The new Ponemon report estimates that data breaches cost the healthcare industry some $6.2 billion, as some 79% of healthcare organizations say they were hit with two or more data breaches in the past two years, and 45% with more than five.
Data breaches cost the healthcare industry some $6.2 billion, and nearly 90% of all healthcare organizations suffered at least one data breach in the past two years, at an average cost of $2.2 million per breach. Why is healthcare such a soft cyber target?
Despite heightened awareness and concern across the healthcare industry about its ability to stop cybercrime, insider mistakes, and ransomware attacks, healthcare security budgets have either dropped or stayed the same in the past year, according to the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. Some 10% of budgets have declined, more than half have remained static, and most respondents believe they lack the budget to properly protect data.
Interestingly enough, while healthcare providers admit that criminals are increasingly targeting healthcare companies, the vast majority are convinced their own organization has not experienced a breach. As a result, they are not changing their behavior in any significant way, because they do not see themselves as actual cyber-attack targets. Perhaps this explains why security budgets in healthcare have not increased since 2014: security spending has remained at an average of 5% of the total IT budget, compared to 8% for government and 11% for financial services. Is it finally time to invest more in security measures?
Healthcare’s security issues have been well documented over the past year. Even before the recent wave of ransomware attacks on hospitals, there were plenty of red flags that healthcare was a ripe target for cybercrime, and even cyber espionage: there were massive breaches at Anthem and other insurers, as well as at UCLA Health and, earlier this year, 21st Century Oncology.
A study last year by Raytheon and Websense found that healthcare organizations are twice as likely to suffer a data breach as those in other industries. And according to Trend Micro’s analysis of Privacy Rights Clearinghouse data, healthcare organizations suffered more breaches than any other industry sector between 1995 and 2005, accounting for some 27% of all breaches.
The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, yet 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners have no procedures in place to correct errors in medical records, a gap that could be life-threatening if an identity thief uses a patient’s medical information for fraudulent purposes, the Ponemon report notes.
Meanwhile, healthcare organizations are well aware that they lack the cyber security staff and talent needed to keep up with cyber threats. The talent shortage was echoed late last year by Jim Routh, chief information security officer at Aetna Global Security and chairman of the NH-ISAC, the healthcare industry’s threat information-sharing exchange. Routh, whose firm was one of the 10 healthcare firms to participate in the BSIMM6 study on software security, noted that healthcare firms typically lack security staff and resources, despite a growing awareness of the importance of software security programs. One possible way to deal with the cost of data breaches is for healthcare companies to start buying cyber security insurance to pay for malpractice!