Healthcare Data Breach Preparedness Study Raises Concerns

A new study released by Experian Data Breach Resolution & the Ponemon Institute has raised a number of concerns about healthcare data breach preparedness. The study – Is Your Company Ready for a Big Data Breach? – was primarily conducted on healthcare and pharmaceutical industry professionals with responsibility for privacy, security and compliance with state and federal regulations. Key figures in the retail and financial industries were also asked their opinions on healthcare data breach preparedness.

Every Organization Holding PHI is likely to Suffer a Data Breach

Every organization holding PHI or other sensitive material is likely to suffer a data breach. It is just a case of when it will happen. The 571 individuals who took part in the survey know that all too well. All claimed to have suffered a data breach in the past, while more than half (52%) had suffered multiple data breaches.

76% of respondents said they expect to suffer a data breach that will result in a loss of business, and 75% said data breaches result in negative public opinion.

The majority of organizations suffering multiple data breaches had more than 1000 employees. This is partly due to larger organizations being more likely to be targeted by hackers and criminals, but in the most part it is due to the huge risk that employees pose to data security.

Healthcare Data Breach Preparedness A Major Concern

Healthcare data breach preparedness was found to be lacking. Many healthcare providers had simply not done enough to ensure a fast breach response, and those with policies in place to deal with a healthcare data breach still have a considerable amount of work left to do to bring data security standards up to the level required by HIPAA.

The key findings of the study have been listed below:

  • Only 21% of respondents said their organization had set up an internal communications team to manage the data breach response and communicate with customers, while less than a third (30%) offered training to staff on how to deal with data breach questions from patients.
  • Only 61% of organizations operating BYOD schemes test mobile devices for security flaws before allowing them access to the network. 78% of organizations have a BYOD scheme in operation.
  • When it comes to the breach response, HIPAA-covered entities are struggling to identify the patients that have been affected, especially those that have suffered harm as a result of the breach.
  • Only 26% of respondents believed they would be able to accurately determine which individuals had been affected, while just 23% said they felt confident of identifying harm to data breach victims.
  • A data breach response plan is in place at only 61% of organizations
  • Less than half of organizations encrypt data at rest (46%)
  • Only 44% believe they have effective user authentication systems in place.
  • When an employee leaves an organization, access to data must be terminated immediately. Only 43% of companies have such a policy in place.
  • Just 67% have a dedicated breach response team

The report also provides information on actions that can be taken to address all of the above issues and details some of the robust policies and procedures that must be implemented to protect data and respond rapidly when a data breach occurs. The full report can be downloaded here.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of