The Ponemon Institute has recently released its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study has included business associates for the past two years. This year's study included information received from 91 covered entities and 84 business associates, which gives a good indication of the risk of breaches caused by third parties.
The study estimates the costs associated with data breaches to the health care industry at up to $6.2 billion. The survey results show that up to 90 percent of the healthcare organizations in the study suffered a data breach in the past two years, and almost half of them suffered more than 5 data breaches during that same period. Although most of the breaches involved data of fewer than 500 individuals, the message is clear: healthcare organizations continue to be a target.
The results of the study show that the average cost of a data breach for a healthcare organization is $2.2 million. The average cost of a data breach to a business associate is more than $1 million. According to the study, “Despite this, about half of all organizations have little or no confidence that they can detect all patient data loss or theft.” And although health care organizations have increased their budgets for data security, most of them still don’t have a sufficient budget to combat the problem.
The leading cause of data breaches in the healthcare sector is criminal attacks. This is evidenced by the recent incidents of malware and ransomware that have been in the news. According to the results of the study, 50 percent of health care organizations said the cause of the data breach was a criminal attack, and 13 percent said it was caused by a malicious insider.
Among business associates, 41 percent confirmed that a criminal attacker caused the data breach, and 9 percent said it was due to a malicious insider.
The primary forces behind the data breaches were ransomware, malware and denial-of-service attacks. Secondary causes include employee negligence, mobile devices, cloud service providers and BYOD. These internal issues and employee actions were identified as the cause of a data breach by 36 percent of healthcare organizations and 55 percent of business associates.
The bottom line? Healthcare organizations are still at high risk of cyber intrusions and employee neglect that can cause a data breach. They may wish to consider continuing to invest in data security measures and employee training to combat these ongoing issues. Vendor management and employee training are key to managing these risks.