Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/12/2016
12:01 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Healthcare Suffers Estimated $6.2 Billion In Data Breaches

Nearly 90 percent of healthcare organizations were slammed by a breach in the past two years.

The 911 call has come in loud and clear for the healthcare industry: nearly 90% of all healthcare organizations suffered at least one data breach in the past two years with an average cost of $2.2 million per hack.

Despite heightened awareness and concern among the healthcare industry over its ability to thwart cybercrime, insider mistakes, and ransomware attacks, healthcare budgets for security have either dropped or remained the same in the past year, according to the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. Some 10% of budgets have declined, and more than half have remained static, and most believe they don’t have the budget to properly protect data.

The Ponemon report, commissioned by ID Experts, estimates that data breaches cost the healthcare industry some $6.2 billion, as some 79% of healthcare organizations say they were hit with two or more data breaches in the past two years, and 45%, more than five breaches. Most of those exposed fewer than 500 data records, and thus don't get reported to the US Department of Health and Human Services nor are revealed to the media. Ponemon surveyed 91 healthcare organizations, mainly healthcare providers, and 84 healthcare business partner organizations, including pharmaceutical companies, IT and service providers, and medical device makers, and broke down the findings accordingly.

Healthcare’s security woes have been well-documented over the past year. Even before the infamous recent wave of ransomware attacks on hospitals, there were plenty of red flags that healthcare was a ripe target for cybercrime, and even cyber espionage: there were massive breaches at Anthem and other insurers, as well as UCLA Health and earlier this year, 21st Century Oncology. A study last year by Raytheon and Websense found that healthcare organizations are twice as likely to suffer a data breach than those in other industries. And according to Trend Micro’s analysis of Privacy Rights Clearinghouse data, healthcare organizations suffered more breaches than any other industry sector between 1995 and 2005 -- with some 27% of all breaches.

Not surprisingly, healthcare organizations also have been failing in their application security programs and practices as well. According to the Building Security In Maturity Model (BSIMM) study published in October, BSIMM6, healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries, when it comes to securing their applications.

The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identify thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes.

 “There seems to be increasing awareness that medical identify theft is one of the results” of attacks, says Rick Kam, president and co-founder of ID Experts. “What’s bad is that healthcare organizations aren’t putting in the resources to help those [issues]. Medical identity theft includes a patient’s prescriptions, diagnosis, blood type” and other information that if compromised could risk a patient’s health or life, he says.

Cybercrime-based attacks remain the number one cause of data breaches, and they were up 5% to 50% this year, the report says. The rest were rooted in insider woes: 41% via a lost or stolen device and 36% via an “unintentional” employee act. Around 13% cite a malicious insider attack.

While respondents were surveyed last year prior to the big ransomware attacks on hospitals, ransomware was top of mind. Distributed denial-of-service (DDoS) attacks are the biggest worry of healthcare organizations (48%), followed by ransomware (44%), malware (41%), phishing (32%), advanced persistent threats (16%), rogue software (11%), and password attacks (8%).

Meanwhile, healthcare organizations are well aware they lack cybersecurity staff and talent to keep up with cyber threats. ID Experts’ Kam says there are some 20,000 vacant data security positions open in the healthcare sector, which exacerbates the problem of flat budgets and rising breaches.

The talent resource issue was echoed late last year by Jim Routh, chief information security officer at Aetna Global Security and chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange. Routh, whose firm was one of the 10 healthcare firms to participate in the BSIMM6 study on software security, noted that healthcare firms typically lack security staff and resources, despite a growing awareness of the importance of software security programs.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Financial SuperStar
50%
50%
Financial SuperStar,
User Rank: Apprentice
6/20/2019 | 11:12:41 AM
Financial Advisor
At the end of the day there will always be data breaches. However, it should be noted that health care companies seem to be having a disporpotioate amount of data breaches. 
builder7
50%
50%
builder7,
User Rank: Apprentice
5/12/2016 | 2:45:58 PM
Negligence
The different entities in the healthcare industry should be charged with negligence that has led to these data breaches, as they should in many other industries, because of their intrasingence towards security in their organizatons that are charged with upholding a certain criteria regarding safeguarding the data that people give them.  It would almost be like they want the data to be lost because it later appears as data that can be bought by private business so that they don't have to abide by the HIPPA rules.  Business may not be hiring the proper people and/or the correct amount of people to protect their data because they just wink at each other in business.  No matter what the reasoning, these businesses are the ones responsible for allowing unauthorized use of their servers or workstations because they have been negligent.  It only takes on look at their yearly profits to see that they could have well afforded to hire the small amount of technicians who could protect their networks and servers.  I am tired of seeing these stories because there is no such thing as protected data anymore.  This is just another example of how business is unable to take care of things themselves but always seem to need regulations to lead them by the hand to make them abide by certain norms to accomplish their mission, which is at odds with them making horrendous amounts of profit!  It is time for this to stop!
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/12/2016 | 8:52:46 AM
Re: Healthcare breaches
...Now if they could only get the necessary budget & talent to shore up their security. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/12/2016 | 8:50:05 AM
Healthcare breaches
2015 was big in particular for this activity.  At a healthcare IT conference I went to last month (one I go to almost every year), one of the speakers referred to 2015 as "the year of the healthcare breach" -- and it's something that has worried the industry (as well as government regulators) quite a bit.  Security was much more top-of-mind at this year's conference than it had been in the past.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.