According to a recent study conducted by the Ponemon Institute and sponsored by ID Experts, 91 percent of healthcare organizations have suffered at least one data breach in the past two years, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five.
The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data also found that criminal attacks in the healthcare sector are up 125 percent since 2010.
“We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement. “While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause.”
“Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats,” Ponemon added.
Still, the study found, half of all healthcare organizations have little or no confidence that they have the ability to detect all patient data loss or theft, and more than half don’t believe their incident response process has adequate funding and resources.
One third of respondents don’t even have an incident response process in place.
And according to the study, data breaches could be costing the healthcare industry as much as $6 billion per year.
“Cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data,” the report states.
Nonetheless, PFU Systems security expert Carmine Clementelli told eSecurity Planet by email that there are three key steps healthcare organizations can take to protect personal health information (PHI): prevention, self-assessment and hygiene.
“Prevention is as key to data security as it is to health, and new proactive monitoring works in concert with existing policies and systems to ensure the safety of BYOD, and let hospitals and health-sector organizations manage who and what is on the network, without introducing network complexity or constricting personnel policies,” Clementelli said.
“Self assessment — in terms of next gen security — includes behavioral traffic analysis and advanced intrusion prevention to monitor the network’s health, and detect the viruses and malware that thieves use,” Clementelli added. “The third step is basic hygiene. Fortunately, managing applications, permission policies and risk levels at the data and subnet levels is easier for IT than it’s ever been, thanks to breakthroughs over the last year.”