A new report released by Ponemon Institute paints a dismaying picture in healthcare data security. It reveals an industry that’s not only under increasing attack by cyber criminals and malicious insiders, but also a sector populated by organizations without the funding, resources, and preparation necessary to prevent security incidents and properly protect patients’ sensitive information.
Unlike previous studies, which focused solely on covered entities, business associates are also included in this latest research. The addition of business associates provides important perspective on how third-party relationships influence the privacy and security of patient data.
Breach rates continue to go up
One finding that’s particularly worrisome is that far too many healthcare organizations have experienced multiple security incidents. While more than 90 percent of respondents said they had faced a data breach, 40 percent reported they had suffered more than five breaches, a figure that should be a wakeup call to everyone in the industry.
Additionally, it’s clear that the growing reliance on electronic health records and online platforms such as patient portals is outpacing companies’ use of adequate protection measures. But for all the focus on digital data security, the Ponemon study shows that hard copy records continue to be in jeopardy, too. Fifty-four percent of healthcare organizations and 41 percent of business associates reported experiencing paper-based security incidents.
These growing breach figures translate into growing costs, with Ponemon estimating the industry has spent $6 billion on data breaches.
Breach trends paint a disturbing picture
For the very first time, criminal attacks have topped the list of culprits behind healthcare data breaches. Nearly half (45 percent) of healthcare organizations reported that criminal attacks were the root cause of their breach. Malicious insiders—another significant concern in healthcare, where highly sensitive personal data exists in enormous volumes—were cited in 12 percent of breaches.
Malware attacks were to blame for security incidents at 78 percent of healthcare organizations and 82 percent of business associates. The continued effectiveness of such a well-understood threat vector is concerning. Ponemon’s research shows that, despite a threat landscape that continues to evolve, companies in the healthcare sector don’t seem to be improving their security posture or modifying their behavior. Though the sector has been faced with a litany of recent healthcare breach headlines, only 40 percent of healthcare organizations and 35 percent of business associates reported they were concerned about cyber attackers.
A look at what’s lacking
What may be most surprising about the findings of the Ponemon study is what organizations aren’t doing. It appears far too few healthcare firms have what they need to adequately protect patient data. A full 56 percent of healthcare organizations and 59 percent of business associates reported their incident response process lacked adequate funding and resources.
Privacy concerns must be made a higher priority in the healthcare sector. The majority of firms, whether covered entities or business associates, said they didn’t even perform the federally mandated risk assessments for security incidents. Protecting patient data won’t become any easier as cyber thieves and malicious insiders continue to pursue the growing value of medical data—healthcare records reportedly fetch nearly 10 times as much as credit card numbers on the black market. If there’s one takeaway from Ponemon’s research, it’s that covered entities and business associates must work toward better privacy protections in an ever-evolving cyber threat environment.
Eduard Goodman is chief privacy officer at CyberScout.