The 911 call has come in loud and clear for the healthcare industry: nearly 90% of all healthcare organizations suffered at least one data breach in the past two years with an average cost of $2.2 million per hack.
Despite heightened awareness and concern among the healthcare industry over its ability to thwart cybercrime, insider mistakes, and ransomware attacks, healthcare budgets for security have either dropped or remained the same in the past year, according to the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute. Some 10% of budgets have declined, and more than half have remained static, and most believe they don’t have the budget to properly protect data.
The Ponemon report, commissioned by ID Experts, estimates that data breaches cost the healthcare industry some $6.2 billion, as some 79% of healthcare organizations say they were hit with two or more data breaches in the past two years, and 45%, more than five breaches. Most of those exposed fewer than 500 data records, and thus don't get reported to the US Department of Health and Human Services nor are revealed to the media. Ponemon surveyed 91 healthcare organizations, mainly healthcare providers, and 84 healthcare business partner organizations, including pharmaceutical companies, IT and service providers, and medical device makers, and broke down the findings accordingly.
Healthcare’s security woes have been well-documented over the past year. Even before the infamous recent wave of ransomware attacks on hospitals, there were plenty of red flags that healthcare was a ripe target for cybercrime, and even cyber espionage: there were massive breaches at Anthem and other insurers, as well as UCLA Health and earlier this year, 21st Century Oncology. A study last year by Raytheon and Websense found that healthcare organizations are twice as likely to suffer a data breach than those in other industries. And according to Trend Micro’s analysis of Privacy Rights Clearinghouse data, healthcare organizations suffered more breaches than any other industry sector between 1995 and 2005 -- with some 27% of all breaches.
Not surprisingly, healthcare organizations also have been failing in their application security programs and practices as well. According to the Building Security In Maturity Model (BSIMM) study published in October, BSIMM6, healthcare organizations scored much lower than their counterparts in the financial services, independent software vendor, and consumer electronics industries, when it comes to securing their applications.
The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers, but 64% of healthcare organizations don’t offer credit protection services for victims, and 67% of business partners don’t have procedures in place to correct errors in medical records—a gap that could be life-threatening in the case of an identify thief using a patient’s medical information for fraudulent purposes, the Ponemon report notes.
“There seems to be increasing awareness that medical identify theft is one of the results” of attacks, says Rick Kam, president and co-founder of ID Experts. “What’s bad is that healthcare organizations aren’t putting in the resources to help those [issues]. Medical identity theft includes a patient’s prescriptions, diagnosis, blood type” and other information that if compromised could risk a patient’s health or life, he says.
Cybercrime-based attacks remain the number one cause of data breaches, and they were up 5% to 50% this year, the report says. The rest were rooted in insider woes: 41% via a lost or stolen device and 36% via an “unintentional” employee act. Around 13% cite a malicious insider attack.
While respondents were surveyed last year prior to the big ransomware attacks on hospitals, ransomware was top of mind. Distributed denial-of-service (DDoS) attacks are the biggest worry of healthcare organizations (48%), followed by ransomware (44%), malware (41%), phishing (32%), advanced persistent threats (16%), rogue software (11%), and password attacks (8%).
Meanwhile, healthcare organizations are well aware they lack cybersecurity staff and talent to keep up with cyber threats. ID Experts’ Kam says there are some 20,000 vacant data security positions open in the healthcare sector, which exacerbates the problem of flat budgets and rising breaches.
The talent resource issue was echoed late last year by Jim Routh, chief information security officer at Aetna Global Security and chairman of the NH-ISAC, the healthcare industry's threat information-sharing exchange. Routh, whose firm was one of the 10 healthcare firms to participate in the BSIMM6 study on software security, noted that healthcare firms typically lack security staff and resources, despite a growing awareness of the importance of software security programs.