The healthcare industry is experiencing a surge in data breaches, security incidents, and criminal attacks—exposing millions of patients and their medical records, according to the Ponemon Institute.
The study reveals that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach. The findings also show that most healthcare organizations are still unprepared to address this rapidly changing cyber threat environment and lack the resources and processes to protect patient data.
According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information, and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold.
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats.”
A criminal attack is a deliberate attempt to gain unauthorized access to sensitive information, usually on a computer system or network, resulting in compromised data. Criminal attacks are often referred to as cyber-attacks, but the category also includes malicious insiders and the theft of paper medical files.
Medical records are greatly susceptible to threats and fraudulent activity because of the value of their information and because they are accessible at many points. The study indicates that medical files, as well as billing and insurance records, are the top stolen targets.
Since sensitive patient data can be easily transmitted and exposed, no organization is immune from data breach. Those especially vulnerable are healthcare organizations including hospitals, clinics, and private or public healthcare providers, referred to as “covered entities” (CEs), and their “business associates” (BAs), including patient billing, health plans, claims processing, and cloud services.
A business associate is a person or entity that performs services for a covered entity that involves the use or disclosure of PHI, according to the U.S. Department of Health & Human Services. Small to middle market organizations are at greater risk for data breach, as they have limited security and privacy processes, personnel, technology, and budgets compared to their enterprise or large corporate counterparts.
As part of everyday business, organizations see far more security incidents than data breaches. Under federal law (the HIPAA Breach Notification Rule), every security incident involving PHI must be assessed to determine whether it is a data breach that requires reporting. The study’s findings indicate that organizations are not thoroughly assessing their security incidents. In fact, one-third of the respondents do not have an incident response process in place.
Key findings of the research:
Data breaches in healthcare are rising
All healthcare organizations, regardless of size, are at risk for data breach. Ninety-one percent of healthcare organizations had at least one data breach over the past two years; 39 percent experienced two to five data breaches and 40 percent had more than five. In comparison, 59 percent of business associates experienced at least one data breach over the same period; 14 percent experienced two to five and 15 percent experienced more than five. Half of all respondents, both CEs and BAs, have little or no confidence that they can detect all patient data loss or theft. Data breaches are costing the healthcare industry $6 billion annually; the average economic impact of data breaches per organization is $2,134,800.
Criminal attacks are the new leading cause of data breach in healthcare
Criminal attacks in healthcare are up 125 percent compared to five years ago, and nearly 45 percent of healthcare data breaches are now the result of criminal activity. The share of criminal security incidents is even higher: for instance, 78 percent of healthcare organizations and 82 percent of BAs had web-borne malware attacks. Yet only 40 percent of healthcare organizations are concerned about cyber attacks.
Security incidents part of everyday business
Sixty-five percent of healthcare organizations and 87 percent of BAs experienced electronic information-based security incidents over the past two years, and approximately half of all respondents suffered paper-based security incidents. However, organizations lack the financial and personnel resources to protect patient information. More than half of healthcare organizations and half of BAs don’t believe their incident response process has adequate funding and resources. In fact, one third of respondents don’t have an incident response process in place. Healthcare organizations remain unsure if they have sufficient technologies and resources to prevent or detect unauthorized patient data access, loss or theft. In addition, the majority of them fail to perform a risk assessment for security incidents, despite the federal mandate to do so.
The threat of medical identity theft to breached individuals is growing; however, harms are not being addressed
According to the Ponemon/Medical Identity Fraud Alliance study, 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014. Yet, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data further reinforces that the harms to individuals affected by a breach are not being addressed. Nearly two-thirds of both types of respondents do not offer any protection services for patients whose information has been breached.