The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, presented by the Ponemon Institute, reveals that although the majority of healthcare organizations are fully aware of the significant risk posed by cyber security issues, and indeed have faced a data breach at one time or another, most are not prepared to protect patient data and address the evolving cyber landscape. The 2015 study included responses from healthcare organizations as well as business associates, defined as a “person or entity that performs services for an organization involving the use or disclosure of protected health information (PHI).”
The Ponemon study estimates that data breaches could be costing the healthcare industry $6 billion, with more than 90% of healthcare organizations reporting a data breach, and 40% experiencing five data breaches over the past two years. Moreover, according to the report, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million – with no healthcare organization, regardless of size, immune from data breaches. The average cost of a data breach to business associates represented in the report is more than $1 million. Even with all these incidents, 50% of all healthcare organizations have little or no confidence in their ability to detect all patient data loss or theft, according to the report.
To address these incidents, healthcare organizations need to respond quickly to data breaches, and in order to do so they must invest in technology, the report finds. Based on the study’s respondents, 58% of healthcare organizations stated that policies and procedures are in place to effectively prevent or quickly detect unauthorized patient data access, loss or theft. But less than half (49%) agreed they have sufficient technologies. Furthermore, only 33% agreed they have sufficient resources to prevent or quickly detect a data breach, and slightly more than half (53%) of organizations have personnel with the necessary technical expertise to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data.
Business associates are also in the same boat, with less than half (43%) saying they have sufficient technologies in place to detect a breach.
Among the concerns involving data breaches, employee negligence or carelessness tops the list, with 70% of respondents citing this issue, followed by cyber attackers (40% of respondents) and the use of public cloud services (33%). Insecure mobile apps and insecure medical devices are seen as the least problematic (13% and 6% of respondents, respectively). When looking at the number of incidents that occurred, it becomes obvious why employee negligence is such a great concern: ninety-six percent of respondents said they had an incident occur because of a stolen or lost device, followed by spear phishing (88%), web-borne malware attacks (78%), exploitation of an existing vulnerability more than 3 months old (54%), and exploitation of an existing vulnerability less than 3 months old (45%), among others. Business associates are also worried about employee negligence.
The study also revealed that most healthcare organizations have an incident reporting process in place; however, they lack sufficient funding and resources to make it effective, and they realize this has to change.
Beyond additional resources and stronger cyber security measures to detect breaches much faster, Cyber Liability insurance coverage is a must for healthcare organizations and their business associates. Caitlin Morgan specializes in securing insurance programs for medical facilities and can provide you with assistance in tailoring a Cyber policy for your clients. Just give us a call at 877.226.1027.