Patient data can be a valuable commodity in the cyber-underworld; so much so that apparently the number of attacks targeting healthcare organizations has gone through the roof.
According to a new study from Ponemon Institute, criminal attacks in the healthcare industry have shot up 125 percent since 2010 and are now the leading cause of data breaches. The study, which was sponsored by ID Experts, is based on responses from 90 healthcare organizations and 88 business associates, which are classified as people or organizations that perform services for healthcare organizations involving protected health information (PHI).
What it found was that regardless of size, healthcare organizations are increasingly at risk of data breaches. Almost all of them (91 percent) had one data breach during the last two years, and 39 percent experienced two to five. Forty percent admitted having more than five. The news was somewhat better for the business associates of those organizations either. Fifty-nine percent of the business associates experienced data breaches, with 14 percent falling victim to between two and five.
These breaches cost the healthcare industry $6 billion annually, according to the report.
“The main tactical issues are those facing every organization that has a plethora of sensitive and confidential information about individuals,” said Larry Ponemon, founder of the Ponemon Institute. “They face the dual challenge of reducing both the insider risk and the malicious outsider. Both require different approaches that can tax even the most robust IT security budget. With respect to the negligent insider, it is putting together a more aggressive training and education awareness program, as well as investing in technologies that can safeguard patient data on mobile devices and prevent the exfiltration of sensitive information. Now that we are seeing more criminal attacks on healthcare organizations, it is critical that they assess what sensitive data needs to be monitored and protected and the location of this data.”
Daniel Nutkis is CEO for The Health Information Trust Alliance (HITRUST), an industry group focused on security. According to Nutkis, the Ponemon study’s findings jibe with what HITRUST sees in the industry.
“We have publicly communicated a steady increase in cyber attacks targeting healthcare organizations over the last two years,” he said. “We recommend organizations perform a risk assessment with attention to the controls associated with cyber risks, put in place a corrective action plan for those controls deficient, participate in cyber preparedness exercises, and engage in an industry information sharing and analysis organizations such as the HITRUST Cyber Treat Xchange (CTX).”
Despite the situation, more than half of the healthcare organizations and half of the business associates don’t believe their incident response process has adequate funding and resources. A third of the respondents don’t even have an incident response in place, the study found.
“It is a surprise that organizations appear to be using ad hoc processes to manage documents and data since there are so many good solutions that exist,” said Rick Kam, president and founder of ID Experts. “I think the broader challenge is that board and executive management need to recognize that health data and records are being targeted by professional hackers and is now the leading cause of data breaches in healthcare. This is due to the significantly higher black market value of a health record being $60-$70 according to the FBI, compared to a social security number or financial account number at $0.50 to $1.00.”
Organizations need to do more training and awareness around PHI, he said.
“This includes understanding how to avoid phishing emails and what to do to ensure data is not disclosed,” he said. “They also need to collaborate with other organizations who manage PHI – business associates – to also ensure they have similar programs in place.”