Most health IT execs unprepared for a data breach

Health IT executives aren't exactly prepared to weather any storm--most don't feel prepared for security breaches or unplanned outages, according to a new survey.

More than half (56 percent) of the survey's respondents said they would need eight hours or more to restore 100 percent of data lost in a breach. The majority of the 283 health IT executives surveyed--82 percent--said that their technology infrastructure is "not fully prepared for a disaster recovery incident."

The following incidents cost U.S. hospitals an estimated $1.6 billion a year, according to an announcement of the MeriTalk survey results:

  • Security Breaches: Nearly one in five (19 percent) global healthcare organizations experienced a security breach in the last 12 months at a cost of $810,189 per incident. Health IT executives said the most common causes for breaches included malware and viruses (58 percent); outsider attacks (42 percent); physical security--loss/theft of equipment (38 percent); and user error (35 percent).
  • Data Loss: Nearly one in three (28 percent) global healthcare organizations experienced data loss in the past 12 months at a total cost of $807,571 per incident. And, of those, more than one-third (39 percent) had experienced five or more incidents of data loss in the past 12 months. Common causes of data loss included hardware failure (51 percent); loss of power (49 percent); and loss of backup power (27 percent).
  • Unplanned Outages: Close to 40 percent of all global healthcare organizations experienced an unplanned outage in the past 12 months at a cost of $432,000 per incident. On average, healthcare organizations lost 57 hours to unplanned downtime over the past 12 months. The most common causes of outages included hardware failure (65 percent); loss of power (49 percent); software failure (31 percent); and data corruption (24 percent).

What are organizations doing to prepare for breaches? Many groups are preparing HIPAA security risk analyses as part of the Meaningful Use incentive program. Additionally, organizations are turning to single sign-on and authentication for Web-based applications and portals; auditing tools and log management; and encryption for protected health information.

As FierceHealthIT recently reported, the "wall of shame" for health data breaches at the U.S. Department of Health & Human Services has seen a lot of action of late. In the month of January alone, more than 70 health data breach incidents affecting more than 500 individuals were added.

A report published in December 2012 by the Ponemon Institute determined that data breaches cost health organizations close to $7 billion annually. Still, privacy experts speaking last summer at the Healthcare Privacy Summit in Washington, D.C., called current efforts to deal with health data security too reactive.
