Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data: cyberattacks and physical criminal activity have now officially surpassed insider negligence as the main cause of data breaches in healthcare organizations.
The Ponemon Institute's new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That's a first, since employee or insider negligence -- user errors, lost laptops and thumb drives, etc. -- accounted for the majority of breaches last year and in years past, according to Ponemon.
More than 90% of healthcare organizations surveyed by Ponemon in its report have suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.
About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.
The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.
"For the first time, criminal attacks constitute the number one root cause [of data breaches], versus user negligence/incompetence or system glitches," says Larry Ponemon, chairman and founder of Ponemon Institute. "Ninety-one percent had one or more breaches in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial."
Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered paper-based security incidents. They're not confident in their incident response capabilities, either, with more than half saying their IR isn't adequately funded or staffed. And one-third don't have an IR plan at all.
Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).
The report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses -- patient billing, claims processing, health plan, and cloud services, for example -- had been hit by data breaches; 14% of them had suffered two to five breaches, and 15% more than five, during a two-year period. More than 80% of them were hit by Web-based malware attacks.
Rick Kam, president and co-founder of ID Experts, says the bad guys are going after healthcare records because they are so valuable. While a stolen credit card can go for a dollar or less in the underground, a patient's pilfered health credentials can bring in as much as $10, according to some experts.
"Data breaches like Anthem's are rare events," Ponemon says. "The types here [in this report] are mostly smaller-sized breaches."
The bad guys are after insurance information for insurance fraud, as well as employee data from the healthcare providers. "We've seen a huge increase in" abuse of employee data, ID Experts' Kam says. "In the last month and a half, we've seen a 100% increase in tax fraud."