We’ve been talking a lot this year about the surge in data breaches plaguing the healthcare industry. So it comes as no surprise that a recent study by Ponemon Institute found that the increase has cost the industry about $6.2 billion.
While the majority of breaches are small (under 500 records) and are never publicly reported, the financial impact is still significant. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data revealed that nearly 90% of healthcare organizations suffered at least one data breach in the past two years, at an average cost of $2.2 million per breach.
Healthcare data breaches have increased in volume, frequency, severity and cost, despite a slight increase in awareness and in spending on security technology. Seventy-nine percent of healthcare organizations experienced multiple data breaches (two or more) in the past two years, up 20 percent since 2010. More than a third of the organizations surveyed experienced two to five breaches, and a shocking 45% reported more than five data breaches within two years.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,” said Ponemon Institute Chairman and Founder Larry Ponemon, PhD. “Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem.”
Other Key Findings:
- Criminal attacks are the biggest cybersecurity threat. Criminal attacks caused half of all data breaches among healthcare organizations; the other half were attributed to mistakes and negligence. Respondents rated distributed denial-of-service (DDoS) attacks as their biggest worry (48%), followed by ransomware (44%), malware (41%), phishing (32%), advanced persistent threats (16%), rogue software (11%), and password attacks (8%). Other top concerns were employee negligence, insecure mobile devices, use of cloud services, and malicious insiders. Concern about mobile apps is also growing, up from 6 percent in 2015 to 19 percent this year.
- The healthcare industry is more vulnerable to data breaches. Healthcare organizations believe they are more exposed than other industries, and attribute this to the huge volume of valuable data they store, the common lack of a strong security infrastructure, and the high number of endpoints accessed by multiple employees and third parties. Respondents listed employee negligence in the handling and protection of patient information, as well as a lack of security technology, as major concerns, and 59 percent feel their organization's security budget is insufficient to mitigate data breaches.
- Patients are suffering the consequences of these data breaches. The data most commonly exposed are medical records, followed by billing and insurance records, and payment information. Medical files and billing and insurance records were targeted in 64 percent of attacks, up from 45 percent. Nearly 40 percent of providers say they are aware of medical identity theft incidents affecting their patients and customers, yet almost two-thirds of healthcare organizations neither offer credit protection services to victims nor have procedures in place to correct errors introduced into medical records. As the Ponemon report notes, a stolen medical identity can expose information such as prescriptions and blood type, and a record corrupted by a thief's treatment history can put the real patient's health or life at risk.
Criminals pay ten times more for personal health records than they do for stolen credit cards. The reason? A card number can be cancelled and reissued; a medical file bundles a name, date of birth, Social Security number and insurance identifiers that cannot, so a single record supports identity theft and fraudulent claims for years.
SLPowers compliance experts live, sleep, and breathe HIPAA/HITECH. They know the industry, they know how the bad guys operate, and they can keep you both compliant and more secure. Give us a call.