Survey: No Cure In Sight for Healthcare Data Breaches
Nearly 90 percent of healthcare organizations were the victims of a data breach in the past two years, and 45 percent had more than five data breaches during that same time period.
Criminal attacks are the leading cause of these health data breaches, with 50 percent of healthcare organizations and 41 percent of business associates reporting such attacks, while employee mistakes, third-party snafus, and stolen computer devices are the cited reasons for the other breaches.
Those are among the findings of a new study by the Ponemon Institute, sponsored by software and services vendor ID Experts, in which denial-of-service attacks, ransomware, malware, and phishing are listed as the top cyber threats facing healthcare organizations and business associates.
As the cyber threat has continued to grow, 79 percent of healthcare organizations experienced multiple data breaches (two or more) in the past two years—up 20 percent since 2010. And, 34 percent of healthcare organizations experienced two to five breaches.
Rick Kam, president of ID Experts, notes that the 2016 report is the sixth annual report produced in partnership with the Ponemon Institute and that the there’s not a lot of change in the statistics over the years. “That in itself seems to be an issue,” he says. “The numbers, frequency, and severity of breaches in the healthcare sector continue to be high.”
Kam believes the problem is only going to get worse before it gets better. In that regard, the study also found that although most surveyed organizations believe they are vulnerable to a data breach, they are unprepared to address new threats such as ransomware and lack the resources to protect patient data.
“The healthcare industry has been under attack for years and despite all of that these organizations are just not making investments in security or they’re making investments that lag other industries such as financial services,” adds Larry Ponemon, chairman and founder of the Ponemon Institute.
In fact, 59 percent of healthcare organizations and 60 percent of business associates surveyed don’t think their organization’s security budget is sufficient to curtail or minimize data breaches.
These organizations are in the unenviable position of either paying now by investing in cyber defense or paying later in terms of financial losses.
As the report reveals, data breaches are costing the healthcare industry $6.2 billion annually, with the average cost of data breaches for covered entities surveyed now standing at more than $2.2 million while the average cost to business associates in the study pegged at more than $1 million. Medical records are the most commonly exposed data, followed by billing and insurance records, and payment details.
In the study, 38 percent of healthcare organizations and 26 percent of business associates are aware of medical identity theft cases affecting their own patients and customers. Nonetheless, 64 percent of healthcare organizations and 67 percent of BAs surveyed don’t offer any protection services for victims whose information has been breached.
“The fact that healthcare is bearing the brunt of cyberattacks is no surprise, given the unique black market value of the complete sets personal information sitting in electronic medical records, including patient names, family history, Social Security Numbers, and billing information,” commented Dylan Sachs, director of identity theft and anti-phishing for security vendor BrandProtect.
“What is remarkable, however, is the level of sophistication these cyber criminals have achieved. We’ve recently witnessed a wave of elaborate attacks designed specifically to penetrate healthcare organizations. It seems clear that security measures must evolve to include aggressive, proactive monitoring for suspicious activities outside traditional security perimeters.”
The College of Healthcare Information Management Executives similarly has raised a red flag about the epidemic of data breaches.
“As the Ponemon Institute report details, the cyber threat landscape has never been more dangerous,” said Russell Branzell, CHIME’s president and CEO, in a written statement. “To better safeguard our systems, we must improve information sharing across the industry. CHIME was a leading advocate for including healthcare-specific provisions in the Cybersecurity Information Sharing Act of 2015.”
The CISA act would establish a cybersecurity framework specifically focused on healthcare and instructs the Department of Health and Human Services to identify a specific leader on cyber preparedness, as well as directs HHS to create a series of best practices for health industry leaders to follow—on a voluntary basis—to help them keep their organization’s data as secure as possible.
To download the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, visit here (registration required).