According to a Ponemon study, a staggering eighty-nine percent of healthcare organizations have suffered a data breach. The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data conducted by the institute indicated that hospitals are fast becoming one of the most popular targets for cyberattacks.
For the second consecutive year, the study shows that hacking is the main cause of data compromise, up five percent on last year to 50%. Employee inattention, third-party security lapses and stolen devices account for the remainder. The study finds that the organizations and their business associates (BA) are lax and negligent when handling patient information. Another point highlighted is the lack of resources to train employees concerning the threat of the next big thing: ransomware.
Data breaches have steadily risen since 2010, despite heightened coverage concerning attacks. Even with supplementary training, half of organization staff and more than half of BA say that they would probably be unable to detect a breach involving data loss. Currently, these incursions are costing $6.2 billion. ‘In the last six years of conducting this study, it’s clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago,’ said Dr. Larry Ponemon, founder of the Institute.
The study also indicates that data breaches are consistently rising: 79% of organizations have suffered multiple (more than two) breaches in the last two years, while 34% have experienced 2-5 breaches in that period. 45% had more than five breaches of patient data. Medical records are the most often compromised, followed by billing details and insurance records. As most breaches of fewer than 500 records/documents are not reported to the Department of Health and Human Services (HHS), these figures could be much higher. Dr. Ponemon continues, ‘Negligence—sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem’.
While DoS attacks are prevalent, ransomware is the newest fear for 2016. The other concerning vulnerabilities Ponemon found were employee negligence, mobile device insecurity, cloud service use, malicious insiders and security weaknesses in phone apps related to health services (eHealth). All of these can create an easy access route for ransomware.
The healthcare organizations and the BA are blaming each other for these terrible revelations. After the initial study six years ago, everyone seems astounded that no real investment has been made to improve security. This view is held by 59% of the organizations and 60% of BA.
Patients are suffering medical identity theft. Of those surveyed, 38% of healthcare organizations and 26% of BA recognize that their patients’ records have been compromised. Medical identity theft involves a thief using the patient’s name to receive medical care. This changes a patient’s medical record and could have grave implications in an emergency. More worrying is that even if breaches are detected and admitted, 58% of healthcare organizations and 67% of BA do not have a process in place to correct errors on records created by medical fraud.