Several alarming results were found in the 2015 Benchmark Study on Privacy & Security of Healthcare Data published by Ponemon on Thursday. Over 90 percent of healthcare organizations had a data breach and 40 percent had over five incidents in the last two years. Based on the results, the researchers estimate that the industry could be losing as much as $6 billion. This is up from last year’s Ponemon estimate of $5.6 billion.
In five years of issuing this report, this is the first time that cybersecurity problems became the number one cause of data breaches. Although lost devices and employee negligence are still factors, 45 percent of the organizations said that the “root cause of the data breach was a criminal attack.” Seventy-eight percent said that criminal security incidents are even higher: “for instance, web-borne malware attacks caused security incidents for 78 percent of healthcare organizations…” The healthcare industry is the most vulnerable to cyber attacks.
Despite a relatively small sample size, this data reflects what has been happening in the healthcare industry over the last year. Anthem, Premera and Community Health Systems all experienced major breaches in the last year resulting in the exposure of over 100 million patient accounts. What’s even more disturbing is that “[d]espite the changing threat environment…organizations are not changing their behavior—only 40 percent of healthcare organizations and 35 percent of BAs are concerned about cyber attackers,” said the report.
Fortunately most of the organizations (69 percent) have an incident response process in place but over half agreed they need more funding to make it effective. Most organizations budget less than 20 percent of the security budget to incident response.
“…[L]ess than half (49 percent) are very confident and confident they have the ability to detect all patient data loss or theft,” indicating a strong need for a change to current procedures to protect patient data.
Hosting providers such as Atlantic.net, Connectria and ViaWest are attempting to help the industry by offering HIPAA compliant services. It’s not clear though whether these services actually increase the security of patient data.