“In the last six years of conducting the [Ponemon] study, it’s clear that efforts to safeguard patient data are not improving,” says Dr. Larry Ponemon, chairman and founder, Ponemon Institute.
“The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data” published by the Ponemon Institute in 2016, confirms what many who work with electronic protected health information (ePHI) already know: Electronic information-based security incidents continue to plague the healthcare industry. Cyberattacks against healthcare organizations are growing in cost, and so are attacks against third-party vendors that store, transmit, or process ePHI.
What better time than now, at the start of a new year, to reflect on the current state of your organization’s cybersecurity and to use this research as fuel to improve your data protection efforts. Let’s review the most important takeaways of the study:
The State of Healthcare’s Data Privacy & Security
“For the sixth year in a row, data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost,” states Ponemon. “Nearly 90% of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.”
“Even with increased enforcement of HIPAA Rules by the HHS’ Office for Civil Rights, there is little accountability for breaches of patient health information,” remarks Rick Kam, CIPP/US president and co-founder of ID Experts, the study’s sponsor.
The more you acknowledge, research and address the issues, the faster you can move forward and better protect your ePHI. Before you begin to build a new strategy to protect your sensitive data or amend your existing plan, you must understand the obstacles you face.
Top Threats to the Privacy and Security of Your Healthcare Data
As in 2015’s research, the study extended beyond healthcare organizations to include third-party vendors, identified as Business Associates (BAs). According to the U.S. Department of Health and Human Services, a BA is a person or company that provides services for a Covered Entity (CE) and that transmits, stores, or processes ePHI on its behalf. The scope of the research was broadened to BAs to provide a more accurate picture of the state of cyberattacks on health information and to illustrate that the security and privacy of health data are affected by BAs as well as by healthcare organizations (CEs).
The survey shows that 89% of CE participants reported at least one data breach involving the loss or theft of patient data in the past 24 months, compared to 91% in 2015. However, 61% of BAs reported more than one data breach in the past 24 months, compared to 59% in 2015.
The study cites criminal attacks as the top cause of data breaches, with 50% of CEs reporting a criminal attack as the cause of their breach, up from 45% in 2015. Forty-one percent of CEs attributed security incidents to a third-party snafu (SNAFU), compared to 43% in the previous year. Thirty-nine percent of respondents reported breaches resulting from a stolen computing device in 2016, while 13% of responding CEs described an incident caused by a malicious insider.
Source: The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data
BAs report a multitude of root causes for electronic information-based security incidents. In the 2016 study data, 55% of BAs reported data breaches due to unintentional employee action, compared to 51% in 2015. Fifty-two percent of breaches were attributed to third-party SNAFU compared to 49% in 2015.
In 2016’s study 41% of BAs reported criminal attack as the cause of data breaches, up from 39% in 2015.
The True Costs of a Data Breach May Be Higher Than You Think
“Data breaches in healthcare are costing the industry $6.2 billion, and remain consistently high…and have yet to decline since 2010—despite a slight increase in awareness and spending on security technology,” according to ID Experts.
The average consolidated total cost of a data breach grew from $3.8 million to $4 million, according to the “2016 Ponemon Cost of Data Breach Study,” which also reported that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. “The overall costs include fines levied by the federal government as well as instituting business continuity and incident response plans, employee training, and hiring a CISO,” says Bernie Monegain, for Healthcare IT News.
Healthcare Organizations Are Not Spending Enough on Mitigation
The media attention given to healthcare data breaches has shed light on the importance of ePHI protection and the impact of data breaches on an organization. Sixty-seven percent of CEs and 62% of BAs reported that the highly-publicized breaches have impacted security protocol, causing both types of organizations to practice heightened surveillance in protecting patient data. Data breaches in the healthcare industry continue to grow, with November 2016 showing a record high number for the year to date, according to the monthly Breach Barometer from Protenus, the world’s leading proactive patient privacy analytics platform.
However, despite the increased awareness and heightened vigilance, the study respondents reported little growth in the share of budgets allocated to technology, privacy and security, or in staff with technical expertise. According to the study, CEs report that budgets have decreased (10%) or stayed the same (52%). Similarly, most business associates must deal with budgets that have decreased (11%) or stayed the same (50%).
The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches. Criminal attacks and internal threats are the leading causes of data breaches. Evolving cyber threats such as ransomware and malware are of primary concern.
“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” remarks Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, writing for HIT Consultant. It is unreasonable to expect your organization to be protected if you have not invested in the proper technologies, policies and procedures.
Among the other key findings detailed in the Ponemon report are the statistics on the types of cyber attacks respondents are most concerned about, with denial-of-service (DoS) listed as the top concern among both CEs and BAs. There is also a notable discussion of the types of incidents covered under data breach insurance policies, the investigative costs, and the satisfaction levels CEs and BAs report with their cyber insurance.
Will You Take a Reactive or Proactive Approach?
As the report concludes, “Once again, criminal attacks are the leading cause of data breaches in healthcare. Internal problems such as mistakes—unintentional employee actions, third-party SNAFUs, and stolen computing devices—account for the other half of data breaches. In 2016, ransomware, malware, and denial-of-service (DOS) attacks are the top cyber threats facing healthcare organizations.”
It’s unknown what new threats 2017 will bring, but the report’s results are clear: Healthcare organizations are in dire need of better protection through technology and security expertise, and a broad application of innovative solutions. Government programs and policies—from the FDA and the HHS for example—have started to improve the landscape, but have a long way to go. Healthcare data privacy and security continues to be in your hands. Will you join the 30% of healthcare organizations that committed to investing more time, money, and resources into proper IT security planning in order to protect your organization’s data?
Because OnRamp specializes in high security hosting and HIPAA compliance, our team can help you develop a secure IT infrastructure—ask us how.