Hospitals have ‘holy grail of personal data,’ yet their spending lags on digital security

CHICAGO — When most people go to the hospital, data security is the last thing on their minds. They’re in pain, anxious and unsure. They want to be treated and return to their lives.

Yet sometimes patients still have cause to worry months after they leave the hospital. They’re discovering that data they gave to health systems — Social Security numbers, birth dates, health insurance information, medical information and credit card numbers — have been compromised in breaches.

In the past two years, 27 Illinois health care providers and companies have reported data breaches involving at least 500 patients. That includes a recent incident at Rush that may have exposed the information of 45,000 patients.

Yet health care providers, in general, tend to spend less on data security than companies in other industries. The shortfall is all the more glaring considering the sensitivity of the data, some experts say.

Health care providers spent about 5 percent of their total information technology budgets on security last year, according to Gartner, a global research and advisory company. By comparison, banking and financial services companies spent 7.3 percent, retail and wholesale spent 6.1 percent and insurance spent 5.7 percent. Across 13 industries measured, the average was 6 percent.