Each year, the Ponemon Institute conducts a benchmark survey on healthcare data privacy and security. The surveys give a picture of the state of healthcare data security, highlight the main threats faced by the healthcare industry, and offer an insight into the main causes of healthcare data breaches. This week, the Ponemon Institute released the results of its 6th annual benchmark study on healthcare data privacy and security.
Over the past 6 years, the main causes of healthcare data breaches have changed considerably. Back in 2010/2011 when the two healthcare data privacy and security surveys were conducted, the main causes of healthcare data breaches were lost and stolen devices, third party errors, and errors made by employees.
Breaches caused by the loss and theft of unencrypted devices such as laptops, smartphones, tablets, and portable storage devices such as zip drives has fallen considerably in recent years. Due to the high risk of loss and theft – and the cost of risk mitigation following a data breach and compliance fines – healthcare organizations are keeping tighter controls on portable devices. Staff have been trained to be more security conscious and many healthcare organizations have chosen to use data encryption on portable devices. However, lost/stolen devices and mistakes by employees and third parties are still the root cause of 50% of healthcare data breaches.
Healthcare Data Privacy and Security Study Shows Criminals Caused 50% of Healthcare Data Breaches
Data breaches caused by the loss and theft of portable devices may be in decline, but the same cannot be said of cyberattacks, which have increased considerably. When the first benchmarking study was conducted in 2010, 20% of data breaches were caused by hackers and other cybercriminals. By 2015, the figure had risen to 45%. This year criminals have been responsible for 50% of healthcare data breaches.
Healthcare data breaches have increased in volume, frequency, and severity. Prior to 2015, the largest healthcare data breach exposed 4.7 million patient health records. Data breaches that exposed more than 1 million healthcare records were very rare. However, in 2015, the Anthem Inc. breach exposed 78.8 million healthcare records, Premera BlueCross recorded a cyberattack that exposed 11 million records, and Excellus Blue Cross Blue Shield reported a breach of 10 million records. These data breaches were caused by criminals who gained access to systems using phishing techniques.
Phishing remains a major cause for concern, as is malware, although over the course of the past 12 months a new threat has emerged. Ransomware is now the second biggest cause for concern for healthcare security professionals. DDoS attacks remain the biggest worry as far as cyberattacks are concerned.
The purpose of ransomware and DDoS attacks is to cause widespread disruption. Healthcare IT professionals are right to be concerned. Both of these types of cyberattack have potential to have a hugely detrimental effect on the care that is provided to patients, potentially disrupting healthcare operations to such a degree that patients can actually come to physical harm.
Healthcare organizations have been investing more heavily in data security technologies to prevent breaches, yet these measures have not been sufficient to stop breaches from occurring. The report indicates that 89% of healthcare organizations suffered a data breach in the past two years, 79% suffered more than one breach, and 45% experienced more than five data breaches.
The cost of healthcare data breaches is considerable. The Ponemon Institute calculates the average cost to resolve a data breach to be $2.2 million for healthcare providers. The average cost of a business associate data breach is $1 million. The total cost each year, to mitigate risk and resolve data breaches, has been estimated by Ponemon to be $6.2 billion for the industry as a whole.
Healthcare Organizations Need to Increase Cybersecurity Efforts
Cybersecurity budgets may have increased over the years, but too little is being spent on healthcare data privacy and security data. Even with the increased risk, 10% of healthcare organizations have actually decreased their cybersecurity budgets, and more than half (52%) said their budgets have stayed the same this year.
Further investment is needed to tackle the growing threat and to prevent criminals from gaining access to data and locking it with ransomware.
Education also needs to be improved and greater care taken by healthcare employees to prevent accidental disclosures of data and mistakes that open the door to cybercriminals. Employee negligence was rated as the top cause for concern by both healthcare providers and business associates of healthcare organizations. Unless greater care is taken to prevent data breaches and healthcare organizations are held more accountable, the data breach totals will only rise.