According to the ITRC, there were 277 reported data breaches in healthcare during 2015, which accounted for 35.5% of all data breaches recorded in the US last year. While the number of data breaches in healthcare came second to the business sector, the data breaches in healthcare nonetheless accounted for 67% of all breached records - over 112 million breached records. Healthcare data breaches are now larger than ever before, a troubling thought given the rising cost of data breaches, which are the highest for healthcare.
Verizon recently reported that half of Americans have had their healthcare records compromised since 2009 and the IDC predicts that one in three Americans will have their healthcare records compromised by cyberattacks in the coming year alone. The healthcare industry sees 340% more security incidents and attacks than the average industry, according to research from Raytheon|Websense Security Labs, so it’s clear that the high value of healthcare data, and the growing centralization of healthcare data, is making it an attractive target for thieves.
Mark Wilson recently wrote an article on Forbes challenging healthcare organizations to learn from 2015 mistakes, which include some common themes we’ve talked about this year including a mistaken belief that compliance is enough, BYOD devices often left unsecured, and the need to prioritize security across the whole organization, recognizing that employees are the weakest link.
Verizon’s report revealed that the primary action of cyber attack is theft or loss of portable devices (laptops, tablets, thumb drives) followed by human error and finally misuse / malicious insiders. Together, these three actions make up 86% of all breaches of PHI, re-enforcing the need for accurate risk-based analysis and security planning. A look at the HHS database of breaches for this year shows a litany of data breaches still tied directly to the theft of devices (more than 20%), with the endpoint - as shown above - likely tied in with further network breaches.
The healthcare industry has a long way to go to regain control over data, but creating a strong culture of security, focusing on the endpoint and protecting data, at rest and in transit, can go a long way to shoring up the weakest points. In our whitepaper, Best Practices for Healthcare Data Breach Prevention, we discuss many specific ways you can achieve data protection and go beyond compliance, including policy, process and layered-technology defences.
As part of your preparedness, we recently launched Absolute DDS for Healthcare, a comprehensive onboarding program which pairs the highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com