Despite an increase in awareness about threats to patient data, the sixth annual survey of healthcare organizations by the Ponemon Institute suggests that the number and impact of data breaches are not declining. The survey found that 89 percent of responding organizations experienced data breaches, and the number of breaches tied to criminal attacks continues has reached 50 percent.
Seventy-nine percent of healthcare organizations experienced multiple data breaches (two or more) in the past two years—up 20 percent since 2010. More than one-third, or 34 percent, of healthcare organizations experienced two to five breaches. Nearly half of healthcare organizations, or 45 percent, had more than five breaches.
The thing that stuck out to me about the survey results was that the frequency of breaches is still very high at 89 percent,” said Rick Kam, president and CEO of ID Experts, a software and consulting firm that sponsors the survey. “It hasn’t changed much over the years, despite the investments and enforcement actions that Health & Human Services and the Office for Civil Rights have put in place. That is the most striking thing.”
Criminal attacks are up in 2016 and are, once again, the leading cause of data breach among healthcare organizations, causing half of all data breaches and causing 41 percent of data breaches among business associates (BAs). The most concerning cyber threats among the healthcare industry are ransomware, malware, and denial of service (DoS) attacks. DoS attacks have been around a long time but continue to be prevalent. Ransomware is the newest cyber threat and concern for 2016. “The type of malware being developed today is so much more sophisticated than the malware we analyzed as a research firm five or 10 years ago, said Larry Ponemon, chairman and founder of the Ponemon Institute. “I think there is going to be a wave of destructive malware. Ransomware is one type, but there may be other types that are equally bad. Things are going to get better, but healthcare is a target now. Health records are considered valuable information, so data exfiltration is probably going to be on the rise, and more organizations are going to fall victim to the destructive malware scenarios.” But as a result of all that, he added, there will be more efforts focused on fixes and new technologies developed.
Mistakes cause the other half of data breaches in healthcare. Based on the research, mistakes are classified as third-party snafus, stolen computing devices, and unintentional employee actions. The study found that other top concerns to patient data are employee negligence, mobile device insecurity, use of cloud services, malicious insiders, and a growing concern about mobile apps— up from 6 percent in 2015 to 19 percent this year.
Kam noted that it is not only mobile apps and new devices creating the increased attack vector. Older devices like MRI machines still using old Windows 95 operating systems are seen as security weak points on networks by criminals and targeted.
The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on, Kam said. The covered entities are pointing fingers at the business associates and vice versa, he said, for not doing enough to protect patient data. So what is a solution? “I look to the financial services industry with the Sarbanes-Oxley law that required C-level execs to attest to the accuracy of financial reports. We have a wonderful HIPAA and privacy and security rule, but we don’t make the executive team attest to the fact that they have reviewed the risk assessment, and made the appropriate investments in policy, technology and people to mitigate those risks. Add that one element, and the accountability issue would go a long way to being solved.”
Thirty-eight percent of healthcare organizations and 26 percent of BAs are aware of medical identity theft cases affecting their own patients and customers. Despite the known risks, 64 percent of healthcare organizations and 67 percent of BAs don’t offer any protection services for victims whose information has been breached. Fifty-eight percent of healthcare organizations and 67 percent of BAs do not have a process in place to correct errors in victims’ medical records. “When we first started doing this survey and asked about medical identity theft, people would shrug their shoulders and say what is that?” Ponemon said. “At least it is now on the radar screen, but that doesn’t mean they have a plan in place to help the victim. Medical ID theft seems to be an increasing issue, and someone has to be accountable for it.”