Data breaches at U.S. healthcare organizations cost providers more than $6 billion a year and despite this expensive and embarrassing revelation, the vast majority of hospitals and clinics still lack both the inclination and resources to make protecting patient data a priority.

The findings, detailed in a new report sponsored by security software provider ID Experts and privacy and data protection research firm Ponemon Institute, were derived from interviews with 211 senior managers at 65 U.S. healthcare organizations.

The study found that the average healthcare organization incurred 2.4 significant data breaches in the past two years, costing each hospital more than $2 million per organization. The most common factors resulting in these costly incidents are unintentional employee action, lost or stolen computing devices and third-party error.


"Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs," Larry Ponemon, founder of the Traverse, Mich.-based security research firm, wrote in the report.

Despite the 2009 enactment of the HITECH Act, a piece of legislation that was included as part of the federal stimulus bill that gives regulatory agencies the teeth to enforce security and privacy components of previously passed HIPAA regulations and standards, healthcare providers still aren't doing enough to safeguard patient records.

In fact, according to the study, most aren't even making patient privacy and data security a priority.

Seventy percent of hospitals said that protecting patient data is not a top priority and 67 percent reported having less than two staff members dedicated to data protection management.

Fifty-eight percent of respondents said they have "little or no confidence" in their ability to adequately protect patient records and 71 percent admitted they have inadequate resources to implement the technology and procedures required to lockdown millions of individual patient files.

A similar study released in August by security software vendor Imprivata found that most healthcare providers are more concerned with converting reams of paper records to electronic medical records than spending the money and investing the personnel required to prevent data breaches.

"At this point, one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted," Ponemon said. "Instead we found enormous vulnerabilities. The protection of patient data should be at the forefront of their efforts."

Along those lines, 71 percent of senior managers queried said they didn't think the HITECH Act regulations have significantly changed the management practices of patient records.

In an effort to hold hospitals and others responsible for patient data accountable for their lax security practices, some states are handing out stiff fines for repeated security failures.

In June, the California Department of Public Health fined five hospitals a total of $675,000 for failing to secure patient data.

"We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," Rick Kam, president and co-founder of ID Experts, said in the report. "Unfortunately, in healthcare organizations, patient revenue trumps risk management."

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

To keep up-to-date on data security issues, follow eSecurityPlanet on Twitter @eSecurityP.