Healthcare cyber attacks continue to make headlines, and recent research shows that criminal attacks on the industry are on the rise. Since 2010, there has been a 125 percent increase in criminal attacks in the healthcare industry, according to the annual healthcare privacy and security study by Ponemon.
The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data took responses from 90 covered entities (CEs) and 88 business associates (BAs), and found that healthcare data breaches continue to be costly to the industry. Specifically, data breaches could be costing healthcare $6 billion, according to the results. The average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million, with the average cost of a data breach to BAs at more than $1 million.
A key finding from the study is that criminal attacks on healthcare organizations are increasing and are now the leading cause of data breaches in the industry. Forty-five percent of CEs reported that the root cause of their data breach was a criminal attack, and 12 percent said it was due to a malicious insider. For BAs, 39 percent said a criminal attacker caused the breach and 10 percent reported it was because of a malicious insider.
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause,” Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. “Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats.”
While the majority of CEs (58 percent) reported that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft, just 49 percent said they had sufficient technologies in place. Facilities could also be lacking the right staff members for data privacy and security matters, as 53 percent of CE respondents said they have staff members with the necessary technical expertise to identify and resolve data breaches.
Facilities’ approaches to HIPAA risk assessments also leave room for improvement, as 50 percent of surveyed CEs said that they perform a 4-factor risk assessment following each security incident that involves electronic information. Approximately one-third of respondents said they use an ad-hoc process, while 27 percent said they use a manual process or tool that was developed internally.
Even with the increase in criminal attacks, 70 percent of CEs surveyed said that their greatest security concern was employee negligence. Forty percent reported that cyber attackers were their top worry, with 33 percent citing concern over using public cloud services. The bottom three concerns were system failures, insecure mobile apps, and insecure medical devices.
The Ponemon study potentially uncovered the reason that healthcare organizations were concerned over employee negligence. Even with the increase in criminal attacks, 96 percent of respondents said they had a security incident caused by lost or stolen devices. Spear phishing was the reason for a data breach for 88 percent of respondents.
Along with healthcare data breaches, it is also essential for CEs and BAs to take note of all security incidents. An issue might not seem relevant, but it could lead to greater problems for an organization.
“As part of everyday business, there are exponentially more security incidents than data breaches,” Ponemon explained in a statement. “Under federal law, all security incidents need to be assessed to determine if they are data breaches that require reporting. The study’s findings indicate that organizations are not thoroughly assessing their security incidents.”
Other key findings from the Ponemon report include:
- 99 percent of healthcare organizations had one data breach
- 39 percent experienced two to five data breaches
- 40 percent had more than five data breaches over the past two years
- 59 percent of BAs experienced data breaches
- 14 percent of BAs experienced two to five data breaches