Scant progress on breaches since HITECH
The healthcare industry has made little progress in reducing data breaches, according to a new analysis of the past three years by the Health Information Trust Alliance (HITRUST).
HITRUST's retrospective analysis of breaches affecting 500 or more individuals suggests a modest decline in the total number of breaches since 2009, officials say, but overall the industry's susceptibility to certain types of breaches has been largely unchanged since the new HIPAA and HITECH Act regulations took effect and breach data became available from the U.S. Department of Health and Human Services (HHS).
"While the data itself is not terribly surprising, it does serve as a critical reminder of the education and improvement that still needs to occur across the industry, regardless of organization type and size," said Daniel Nutkis, chief executive officer of HITRUST.
HHS data shows that since 2009 the industry has experienced 495 breaches involving 21 million records at an estimated cost of $4 billion, the HITRUST report shows.
[See also: Breaches epidemic despite efforts at compliance, says Kroll.]
With the total number of breaches each year remaining fairly consistent, hospitals and health systems are among the few provider types to show improvement: collectively they experienced a 71 percent decline in the number of breaches from 2010 to 2011, and in the first two quarters of 2012 they reported only 14 breaches (compared with a total of 48 for 2011).
Health plans have also seen a downtick in breaches since 2009, the report shows.
The HITRUST study suggests Stage 1 meaningful use may have incentivized better security practices – or at least increased awareness of the need for them – especially when it comes to laptops, desktops and mobile media.
Still, officials say, the data indicates that physician practices, which should be motivated by meaningful use incentives just as hospitals are, have shown very little progress. This is especially true of smaller physician practices: those with one to 100 employees account for over 60 percent of the breaches reported in the segment. The report's findings suggest organizations such as these lack the awareness and resources needed to preempt future breaches.
As the interconnectivity of organizations increases through community health records and health information exchanges, small practices may pose a new and significant risk to larger entities that have begun to get a handle on security and privacy, say HITRUST officials.
One surprising – and suspicious – finding in the survey is that reported hacking and malware infections remain low, accounting for just 8 percent of the breaches.
"Data we receive from other sources strongly indicates that U.S. healthcare organizations of all types are experiencing data loss due to viruses, attacks by cyber criminals, password sharing by clinicians and the prevalence of vulnerabilities in electronic health record (EHR) technologies that are not communicated," said Nutkis.
This past July, HITRUST launched the Cyber Threat Analysis Service (CTAS), in partnership with iSIGHT Partners, to identify and analyze cyber threats to the U.S. healthcare industry.