Healthcare Data Breaches From Cyberattacks
New Ponemon Report reveals just how hot healthcare data is for hackers.
Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data: cyberattacks and physical criminal activity have now officially surpassed insider negligence as the leading cause of data breaches at healthcare organizations.
The Ponemon Institute’s new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That’s a first: employee or insider negligence (user errors, lost laptops and thumb drives, etc.) accounted for the majority of breaches last year and in years past, according to Ponemon.
More than 90% of the healthcare organizations surveyed by Ponemon for the report have suffered at least one data breach exposing patient data over the past two years, while 39% were hit by two to five breaches and 40% suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.
About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.
The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.
“For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches,” says Larry Ponemon, chairman and founder of Ponemon Institute. “Ninety-one percent had one or more breaches in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial.”
Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered paper-based security incidents. They’re not confident in their incident response capabilities, either: more than half say their IR isn’t adequately funded or staffed, and one-third don’t have an IR plan at all.
Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).
The report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses (patient billing, claims processing, health plan, and cloud services providers, for example) had been hit by data breaches; 14% had suffered two to five breaches, and 15% more than five, over a two-year period. More than 80% of them were hit by Web-based malware attacks.