“In the last six years of conducting the [Ponemon] study, it’s clear that efforts to safeguard patient data are not improving,” says Dr. Larry Ponemon, chairman and founder, Ponemon Institute.
The Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data published by the Ponemon Institute in 2016, confirmed what many who work with electronic protected health information (ePHI) already knew: Electronic information-based security incidents continue to plague the healthcare industry. Cyberattacks against healthcare organizations have continued to grow in cost. Attacks against third-party vendors that store, transmit, or process ePHI have also grown in cost.
What better time than the present to reflect on the current state of your organizations’ cybersecurity, and use this research as fuel to improve upon your data protection efforts. Let us review the most important takeaways of the study:
The State of Healthcare’s Data Privacy and Security
“For the sixth year in a row, data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost,” states Ponemon. “Nearly 90% of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period.”
“Even with increased enforcement of HIPAA Rules by the HHS’ Office for Civil Rights, there is little accountability for breaches of patient health information,” remarks Rick Kam, CIPP/US president and co-founder of ID Experts, the study’s sponsor.
The more you acknowledge, research, and address the issues, the faster you can move forward and better protect your ePHI. Before you begin to build a new strategy to protect your sensitive data or amend your existing plan, you must understand the obstacles you face.
Top Threats to the Privacy and Security of Your Healthcare Data
Just like 2015’s research, the study extended beyond healthcare organizations to include third-party vendors, identified as Business Associates (BAs). According to the U.S. Department of Health and Human Services, a BA is a person or company that provides services for a Covered Entity (CE) that transmits, stores, or processes ePHI. The decision to broaden the scope of the research to BAs was made to provide a more accurate picture of the state of cyberattacks on health information and to illustrate the fact that the security and privacy of health data are impacted by Bas, as well as, healthcare organizations (CEs.)
The survey showed that 89 percent of CE participants reported at least one data breach involving the loss or theft of patient data in the past 24 months, compared to 91 percent in 2015. However, 61 percent of BAs reported more than one data breach in the past 24 months, compared to 59 percent in 2015.
The study cited criminal attacks as the top cause of data breaches, with 50 percent of CEs reporting a criminal attack as the cause of their breach, up from 45 percent in 2015. Forty-one percent of CEs described security incidents due to third-party situational normal, all fouled up (SNAFU), compared to 43 percent in the previous year. Thirty-nine percent of respondents reported breaches as a result of a stolen computing device in 2016, while 13 percent of CEs responding described an incident due to a malicious insider.
Source: The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data
BAs reported a multitude of root causes for electronic information-based security incidents. In the 2016 study data, 55 percent of BAs reported data breaches due to unintentional employee action, compared to 51 percent in 2015. Fifty-two percent of breaches were attributed to third-party SNAFU compared to 49 percent in 2015.
In 2016’s study 41 percent of BAs reported criminal attack as the cause of data breaches, up from 39 percent in 2015.
The True Costs of a Data Breach May Be Higher Than You Think
“Data breaches in healthcare are costing the industry $6.2 billion and remain consistently high…and have yet to decline since 2010—despite a slight increase in awareness and spending on security technology,” according to ID Experts.
The average consolidated total cost of a data breach grew from $3.8 million to $4 million, according to the 2016 Ponemon Cost of Data Breach Study, which also reported that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. “The overall costs include fines levied by the federal government as well as instituting business continuity and incident response plans, employee training, and hiring a CISO,” says Bernie Monegain, for Healthcare IT News.
Healthcare Organizations Are Not Spending Enough on Mitigation
The media attention given to healthcare data breaches shed light on the importance of ePHI protection and the impact of data breaches on an organization. Sixty-seven percent of CEs and 62 percent of BAs reported that the highly publicized breaches have impacted security protocol, causing both types of organizations to practice heightened surveillance in protecting patient data.
Data breaches in the healthcare industry have continued to grow. Alarmingly, the number of affected patient records almost tripled from 5.5 million in 2017 to 15 million in 2018, reported the 2019 Annual Breach Barometer Report from Protenus, the world’s leading proactive patient privacy analytics platform.
However, despite the increased awareness and heightened vigilance, the study respondents reported little growth in the percentage of budgets allocated to technology, privacy and security budgets and staff with technical expertise. According to the study, CEs reported budgets decreased (10 percent) or stayed the same (52 percent). Similarly, most business associates continue to deal with budgets that decreased (11 percent) or stay the same (50 percent).
Source: The Sixth Annual Annual Benchmark Study on Privacy & Security of Healthcare Data
The annual economic impact of a data breach rose over the past six years, as has the frequency of data breaches. Criminal attacks and internal threats were the the leading cause of data breaches in 2016. Evolving cyber-attack threats such as ransomware and malware are of primary concern. Today, the leading cause of a data breach in healthcare is due to hacking and IT incidents, according to HIPAA Journal.
Source: “The Sixth Annual Annual Benchmark Study on Privacy & Security of Healthcare Data.”
“The irony is that information technology and data in healthcare are clearly critical to the mission of providing care, yet data security is an afterthought,” remarks Mac McMillan, chair of the HIMSS Privacy & Security Policy Task Force, writing for HIT Consultant. It is unreasonable to expect your organization to be protected if you have not invested in the proper technologies, policies and procedures.
Among other key findings detailed in the Ponemon report were the statistics relating to the types of cyber-attacks respondents were most concerned about, with Denial of Service (DDoS) listed as the top concern among both CEs and BAs. There was also a notable discussion regarding the types of incidents covered under data breach insurance policies, and the investigative costs and the satisfaction levels CEs and BAs reported with their cyber insurance.
Will You Take a Reactive or Proactive Approach?
As the report concludes, “Once again, criminal attacks are the leading cause of data breaches in healthcare. Internal problems such as mistakes—unintentional employee actions, third-party SNAFUs, and stolen computing devices—account for the other half of data breaches. In 2016, ransomware, malware, and denial-of-service (DOS) attacks are the top cyber threats facing healthcare organizations.”
While the leading causes of data breaches in 2017 and 2018 was due to hacking and IT incidents, the 2016 report’s results were clear: Healthcare organizations were and continue to be in dire need of better protection through technology and security expertise, and a broad application of innovative solutions.
Government programs and policies, from the FDA and the HHS for example, have started to improve the landscape, but have a long way to go. Healthcare data privacy and security continues to be in your hands. Will you join the 30 percent of healthcare organizations that committed to investing more time, money, and resources into proper IT security planning in order to protect your organization’s data?
LightEdge Knows HIPAA Compliance and Security
LightEdge has HIPAA secure data center locations at our Des Moines, Kansas City, Omaha, Austin, and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.
LightEdge offers a free risk assessment from our security team as a free resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:
If you are interested in getting a risk free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. Because LightEdge specializes in high security hosting and HIPAA compliance, our team can help you develop a secure IT infrastructure—ask us how.
If you want to learn more about HIPAA compliance download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.