Healthcare Organizations Unprepared to Detect or Mitigate Breaches: Ponemon Study

By: Arieanna Schweber | 5/13/2015

The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, compiled by Ponemon Institute on behalf of ID Experts, shows the evolution of healthcare data breaches that reflect the increased value of healthcare data. The reality is that healthcare data is so valuable now that cybercriminals have shifted their attacks to the healthcare industry, making criminal attacks the top threat to healthcare data. Though this sounds terrifying, the good news is that people, process and technology are still at the core of preventing these kinds of data breaches from happening.

The 2015 study expands beyond healthcare organizations to also include business associates, now covered under HIPAA, and offers a broader perspective on the entire healthcare industry. The research shows that security incidents are happening all the time in the healthcare industry, to organizations and business associates alike, but that organizations have little confidence in their ability to prevent or detect such incidents.

Key takeaways from the study:

  • 91% of healthcare organizations had one data breach over the past 2 years; 40% suffered more than 5 data breaches in the past 2 years
  • 96% of healthcare organizations had a security incident involving lost or stolen devices (95% for business associates)
  • Criminal attacks in healthcare are up 125% since 2010, now the leading cause of data breaches
  • 65% of healthcare organizations had multiple security incidents in the past 2 years involving the exposure, theft or misuse of electronic information
  • Exploits of known vulnerabilities continue to plague the industry, with 54% of organizations experiencing an incident based on a known vulnerability greater than 3 months old (so quick patching is an issue)
  • One third of respondents lack an incident response process, leading researchers to suspect that not all data breaches are being identified
  • Less than half of respondents perform a 4-factor risk assessment following security incidents, as required under the HIPAA Omnibus Final Rule
  • Medical identity theft nearly doubled in 5 years, from 1.4 million adult victims in 2009 to over 2.3 million in 2014. Victims are also at risk of financial identity theft, since many PHI breaches include payment information
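The patching finding above (incidents tied to known vulnerabilities more than 3 months old) is the one item in the list a security team can turn directly into a recurring check. The script below is an added example, not code from the Ponemon study, ID Experts or Absolute Software: it takes a list of open vulnerability findings, each with the date a fix became available, and reports which ones have been open longer than the study's 90-day threshold. The findings, host names and advisory identifiers are constructed placeholders, not real data, and the inventory format is an assumption; a real deployment would read the same fields from a scanner or patch-management export.

```python
from datetime import date, timedelta

# Constructed sample inventory (placeholder hosts and advisory ids, not real findings).
# Each record: the affected host, the advisory id, and the date a fix was published.
SAMPLE_FINDINGS = [
    {"host": "ehr-app-01", "advisory": "ADV-PLACEHOLDER-1", "fix_published": date(2015, 1, 5)},
    {"host": "radiology-ws-07", "advisory": "ADV-PLACEHOLDER-2", "fix_published": date(2015, 4, 20)},
    {"host": "billing-db-02", "advisory": "ADV-PLACEHOLDER-3", "fix_published": date(2014, 11, 30)},
]

# The study's "3 months" threshold, expressed as 90 days (assumption).
MAX_PATCH_AGE = timedelta(days=90)


def overdue_findings(findings, today, max_age=MAX_PATCH_AGE):
    """Return the findings whose fix has been available longer than max_age,
    oldest first, with the number of days each has been open added."""
    overdue = []
    for finding in findings:
        age = today - finding["fix_published"]
        if age > max_age:
            overdue.append({**finding, "days_open": age.days})
    return sorted(overdue, key=lambda f: f["days_open"], reverse=True)


def summarize(findings, today, max_age=MAX_PATCH_AGE):
    """Headline numbers for a patching report: total open findings, how many
    exceed the threshold, and the age of the oldest overdue fix."""
    overdue = overdue_findings(findings, today, max_age)
    return {
        "total": len(findings),
        "overdue": len(overdue),
        "oldest_days": overdue[0]["days_open"] if overdue else 0,
    }


if __name__ == "__main__":
    # Evaluate the constructed inventory as of the article's publication date.
    report_date = date(2015, 5, 13)
    for finding in overdue_findings(SAMPLE_FINDINGS, report_date):
        print(f"{finding['host']}: {finding['advisory']} open {finding['days_open']} days")
    print(summarize(SAMPLE_FINDINGS, report_date))
```

Run against a live export, the same two functions give a simple metric to track over time: the count of findings past the threshold should trend toward zero, and any host that keeps appearing in the overdue list is a candidate for a closer look at why its patch cycle is failing.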

The research indicates that not only are healthcare data breaches occurring at an alarming rate, they are also going undetected. Half of the healthcare organizations and business associates surveyed have little or no confidence they have the ability to detect all patient data loss or theft. The average impact of data breaches per organization is over $2 million, costing the industry over $6 billion per year. Healthcare can no longer afford the mistakes that lead to data breaches, nor the mistakes that allow them to go undetected.

Although cyberattacks now dominate in the healthcare industry, the root causes of these attacks are quite varied. Employee mistakes, phishing, stolen credentials, lost devices, improper behaviour, unpatched systems: these incidents, often the result of decisions or mistakes made by people, give an attacker an opening. Right now, 45% of data breaches at healthcare organizations are attributed to criminal attacks, while 43% are attributed to lost or stolen computing devices. The reality, however, is that a criminal attack succeeds by exploiting some other weakness, which may be tied back to employees in a way that remains undetected.

For more on how Absolute Software can aid in your healthcare data protection, in protecting data and supplying tools to detect security incidents, visit our website or read our recent article on the “Top Tips for Keeping Patients’ Healthcare Data Protected.”
