By Bill Siwicki | May 11, 2016
Half are caused by criminal cyber attacks, half by human error.
Nearly 90 percent of healthcare organizations have experienced data breaches, and for the second year in a row criminal attacks are the leading cause of breaches in healthcare, according to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data.
Fifty percent of data breaches in healthcare in 2016 are caused by criminal attacks, while the other 50 percent are caused by mistakes, such as unintentional employee actions, third-party snafus and stolen computers, according to the Ponemon study, which was sponsored by security vendor ID Experts.
The findings indicate many healthcare organizations and their third party business associates are negligent in the handling of sensitive patient information and lack the budget, people and expertise to manage data breaches caused by employee negligence and evolving cyber-threats.
Data breaches in healthcare remain consistently high in terms of volume, frequency, impact and cost despite a slight increase in awareness and spending on security technology. And while recent large healthcare data breaches have heightened the industry’s awareness of growing threats to patient data and have led to an improvement in security practices and policy implementation, study respondents say that not enough is being done to curtail or minimize risks.
Nearly half of healthcare organizations – and more than half of business associates – have little or no confidence they can detect all patient data loss or theft, the Ponemon Institute study found.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving – more healthcare organizations are experiencing data breaches now than six years ago,” said Larry Ponemon, chairman and founder of the Ponemon Institute.
“Negligence – sloppy employee mistakes and unsecured devices – was a noted problem in the first years of this research and it continues,” he said. “New cyber-threats, such as ransomware, are exacerbating the problem.”
What’s more, 60 percent of business associates have experienced data breaches during the past two years, according to Ponemon, and medical records are the most commonly exposed data, followed by billing and insurance records, and payment details.
The newest healthcare cyber-threat for 2016 is ransomware, so it follows that the cyber-threats healthcare executives find most concerning are ransomware, malware and denial of service attacks. Other top concerns for patient data are employee negligence, mobile device insecurity, use of cloud services, malicious insiders and a growing concern about mobile apps.
Healthcare organizations believe they are more vulnerable to data breaches than other industries because many have massive amounts of valuable data and often lack a strong security infrastructure and sense of accountability.
“This is about real people and the exposure of their sensitive information,” said Rick Kam, U.S. president and co-founder of ID Experts. “The lack of accountability is a big issue in the healthcare industry, with a lot of finger-pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments and enforceable internal procedures.”