Update: New Study Credits Criminal Attacks as Source of Most Health Care Data Breaches

As we reported in our April issue, cybersecurity is gaining national attention thanks to notorious data hacks like Sony and Anthem, and now Premera. The President has drawn attention to the issue calling for legislation and sharing of information about security risks and incidents. Our April issue of GCA provided tips for taking action now to avoid cybersecurity incidents and highlighted a 2014 study by Ponemon Institute that estimated the cost of a data breach to be around $200 per record in the United States, with the health care industry having one of the highest costs per record of all industries. The Ponemon Institute issued a new study in May 2015 indicating health care-related criminal attacks on data have increased 125 per cent since 2010 and are “the leading cause of data breach” in health care. Yet, the study also indicates most organizations are still not prepared to respond to this threat to security of patient health information. “We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute in a press release announcing the study. The study involved 90 covered entities and 88 business associates and its findings revealed that over 90 per cent of health care organizations surveyed had at least one data breach over the past two years, and 40 percent had over five breaches in the prior two years. The authors estimated that such breaches create a $6 billion annual cost for the health care industry, with health care organizations incurring average costs per breach of $2.1 million, $1 million for business associates. Forty-five percent of study participants reported that criminal activity was behind their data breach and 12 per cent found “malicious insider” activity behind an attack. While the study reports that the “root cause” of data breaches “is shifting from lost or stolen computing devices to criminal attacks,” “employee negligence remains a top concern when it comes to exposing patient data.” Seventy per cent of participants indicated that employee negligence was their top concern, and the authors attribute this concern to the fact that many incidents involve not just lost or stolen devices but also malware attacks and phishing, which relate to employee failure to follow security procedures. Despite these numbers, the study found that only 40 per cent of health care providers were worried about the risk of cyber attack and only 33 per cent believed they had “sufficient resources to prevent or quickly detect a data breach.” Another study, from EiQ Networks that surveyed IT decision makers across industries, including health care, about information security, backs up these findings. That survey noted that 62 per cent of the professionals surveyed felt their organization had no process or only a “partial process” for detecting and responding to security incidents and only 15 per cent felt their staff were sufficiently prepared to identify and respond to a cyber attack. This latest Ponemon study involved interviews of “senior-level personnel at healthcare providers” and expanded its scope to encompass business associates as well. HIPAA requires both covered entities such as laboratories and their business associates to protect patient’s health care information. “According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold,” Ponemon’s press release indicates. Ponemon’s Fifth Annual Study on Privacy & Security of Healthcare Data can be obtained here.

Takeaway: This latest study emphasizes that the health care industry faces a significant threat to security of patient information and laboratories and other health care organizations need to ramp up efforts to protect patient information.