Healthcare Organizations Face Spike in Data Breaches From Criminal Attacks

Patient data can be a valuable commodity in the cyber-underworld; so much so that apparently the number of attacks targeting healthcare organizations has gone through the roof.

According to a new study from Ponemon Institute, criminal attacks in the healthcare industry have shot up 125 percent since 2010 and are now the leading cause of data breaches. The study, which was sponsored by ID Experts, is based on responses from 90 healthcare organizations and 88 business associates, which are classified as people or organizations that perform services for healthcare organizations involving protected health information (PHI).

What it found was that regardless of size, healthcare organizations are increasingly at risk of data breaches. Almost all of them (91 percent) had at least one data breach during the last two years, 39 percent experienced two to five, and 40 percent admitted having more than five. The news was only somewhat better for the business associates of those organizations: 59 percent of the business associates experienced data breaches, with 14 percent falling victim to between two and five.

These breaches cost the healthcare industry $6 billion annually, according to the report.

“The main tactical issues are those facing every organization that has a plethora of sensitive and confidential information about individuals,” said Larry Ponemon, founder of the Ponemon Institute. “They face the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget. With respect to the negligent insider, it is putting together a more aggressive training and education awareness program, as well as investing in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information. Now that we are seeing more criminal attacks on healthcare organizations, it is critical that they assess what sensitive data needs to be monitored and protected and the location of this data.”

Daniel Nutkis is CEO for The Health Information Trust Alliance (HITRUST), an industry group focused on security. According to Nutkis, the Ponemon study’s findings jibe with what HITRUST sees in the industry.

“We have publicly communicated a steady increase in cyber attacks targeting healthcare organizations over the last two years,” he said. “We recommend organizations perform a risk assessment with attention to the controls associated with cyber risks, put in place a corrective action plan for those controls found deficient, participate in cyber preparedness exercises, and engage in industry information sharing and analysis organizations such as the HITRUST Cyber Threat Xchange (CTX).”

Despite the situation, more than half of the healthcare organizations and half of the business associates don’t believe their incident response process has adequate funding and resources. A third of the respondents don’t even have an incident response process in place, the study found.

“It is a surprise that organizations appear to be using ad hoc processes to manage documents and data since there are so many good solutions that exist,” said Rick Kam, president and founder of ID Experts. “I think the broader challenge is that board and executive management need to recognize that health data and records are being targeted by professional hackers, and that this is now the leading cause of data breaches in healthcare. This is due to the significantly higher black market value of a health record being $60-$70 according to the FBI, compared to a social security number or financial account number at $0.50 to $1.00.”

Organizations need to do more training and awareness around PHI, he said.

“This includes understanding how to avoid phishing emails and what to do to ensure data is not disclosed,” he said. “They also need to collaborate with other organizations who manage PHI – business associates – to also ensure they have similar programs in place.”
