Patient data is under siege and hospitals are big targets for cyber attacks, according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute and sponsored by ID Experts.
For the second year in a row, the study reveals that criminal attacks are the leading cause of data breaches in healthcare - up five percent to 50 percent this year.
Mistakes, unintentional employee actions, third-party snafus, and stolen computer devices are cited as the root cause of the other half of data breaches.
The findings indicate that many healthcare organizations and their third parties (business associates or BAs) are negligent in the handling of sensitive patient information.
They also lack the budget, people resources, and expertise to manage data breaches caused by employee negligence and evolving cyber threats, including the newest threat cited for 2016: ransomware.
Data breaches in healthcare are costing the industry $6.2 billion, according to the report. They remain consistently high in volume, frequency, impact, and cost, and have yet to decline since 2010, despite a slight increase in awareness and spending on security technology.
While recent large healthcare data breaches have heightened the industry's awareness of the growing threats to patient data and have led to an improvement in security practices and policy implementation, respondents say that not enough is being done to curtail or minimize the risks. Nearly half of healthcare organizations, and more than half of BAs, have little or no confidence that they can detect all patient data loss or theft.
Dr Larry Ponemon, chairman and founder, Ponemon Institute, said: "In the last six years of conducting this study, it's clear that efforts to safeguard patient data are not improving. More healthcare organizations are experiencing data breaches now than six years ago.
"Negligence - sloppy employee mistakes and unsecured devices - was a noted problem in the first years of this research and it continues. New cyber threats, such as ransomware, are exacerbating the problem."
Rick Kam, CIPP/US, president and co-founder of ID Experts, added: "This is about real people and the exposure of their sensitive information. The lack of accountability is a big issue in the healthcare industry, with a lot of finger pointing going on.
"To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures."