Until recently, insider negligence accounted for the majority of healthcare breaches, but the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, conducted by the Ponemon Institute, shows this is no longer the case.
- 45% of healthcare data breaches are now caused by criminal activity, including cybercriminal attacks, malicious insiders and physical theft. Such criminal activity has increased 125% over the past five years.
The survey also found that 90% of healthcare organizations suffered at least one data breach exposing patient data over the past two years. 40% of organizations had more than five breaches in that period, and 78% suffered security incidents that did not result in an actual breach.
- The breakdown of breach causes is: 45% criminal attacks, 43% lost or stolen devices, 40% employee mistakes and 12% malicious insiders. The categories are not mutually exclusive, which is why they sum to more than 100%.
- Larry Ponemon adds that among the 91% of organizations that had one or more breaches in the past two years, some of those breaches were tiny, involving fewer than 100 records, but that this does not make them any less important than mega breaches.
In addition, healthcare organizations also battle security incidents such as malware infections and paper-based incidents. Even more concerning, the study found that organizations do not feel confident in their incident response (IR) capabilities.
- More than half of organizations say their IR function is not adequately funded or staffed.
- One-third have no IR plan at all.
Other highlights from the Ponemon report: 96% of healthcare organizations report problems with lost or stolen devices, and 88% report problems with spear phishing. Unfortunately, the business partners and associates of healthcare organizations are not doing much better.
- 60% of healthcare partners and associates have been hit by data breaches.
- 14% suffered two to five breaches over a two-year period.
- 15% suffered more than five breaches over a two-year period.
- 80% were hit by Web-based malware attacks.
The report also puts the average cost of breaches at $2.1 million per healthcare organization and about $6 billion per year for the industry as a whole. Equally important is the value healthcare records hold for criminals: a patient's health credentials can fetch as much as $10.00, whereas credit card data sells for a dollar or less.
Given all this data on the state of healthcare security, or rather on the breaches and security incidents these organizations have confronted in recent years and the costs those incidents carry, one has to wonder when a holistic security posture will become a priority for the industry: for healthcare providers, partners and associates alike.
Lacking confidence in your IR plan, or not having one at all, in this day and age is a clear sign that keeping healthcare data secure is lagging in organizational priorities. The reasons (budget, resources) are understandable up to a point, but when the cost of a breach can endanger both your organization and your patients, there are no longer valid excuses.
Investment in a holistic security posture has a definite return: the success of your organization, increased value and trust in your company within the industry and in the eyes of your customers, and above all an effective risk management process that keeps your data and your patients' data out of harm's way.
Are you ready to become an organization that cares about the “Why” of your information security?