According to the results of a recent survey of senior-level personnel at 91 healthcare providers and 84 business associates that handle protected health information (PHI) for healthcare organizations, fully 89 percent of healthcare organizations and 60 percent of business associates have experienced data breaches in the past two years.
The Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, sponsored by ID Experts, also found that 79 percent of healthcare organizations experienced two or more data breaches in the past two years, and 45 percent experienced five or more breaches.
The most commonly exposed data are medical records, followed by billing and insurance records and payment information.
Half of all data breaches in healthcare, the study found, are caused by criminal attacks, and the other half are caused by mistakes — unintentional employee actions, third-party errors and stolen computer devices.
Over the past two years, the average cost of a data breach for healthcare organizations is estimated to be more than $2.2 million, and the average cost of a data breach to business associates is more than $1 million.
Still, almost half of all healthcare organizations, and more than half of all business associates, have little or no confidence that they can detect all patient data loss or theft. In fact, 60 percent of business associates and 59 percent of healthcare organizations don’t think their organization’s security budget is sufficient to curtail or minimize data breaches.
And while 38 percent of healthcare organizations and 26 percent of business associates are aware of medical identity theft cases affected their own patients and customers, 64 percent of healthcare organizations and 67 percent of business associates don’t offer any protection services for victims whose information has been breached.
“In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving,” Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement. “More healthcare organizations are experiencing data breaches now than six years ago.”
“Negligence — sloppy employee mistakes and unsecured devices — was a noted problem in the first years of this research and it continues,” Ponemon added. “New cyber threats, such as ransomware, are exacerbating the problem.”
When asked what type of security incident worries them the most, 69 percent of healthcare organizations listed negligent or careless employees, followed by cyber attackers (45 percent) and the use of insecure mobile devices (30 percent).
A separate Skycure study, based on millions of monthly security tests between October and December of 2015, found that 27.79 million devices with medical apps installed on them may also be infected with high-risk malware.
The Skycure study also found that 11 percent of mobile devices running an outdated operating system with high-severity vulnerables may have patient data stored on them, and 14 percent of mobile devices holding patient data appear to have no passcode to protect them.
“Hackers have a giant bullseye on the healthcare sector right now, because they know that many organizations still rely on simplistic, dated approaches to cybersecurity,” Axcient CEO Justin Moore told eSecurity Planet by email. “Fact is, many organizations have already been breached, and the only way to both prevent and withstand attacks is by taking a multilayered approach.”
“IT resiliency today involves implementing protections for the organization, protecting related communities and supply chains from attack and then stopping existing attacks before they become breaches,” Moore added. “Until CIOs hit all three objectives, they’ll remain easy pickings for hackers.”
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.