
5/12/2016
12:01 AM

Healthcare Suffers Estimated $6.2 Billion In Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years.

The 911 call has come in loud and clear for the healthcare industry: nearly 90% of all healthcare organizations suffered at least one data breach in the past two years with an average cost of $2.2 million per hack.

Despite heightened awareness and concern among the healthcare industry over its ability to thwart cybercrime, insider mistakes, and ransomware attacks, healthcare budgets for security have either dropped or remained the same in the past year, according to the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. Some 10% of budgets have declined and more than half have remained static; most believe they don’t have the budget to properly protect data.

The Ponemon report, commissioned by ID Experts, estimates that data breaches cost the healthcare industry some $6.2 billion, as some 79% of healthcare organizations say they were hit with two or more data breaches in the past two years, and 45%, more than five breaches. Most of those exposed fewer than 500 data records, and thus aren't reported to the US Department of Health and Human Services or revealed to the media. Ponemon surveyed 91 healthcare organizations, mainly healthcare providers, and 84 healthcare business partner organizations, including pharmaceutical companies, IT and service providers, and medical device makers, and broke down the findings accordingly.

Healthcare’s security woes have been well-documented over the past year. Even before the infamous recent wave of ransomware attacks on hospitals, there were plenty of red flags that healthcare was a ripe target for cybercrime, and even cyber espionage: there were massive breaches at Anthem and other insurers, as well as UCLA Health and, earlier this year, 21st Century Oncology. A study last year by Raytheon and Websense found that healthcare organizations are twice as likely to suffer a data breach as those in other industries. And according to Trend Micro’s analysis of Privacy Rights Clearinghouse data, healthcare organizations suffered more breaches than any other industry sector between 1995 and 2005 -- with some 27% of all breaches.

Not surprisingly, healthcare organizations have also been failing in their application security programs and practices. According to the Building Security In Maturity Model (BSIMM) study published in October, BSIMM6, healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries when it comes to securing their applications.

The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identity thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes.

“There seems to be increasing awareness that medical identity theft is one of the results” of attacks, says Rick Kam, president and co-founder of ID Experts. “What’s bad is that healthcare organizations aren’t putting in the resources to help those [issues]. Medical identity theft includes a patient’s prescriptions, diagnosis, blood type” and other information that if compromised could risk a patient’s health or life, he says.

Cybercrime-based attacks remain the number one cause of data breaches, and they were up 5% to 50% this year, the report says. The rest were rooted in insider woes: 41% via a lost or stolen device and 36% via an “unintentional” employee act. Around 13% cite a malicious insider attack.

While respondents were surveyed last year prior to the big ransomware attacks on hospitals, ransomware was top of mind. Distributed denial-of-service (DDoS) attacks are the biggest worry of healthcare organizations (48%), followed by ransomware (44%), malware (41%), phishing (32%), advanced persistent threats (16%), rogue software (11%), and password attacks (8%).

Meanwhile, healthcare organizations are well aware they lack cybersecurity staff and talent to keep up with cyber threats. ID Experts’ Kam says there are some 20,000 vacant data security positions open in the healthcare sector, which exacerbates the problem of flat budgets and rising breaches.

The talent resource issue was echoed late last year by Jim Routh, chief information security officer at Aetna Global Security and chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange. Routh, whose firm was one of the 10 healthcare firms to participate in the BSIMM6 study on software security, noted that healthcare firms typically lack security staff and resources, despite a growing awareness of the importance of software security programs.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
builder7,
User Rank: Apprentice
5/12/2016 | 2:45:58 PM
Negligence
The different entities in the healthcare industry should be charged with negligence that has led to these data breaches, as they should in many other industries, because of their intransigence towards security in their organizations that are charged with upholding a certain criteria regarding safeguarding the data that people give them. It would almost be like they want the data to be lost because it later appears as data that can be bought by private business so that they don't have to abide by the HIPAA rules. Business may not be hiring the proper people and/or the correct amount of people to protect their data because they just wink at each other in business. No matter what the reasoning, these businesses are the ones responsible for allowing unauthorized use of their servers or workstations because they have been negligent. It only takes one look at their yearly profits to see that they could have well afforded to hire the small amount of technicians who could protect their networks and servers. I am tired of seeing these stories because there is no such thing as protected data anymore. This is just another example of how business is unable to take care of things themselves but always seem to need regulations to lead them by the hand to make them abide by certain norms to accomplish their mission, which is at odds with them making horrendous amounts of profit! It is time for this to stop!
Kelly Jackson Higgins,
User Rank: Strategist
5/12/2016 | 8:52:46 AM
Re: Healthcare breaches
...Now if they could only get the necessary budget & talent to shore up their security. 
Joe Stanganelli,
User Rank: Ninja
5/12/2016 | 8:50:05 AM
Healthcare breaches
2015 was big in particular for this activity.  At a healthcare IT conference I went to last month (one I go to almost every year), one of the speakers referred to 2015 as "the year of the healthcare breach" -- and it's something that has worried the industry (as well as government regulators) quite a bit.  Security was much more top-of-mind at this year's conference than it had been in the past.