- Cybercriminals are putting more time and resources into stealing and monetizing protected health information (PHI), and the healthcare industry is growing increasingly concerned with the harvesting of credentials to gain access to an organization’s network to steal sensitive health information.
Demonstrating the extent of the health data security challenge, a survey by HIMSS earlier this year found that three-quarters of healthcare organizations experienced a significant security incident in the past 12 months.
These security incidents are expected to grow in sophistication, number, and complexity over the coming years.
The top concerns for healthcare organizations were data breaches, ransomware, and credential-stealing malware. The top threat actors were phishing attackers at 37.6 percent of respondents, negligent insiders, 20.8 percent, and hackers, 20.1 percent. Attackers most often used email to gain access to the organization, comprising 62 percent of breaches. Other means of gaining access to an organization’s network included web application attacks, compromised customer networks, weak passwords, misconfigured cloud servers, and human error.
Additionally, the survey found that most healthcare organizations’ cybersecurity programs have room for improvement. Significant barriers exist for remediating and mitigating security incidents, including lack of people and financial resources. Some organizations do not yet have formal insider threat management programs. Risk assessments widely vary from organization to organization, the survey found.
In its most recent Data Breach Investigations Report (DBIR), Verizon found that the healthcare industry had 750 cybersecurity incidents last year. Around 536 involved data disclosure. Medical data was the target of two-thirds of data breaches in the healthcare industry while personal information made up 37 percent.
DBIR also found that the healthcare industry is the worst when it comes to stopping insider data breaches. In fact, the healthcare industry was the only sector that had more internal actors behind data breaches than external actors.
This poor state of healthcare data security has lead to anxiety among consumers about their PHI. According to a survey of more than 2,000 US adults by The Harris Poll, around half of the respondents were extremely or very concerned about the security of their PHI (e.g., diagnoses, health history, test results). The survey also found that US adults are most concerned about diagnosed medical conditions and diseases being mishandled or shared without their permission.
Around one-third of those respondents currently use an online portal to access their PHI, with those older than 34 more likely to use a portal than 18- to 34-year-olds — 39 percent to 28 percent, respectively. Among those who chose not to use an online health portal, the top reasons cited were a preference for discussing their health in person and concerns about the security of accessing their health information online.
In a study released earlier this year by the Office of the National Coordinator for Health Information Technology, 25 percent of individuals who were offered access to their online medical records did not access that information because of patient privacy and security worries.
And the costs of healthcare data breaches are well documented. The annual study of data breach costs by the Ponemon Institute estimated that healthcare data breach costs average $408 per record in 2018, the highest of any industry and nearly three times higher than the cross-industry average of $148 per record. The study found that the average cost of a data breach across industries and countries is $3.86 million, a 6.4 percent increase from 2017 and a nearly 10 percent net increase over the past five years.
The study analyzed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation. It found that costs are heavily impacted by the amount of time spent containing a data breach, as well as investments in technologies that speed response time.
There are obviously many challenges to securing patient data out there and high emotional and financial costs for failing to do so. In the next article in this series, we will look at some of the proposed solutions.