In the fifth year of its annual survey about privacy and security issues facing healthcare organizations, the Ponemon Institute found that for the first time providers reported that the No. 1 root cause of their data breaches was criminal and malicious attacks, surpassing mistakes and employee negligence.
“Criminal attacks are up 125 percent compared to five years ago” among survey respondents, said Larry Ponemon, chairman and founder of the Ponemon Institute. In fact, 45 percent of healthcare organizations surveyed said the root cause of the data breach was a criminal attack and 12 percent said it was due to a malicious insider, he added.
For the first time, Ponemon included business associates (BAs) in the survey. In the case of BAs, 39 percent said a criminal attacker caused the breach and 10 percent said it was due to a malicious insider.
Ponemon surveyed representatives of 90 healthcare organizations and 88 business associates in February and March 2015. The study also looked beyond data breaches to other types of cyber incidents such as denial-of-service attacks and malware infections. Seventy-eight percent of healthcare organizations and 82 percent of BAs reported experiencing web-borne malware attacks. Eighty-eight percent of providers reported cases of spear phishing.
“Looking at the big picture, organizations are continuing to struggle with their responsibilities to protect sensitive and confidential information,” Ponemon said. “One reason is that a lot of organizations lack the resources to get that job done,” he said. Fifty-six percent of providers and 59 percent of BAs thought their resources were inadequate to the task. “It has been an issue for five years,” he said. “If anything, it has gotten a little bit better, but we still have a long way to go.”
Ponemon noted that the rate of data breaches is remarkably high, with 91 percent of providers experiencing one or more breaches in the last year and 40 percent of respondents having had more than five data breaches over the past two years. “Some of these data breaches could be very small events, less than 100 records, but they are still a big event for the patient whose data is exposed,” he said.
Speaking about the increase in criminal attacks, Rick Kam, co-founder of ID Experts, a software and services firm that sponsors the annual Ponemon study, said the FBI has been increasingly warning the healthcare industry about cyberattacks. “Medical records on the black market are worth somewhere between $60 and $70 as opposed to 50 cents or a dollar for a Social Security number or credit card number,” he said. “There is a real stimulus for criminal organizations that exist in Eastern Europe, Russia, China and Iran to go after and compromise these organizations to get access to that data.”
A few more bullet points from the survey results:
• In the past two years, healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of more than 2,700 lost or stolen records.
• When healthcare organizations were asked what type of security incident worries them most, 70 percent said the negligent or careless employee. Next came cyber attackers (40 percent) and the use of public cloud services (33 percent). Insecure mobile apps and insecure medical devices were cited least often (13 percent and 6 percent of respondents, respectively).
• Fifty-eight percent of healthcare organizations surveyed agreed that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft. However, fewer than half (49 percent) agreed that they have sufficient technologies, and only 33 percent agreed that they have sufficient resources to prevent or quickly detect a data breach.
• Slightly more than half (53 percent) of organizations surveyed said they have personnel with the necessary technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.
• Most healthcare organizations surveyed have an incident response process in place. Sixty-nine percent have a process with involvement from information technology, information security and compliance. However, 56 percent of respondents say more funding and resources are needed to make it effective.