Data breaches costly, but hospital execs say EHRs can prevent leaks

If you think data breaches don't cost hospitals, think again. The impact of a data breach is about $1 million per hospital per year, and the lifetime value of a lost patient is $108,000, according to a study by the non-profit Ponemon Institute, which surveyed executives at 67 healthcare organizations about data breaches over the last two years. Overall, data leaks cost U.S. hospitals $6 billion a year.

"You can't just give patients some sort of discount and win them back," says Ponemon founder Larry Ponemon. "In a trusted industry like healthcare, there's a high expectation of good stewardship of personal information, and when that confidence is lost it leads to customer churn."

But the good news, as it were, is that hospital executives are optimistic that EHRs will help plug potential data leaks. Ponemon found that 74 percent of survey respondents who had implemented EHRs indicated that the systems have augmented data security, reports Forbes security blogger Andy Greenberg.

Still, patients are much more touchy about data losses that breach their privacy than customers in other industries. According to Ponemon, the customer losses and brand damage may add up to $471 per customer record leaked, compared to $205 per compromised record for all industry breaches.

Even one year after the passage of the American Recovery and Reinvestment Act, which widened the privacy and security protections under HIPAA, healthcare organizations are not focusing on protecting patient information. Seventy percent of hospitals surveyed stated that protecting patient data is not a priority. And the majority of respondents said they don't believe the ARRA significantly changed management practices surrounding patient records. Findings also hint that a significant number of data breaches go undetected and unreported.

About seven in 10 of those surveyed said their healthcare organization did not have enough policies and procedures in place to prevent and quickly detect patient data loss. Another problem most cited was lack of resources.

"We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," Rick Kam, president and co-founder of ID Experts, which sponsored the survey, said in a statement. "Unfortunately, in healthcare organizations, patient revenue trumps risk management."

To learn more:
- read the Ponemon press release
- access the report here (reg. required)
- read Greenberg's Forbes commentary

Neil Versel contributed to this article.
