A full 89% of healthcare organizations and 60% of their business associates have experienced data breaches over the past two years. And 79% of healthcare organizations experienced multiple data breaches (two or more) in that time period—up 20% since 2010.
Overall, breaches in healthcare are costing the industry $6.2 billion per year, according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute and sponsored by ID Experts. They remain consistently high in terms of volume, frequency, impact and cost.
In fact, breaches have yet to decline since 2010—despite a slight increase in awareness and spending on security technology. More than one-third, or 34%, of healthcare organizations experienced two to five breaches. And nearly half of healthcare organizations, or 45%, had more than five breaches.
While recent large healthcare data breaches have heightened the industry's awareness of the growing threats to patient data and have led to an improvement in security practices and policy implementation, respondents say that not enough is being done to curtail or minimize the risks.
Criminal attacks are the leading cause of data breaches in the vertical—up 5% to 50% this year. Medical records are the most commonly exposed data, followed by billing and insurance records, and payment details. While the majority of breaches are small (under 500 records) and are not reported to the US Department of Health and Human Services (HHS) and the media, the financial impact is significant.
Hackers aren’t the only issue for the sector. Mistakes (unintentional employee actions, third-party snafus and lost/stolen computer devices) are cited as the root cause of the other half of data breaches.
"In the last six years of conducting this study, it's clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago," said Larry Ponemon, chairman and founder, Ponemon Institute. "Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem."
Hospitals and clinics also lack the budget, staff and expertise to manage data breaches caused by employee negligence and evolving cyber threats, including the newest threat cited for 2016: ransomware. Nearly half of healthcare organizations, and more than half of their business associates, have little or no confidence that they can detect all patient data loss or theft. The findings also show that, as a result, many healthcare organizations and their third-party business associates are negligent in the handling of sensitive patient information.
In fact, 59% of healthcare organizations and 60% of business associates (BAs) don't think their organization's security budget is sufficient to curtail or minimize data breaches. The findings also reveal that BAs and healthcare organizations point their fingers at each other: healthcare organizations say that third parties and partners are not doing enough, and BAs say that healthcare organizations are not investing in technology and that their employees are negligent.
Unfortunately, patients are suffering the effects of data breaches. About 38% of healthcare organizations and 26% of business associates are aware of medical identity theft cases affecting their own patients and customers. Yet despite the known risks, 64% of healthcare organizations and 67% of BAs don't offer any protection services for victims whose information has been breached.
There’s not just ID theft to worry about. About 58% of healthcare organizations and 67% of BAs do not have a process in place to correct errors in victims' medical records. Such errors can leave a patient vulnerable to receiving the wrong medical treatment or obtaining the wrong medications.
"This is about real people and the exposure of their sensitive information," said Rick Kam, CIPP/US president and co-founder of ID Experts. "The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures."
The findings aren’t that surprising, given that a recent survey conducted by the Nasdaq and Tanium found that more than 90% of corporate executives admitted to not being able to read or understand a cybersecurity report, and 40% felt no personal responsibility for cybersecurity or securing customer data.
"The findings of the Ponemon study are consistent with what most would have guessed about the state of security in the healthcare industry," said Adam Laub, SVP of product marketing at STEALTHbits Technologies. "It's also not surprising that BAs and healthcare organizations are pointing fingers at each other either; and they're both right. If you want to point a finger, point it up. Until corporate executives in the healthcare industry feel the same level of pressure concerning the security of their corporate networks and are measured as such, like they are from a financial perspective, this problem will persist."