Health Care Industry Unprepared for Data Breaches, Reports Find


Many health care organizations lack proper procedures to prevent data breaches or mitigate damages in the event that a data breach occurs, according to two recent reports on cybersecurity practices in various industries, American Medical News reports.

Ponemon Institute/Experian Data Breach Resolution Report

One report -- prepared by the Ponemon Institute on behalf of Experian Data Breach Resolution -- examined how organizations in several industries, including health care, are working to prevent and respond to data breaches.

It found that although health care organizations have a clear understanding of the risks and potential consequences of data breaches, many are not taking adequate steps to protect themselves. Among the surveyed health care organizations, the report found that:

  • 94% reported experiencing a data breach in the past two years;
  • 39% said they had no data breach response plan in place;
  • 30% said they had trained customer service staff to respond to data breach-related questions;
  • 21% said they had trained communications teams to respond to questions about a data breach; and
  • 19% said they are equipped with appropriate tools to determine the size and cause of a data breach.

Michael Bruemmer -- vice president at Experian Data Breach Resolution -- said that many organizations, including physician practices, do not believe they could be a victim of a data breach. He added, "Sometimes organizations need to experience an incident to understand firsthand the impact."

Verizon Report

A separate report, published by Verizon, analyzed more than 47,000 breaches across multiple industries, including health care.

Suzanne Widup, senior consultant with the Verizon Risk Team, said that health care organizations are considered "easy targets" by cyber criminals who generally are looking for financial information, not health information.

Widup said that health care providers often take steps to protect patients' medical information but are less focused on protecting patients' financial information. Widup said, "So the fact they are targeted for something they are not expecting leaves them more vulnerable if they are not putting their defenses where they are likely to be targeted."

Recommendations From Experts

According to American Medical News, data security experts recommend that every physician practice have a data breach response plan in place. Experts note that a basic data breach response plan should include efforts to:

  • Determine the cause and scope of the breach;
  • Identify and contact those affected by the breach, as well as HHS' Office for Civil Rights;
  • Help those affected by the breach; and
  • Respond to questions about the breach (Dolan, American Medical News, 4/29).

to share your thoughts on this article.