For the second consecutive year, Ponemon Institute's annual study on the state of security and privacy in healthcare found that cyber-crime was the leading cause of data breaches among hospitals and other medical providers.
According to the 'Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,' 50 percent of surveyed healthcare providers named cyber-criminal attacks as the root cause of a data breach they experienced in the past two years, compared to 45 percent in the 2015 and as little as 20 percent when the survey first debuted in 2011. An error by a third-party party partner was the next most commonly cited cause, at 41 percent (respondents were allowed to cite multiple causes). Stolen computing devices ranked third at 39 percent.
“One hypothesis we have, and I think the data supports us over the last six years, is that there are more and more attacks from external sources,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.
Moreover, Ponemon found that 89 percent of surveyed healthcare providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches, holding steady from the previous year's report. Moreover, 45 percent admitted to having more than five breaches over the past two years, compared to 40 percent of respondents last year.
Ponemon estimates in its report that data breaches over the past two years have cost healthcare organisations an average of $2.2 million (£1.5 mil), and extrapolates that the industry as a whole lost $6.2 billion (£4.3 bil).
Employee negligence was the most commonly cited security threat that healthcare organisations expressed concern over (69 percent), followed by cyber-attacks (45 percent—a five percentage-point increase over the previous year.)
Delving deeper into the cyber-attack threat, Ponemon found that hospitals are most concerned about distributed denial of service (DDOS) attacks (48 percent), following by ransomware (44 percent) and malware (41 percent).
A 69-percent majority of healthcare organisations said they believe their industry is more vulnerable to data breaches than other business sectors. Among those who expressed this opinion, 51 percent said that one of the top two reasons is because they have not been not vigilant enough in ensuring that their third-party service providers are securely managing their sensitive data.
But perhaps this is changing: When asked how recent medical breaches have influenced their own security practices, 61 percent of healthcare organisations said they are now paying more attention to what kinds of data safeguards their third-party partners have in place.
The Ponemon Institute separately surveyed third-party partners that contract with healthcare organisations and asked why they think healthcare organisations are more vulnerable to breaches compared to other sectors. From a business partner perspective, 54 percent squarely laid the blame on healthcare employees themselves for being negligent in how they handle patient information, while only 32 percent said it was because healthcare organisations weren't adequately vetting third-party partners.
Ponemon noted that the employees in the healthcare field are often so preoccupied with administering timely and quality care, that IT security is not even close to top of mind. “When talking about things like protecting information, you get a glaze-eyed look” from many health employees, said Ponemon. “It's not really a security-oriented culture,” he added.
According to the survey, the types of files that were most often compromised among healthcare providers were medical files (64 percent) and billing and insurance records (45 percent). “This information can be used to commit not just one identity crime but many, including medical identify theft,” said Ponemon. “The value of medical records is many times more valuable than other kinds of information about individuals.”
Ponemon noted that medical imaging data can even be used to create fake visas and passports. “It's becomes a national security problem,” he said.
Of the respondents who confirmed that their healthcare organisations have both a security incident response plan and the in-house expertise to execute it, 56 percent said that more funding and resources were needed for the plan to truly be effective. Indeed, 77 percent of the organisations participating in the study said that they allocated 20 percent of less of their total security budget to incident response.