By Kelly A. Briganti, Editorial Director, G2 Intelligence
Last week, we referenced a 2014 study by the Ponemon Institute that estimated the cost of a data breach in the United States at around $200 per record, with healthcare carrying one of the highest per-record costs of any industry. After we went to press, the Ponemon Institute issued a new study this month indicating that criminal attacks on healthcare data have increased 125 per cent since 2010 and are now “the leading cause of data breach” in healthcare, while most organizations are still not prepared to respond to this latest threat to the security of patient health information. “We are seeing a shift in the causes of data breaches in the healthcare industry, with a significant increase in criminal attacks. While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number one cause,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a press release announcing the study.
The study found that over 90 per cent of the healthcare organizations surveyed had experienced at least one data breach in the past two years, and estimated that such breaches cost the healthcare industry $6 billion a year, with an average cost per organization of $2.1 million per breach. Despite these numbers, only 40 per cent of healthcare providers said they were worried about the risk of a cyber attack, and only 33 per cent believed they had “sufficient resources to prevent or quickly detect a data breach.” Another study, from EiQ Networks, which surveyed IT decision makers across industries, including healthcare, about information security, points in the same direction: 62 per cent of the professionals surveyed said their organization had no process, or only a “partial process,” for detecting and responding to security incidents, and only 15 per cent felt their staff were sufficiently prepared to identify and respond to a cyber attack.
The Ponemon study was based on interviews with “senior-level personnel at healthcare providers and business associates”; this latest edition was expanded to include business associates. HIPAA requires both covered entities, such as laboratories, and their business associates to protect patients’ health information. “According to the FBI, criminals are targeting the information-rich healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold,” Ponemon’s press release states. Ponemon’s Fifth Annual Study on Privacy & Security of Healthcare Data can be obtained from the Ponemon Institute.