Criminal Attacks on Healthcare Data Up 125%

Criminal attacks against healthcare data increased 125 percent since 2010 and now are the leading cause of data breach, according to the “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data,” by the Ponemon Institute, a data privacy and security organization, and sponsored by ID Experts.

Nearly 45 percent of data breaches in healthcare are a result of criminal activity. Web-borne malware attacks hit 78 percent of healthcare organizations and 82 percent of business associates, including patient billing, health plans, claims processing and cloud services. And yet, only 40 percent of healthcare organizations said they are concerned about cyber attacks.

The healthcare sector represents an information-rich source of personal, credit and health information, which can be sold quickly and profitably, the report said, and most healthcare organizations remain ill prepared to address cyber threats and lack the resources and processes to protect patient data. The criminal attacks covered by the report also include malicious insiders and paper medical files; the study found medical files, as well as billing and insurance records, are the top stolen targets.

"We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number-one cause," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. "Since first conducting this study, healthcare providers are starting to make investments to protect patient information, which need to keep pace with the growing cyber threats."

Small- to middle-market organizations are at greater risk for data breach, the report said, as they have limited security and privacy processes, personnel, technology and budgets compared to their larger counterparts. Healthcare “business associates,” including patient billing, health plans, claims processing and cloud services, are included in the report, as are hospitals, clinics, and private or public healthcare providers.

Two health insurers, Anthem and Premera Blue Cross, have been breached this year, and industry observers say that the sector can expect more attacks because of the perceived value of their data.

Security incidents are much more numerous than data breaches, the report said, and federal law dictates that all security incidents be assessed to determine whether they are data breaches that require reporting. Organizations are not thoroughly assessing their security incidents, the report said, and one-third of the respondents do not have an incident response process in place.

"A breach is a breach, no matter how small. Whether 5,000,000, 5,000, or 50 individuals are affected, the impact to each and every person is a big deal," said Rick Kam, CIPP/U.S., president and co-founder of ID Experts. "How many more individuals could be at risk due to unreported data breaches?"

  • 91 percent of healthcare organizations had one data breach
  • 39 percent experienced two to five data breaches
  • 40 percent had more than five data breaches over the past two years.
  • In comparison, 59 percent of business associates experienced data breaches
  • 14 percent of business associates experienced two to five data breaches
  • 15 percent of business associates experienced more than five data breaches over the same period.
  • Half of all healthcare organizations, both CEs and BAs, have little or no confidence that they have the ability to detect all patient data loss or theft.
  • Data breaches are costing the healthcare industry $6 billion annually; the average economic impact of data breaches per organization is $2,134,800.
  • 65 percent of healthcare organizations and 87 percent of BAs experienced electronic information-based security incidents over the past two years, and approximately half of all respondents suffered paper-based security incidents.

Half of healthcare organizations and business associates said their incident-response processes are adequately funded and resourced, and one-third of respondents said they don't have an incident-response process in place.
