A survey of U.S. health IT security professionals has found that 70 percent of them believe that senior healthcare managers do not view privacy and data security as a priority.
The survey was sponsored by the San Jose, Calif.-based security management company LogLogic and conducted by the Traverse City, Mich.-based Ponemon Institute. Ponemon surveyed 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe patient EMRs are. The average experience for respondents was 11.9 years in the field.
Within the past year, 80 percent of the survey respondents had experienced at least one incident of lost or stolen electronic health information. Within the last year, 38 percent had one breach of security, 28 percent experienced two to three breaches, 10 percent experienced four to five breaches and 4 percent experienced more than five breaches of security.
The survey also estimated the cost of a data breach per compromised record: 55 percent of respondents say the cost of a lost or stolen record is more than $150. The extrapolated average value is $211 per patient record.
Of those facilities that experienced data breaches, 33 percent of respondents said more than 90 percent of their organization’s data breaches involved electronic health information stored on databases.
More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.
One of the key findings in the report was that 53 percent of respondents said their organization fails to take appropriate steps to protect the privacy rights of patients. Only 19 percent responded that existing security measures were “very effective,” while 24 percent responded that measures were “effective.”
The report concluded that the lack of resources and support from senior management may be putting electronic health information at risk. With 61 percent of respondents believing that their organizations do not have ample resources to ensure privacy and data security requirements are met, the authors further suggested that databases containing a lot of electronic personal health information put healthcare organizations at risk.