As a new story about hospital ransomware or a stolen laptop containing PHI seemingly emerges every day, it comes as no surprise that healthcare data breaches have steadily increased in frequency and severity since 2010.
Researchers at the Ponemon Institute and ID Experts found that the volume of healthcare data breaches has not declined in the past six years, which has substantially affected the industry’s financial resources and reputation.
The annual study on healthcare data security revealed that the average cost of a data breach is around $2.2 million for a healthcare provider and $1 million for a business associate. Overall, healthcare data breaches have cost the industry about $6.2 billion.
Researchers also found that almost half of the covered entities surveyed stated that their organization experienced at least five healthcare data breaches within two years.
“In the last six years of conducting this study, it's clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,” said Ponemon Institute Chairman and Founder Larry Ponemon, PhD. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”
Researchers revealed that criminal attacks were the top reason behind healthcare data breaches. Half of the participating organizations and 41 percent of business associates reported that cyberattacks were the cause of most data security incidents that occurred.
In terms of healthcare cyberattacks, survey respondents were most concerned with denial of service threats, followed by ransomware and malware.
Despite the prevalence of cybersecurity incidents, the study showed that the majority of healthcare organizations and business associates were most concerned with negligent or careless employees causing healthcare data breaches.
When asked what the greatest threat was to healthcare data security, the majority of healthcare organizations stated employee inaction or error (69 percent). Rounding out the top three concerns were cybercriminals at 45 percent and the use of insecure mobile devices at 36 percent.
Employee error was also the top concern for business associates (53 percent), followed by use of cloud services (46 percent) and cyberattacks (36 percent).
In general, covered entities and business associates credit the rise in healthcare data breaches to the sensitivity of health-related information and the large number of “data touch” points, such as different healthcare employees or third parties accessing patient information.
Almost 70 percent of providers and 63 percent of business associates believed that the healthcare industry was at a greater risk for data security incidents than any other industry.
Additionally, survey participants reported that their healthcare data security budgets were not sufficient to manage a data breach. About 10 percent of providers and 11 percent of business associates claimed that their budget had decreased. Nearly half of all respondents stated that their security budget stayed the same.
Despite stagnant budgets, the survey uncovered that healthcare organizations and business associates are increasing data security measures.
In this year’s survey, more providers (71 percent) said that their organization implemented a security response process with the help of health IT, information security, and compliance departments. Only 69 percent of organizations reported a response plan last year.
For business associates, 64 percent of participants claimed to have a collaborative healthcare data security incident response plan.
Compared to last year, more providers and their business associates have also established policies and procedures to prevent or detect a healthcare data breach. Sixty-three percent of providers stated that their organization implemented such policies and procedures, and 57 percent said that their organization has the technical expertise to effectively mitigate a breach.
“This is about real people and the exposure of their sensitive information,” said Rick Kam, CIPP/US, President and Co-founder of ID Experts. “The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures.”
In response to the Ponemon and ID Experts survey, the College of Healthcare Information Management Executives (CHIME) urged the healthcare industry to advance cybersecurity by collaborating with different sectors, such as medical device manufacturers or governmental task forces.
CHIME explained that these new partnerships will encourage better and more secure data sharing techniques and improved cybersecurity measures.
“No single sector of the healthcare ecosystem can solve the problem alone,” explained CHIME in an official press release. “Only by pulling together and sharing best practices can we thwart cyber criminals and protect patients.”