Large-scale data breaches, such as those that have hit the healthcare industry in recent years, are a key issue across several industries, and many organizations are increasingly concerned about being affected by one.
In fact, 80 percent of organizations handling sensitive information report concern about large-scale data breaches, according to a survey conducted by Advisen. The survey included organizations from several industries, with healthcare the most heavily represented at 22 percent of the respondent sample.
Despite the growing concern about large-scale data breaches, the study’s authors report that organizations may not be doing enough. While three quarters of respondents report having some form of data breach response plan, those plans may not be tested rigorously enough.
Although 42 percent of respondents say they test their response plans, another 41 percent say they do not test their plan or do not know whether it is tested.
The researchers attribute such numbers to a lack of organizational communication: because a majority of organizations (60 percent) rely solely on the IT department to mitigate breaches, other members of the organization may not know the breach mitigation plans exist.
This points to a second problem, the researchers say: breach response should ideally involve a diverse cross-section of the organization rather than a single department.
“Cybersecurity experts recommend that a breach response team consist of a cross-section of internal personnel as well as external members,” the report says. “Data breach response teams often include executive management, legal, privacy/compliance, IT, information security, risk management, and other stakeholders from the company’s various business units. External members often include privacy counsel, computer forensics and breach response specialists, and a crisis management firm.”
In addition to risk assessments and breach response plans, organizations use cyber insurance to help them in the event of a massive healthcare data breach. However, the report cautions that cyber insurance should not be an organization’s only defense against a data breach.
In fact, most organizations that have cyber insurance get little use out of it: over half have not had a data breach within the past 12 months, and a quarter report that more than 90 percent of their data breaches cost less than their policy’s deductible.
About half of these organizations also turn to outside vendors for help with their data security efforts, namely pre-breach services, forensics, and protective services such as credit monitoring for potentially affected customers.
Such measures are especially important given how prevalent healthcare data breaches were over the past year. Last year alone saw millions of patient files compromised across a total of 258 large-scale data breaches.
Massive breaches such as those at Anthem and Premera Blue Cross, together with the rest of the top 10 healthcare data breaches of 2015, accounted for nearly 100 million patient files breached. Some healthcare organizations, such as UCLA Health, even experienced more than one breach, the first in July and the second in September.
Healthcare industry experts had voiced concern about large-scale data breaches before this survey as well. At the end of last year, Experian released a survey showing that healthcare cybersecurity was the top concern for professionals going into 2016. Given the year the healthcare industry has had with regard to security, those worries are not unfounded.
“We predict that healthcare companies will remain one of the most targeted sectors by attackers, driven by the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records,” Experian explained in its research. “With the move to electronic health records (EHRs) continuing to gain momentum and becoming more widely accessible through mobile applications, the attack surface continues to grow.”
Going forward, healthcare organizations will need to step up their testing and risk mitigation measures, ensuring that they are not only taking adequate preventive measures but are also ready to respond should an incident occur.