An annual study on the privacy and security landscape in health care found that criminal attacks against organizations have replaced device theft and loss as the leading cause of data breaches.
According to the “Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data” published Thursday, 45 percent of healthcare organizations said that criminal attacks were the root cause of breaches, up from 40 percent in 2013.
Since 2011, lost and stolen devices were “consistently the top root cause” of breaches as reported by respondents, the study noted, revealing that “criminal attacks on healthcare organizations are up 125 percent compared to five years ago.”
Conducted by the Ponemon Institute and sponsored by ID Experts, the study entailed responses from 90 covered health care entities and 88 business associates, defined in the report as “a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S. Department of Health and Human Services.”
Among business associates (BAs), “unintentional employee action” was deemed the top root cause of data breaches, gleaning 51 percent of respondents' votes. Incidents described as “third-party snafus” followed closely with 49 percent of BAs votes (respondents were permitted more than one answer). Only, 39 percent of health care business associates said that criminal attack was the root cause of a data breach (compared to 45 percent of health care organizations).
To give readers a snapshot of the health care organizations participating in the study, the Ponemon Institute noted that more than 90 percent of entities experienced at least one data breach “involving the loss or theft of patient data in the past 24 months.” Over the two-year period, 40 percent experienced more than five data breaches, the study revealed.
Of note, more than half of business associates, 55 percent, said that billing and insurance records were the patient data most often successfully targeted by attackers, followed by payment details, which captured 41 percent of respondents' votes (who were permitted more than one response). As for healthcare organizations, 55 percent of respondents said that medical files contained the most valuable patient data and were most often successfully targeted, the study said. Forty-six percent of health care organizations said the same of billing and insurance records under attack.
While the average cost of a data breach to business associates was tallied at more than $1 million, the average cost for health care organizations was more than $2.1 million, the Ponemon Institute estimated.