For the second consecutive year, Ponemon Institute's annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.
According to the “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,” 50 percent of surveyed health care providers named cybercriminal attacks as the root cause of a data breach they experienced in the past two years, compared to 45 percent in the 2015 and as little as 20 percent when the survey first debuted in 2011. An error by a third-party party partner was the next most commonly cited cause, at 41 percent (respondents were allowed to cite multiple causes). Stolen computing devices ranked third at 39 percent.
“One hypothesis we have, and I think the data supports us over the last six years, is that there are more and more attacks from external sources,” said Larry Ponemon, chairman and co-founder of the Ponemon Institute.
Moreover, Ponemon found that 89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches, holding steady from the previous year's report. Moreover, 45 percent admitted to having more than five breaches over the past two years, compared to 40 percent of respondents last year.
Ponemon estimates in its report that data breaches over the past two years have cost health care organizations an average of $2.2 million, and extrapolates that the industry as a whole lost $6.2 billion.
Employee negligence was the most commonly cited security threat that healthcare organizations expressed concern over (69 percent), followed by cyber attacks (45 percent—a five percentage-point increase over the previous year.)
Delving deeper into the cyberattack threat, Ponemon found that hospitals are most concerned about distributed denial of service (DDOS) attacks (48 percent), following by ransomware (44 percent) and malware (41 percent).
A 69-percent majority of health care organizations said they believe their industry is more vulnerable to data breaches than other business sectors. Among those who expressed this opinion, 51 percent said that one of the top two reasons is because they have not been not vigilant enough in ensuring that their third-party service providers are securely managing their sensitive data.
But perhaps this is changing: When asked how recent medical breaches have influenced their own security practices, 61 percent of health care organizations said they are now paying more attention to what kinds of data safeguards their third-party partners have in place.
The Ponemon Institute separately surveyed third-party partners that contract with health care organizations and asked why they think health care organizations are more vulnerable to breaches compared to other sectors. From a business partner perspective, 54 percent squarely laid the blame on health care employees themselves for being negligent in how they handle patient information, while only 32 percent said it was because health care organizations weren't adequately vetting their third-party partners.
Ponemon noted that the employees in the health-care field are often so preoccupied with administering timely and quality care, that IT security is not even close to top of mind. “When talking about things like protecting information, you get a glaze-eyed look” from many health employees, said Ponemon. “It's not really a security-oriented culture,” he added.
According to the survey, the types of files that were most often compromised among health care providers were medical files (64 percent) and billing and insurance records (45 percent). “This information can be used to commit not just one identity crime but many, including medical identify theft,” said Ponemon. “The value of medical records is many times more valuable than other kinds of information about individuals.”
Ponemon noted that medical imaging data can even be used to create fake visas and passports. “It's becomes a national security problem,” he said.
Of the respondents who confirmed that their health care organizations have both a security incident response plan and the in-house expertise to execute it, 56 percent said that more funding and resources were needed for the plan to truly be effective. Indeed, 77 percent of the organizations participating in the study said that they allocated 20 percent of less of their total security budget to incident response.