
Healthcare orgs complacent as hackers get more sophisticated



Hackers seeking access to healthcare records are getting more aggressive and sophisticated, but most healthcare organizations are not increasing their IT security budgets to meet the threat, according to the results of the sixth-annual Benchmark Study on Privacy & Security of Healthcare Data.

Fifty-two percent of the healthcare organizations and 50 percent of healthcare business associates surveyed by Traverse City, Michigan-based Ponemon Institute said they had not increased their cybersecurity budgets in the last year. In fact, 10 percent of healthcare organizations and 11 percent of business associates decreased their security budgets.

“The healthcare industry is under attack,” said Larry Ponemon, chairman and founder of the research think tank focusing on privacy and data protection. “But it really hasn’t moved the needle all that much.”

While they’re not investing more in security, 57 percent of healthcare organizations and 52 percent of business associates report having insurance policies that will cover at least $5 million worth of breach-related costs.

Criminals are getting more inventive and brazen, as witnessed by the hackers who held the data at Hollywood Presbyterian Medical Center for ransom after accessing it from connected medical devices. But healthcare is still struggling with breaches caused by employee negligence and having hackers gain access to sensitive data through a worker’s failure to follow security procedures or use of an unsecured mobile device or public cloud service.

When asked their main security concern, 69 percent of healthcare respondents said negligent or careless employees, 45 percent said cyber attackers, and 30 percent said staff using insecure mobile devices. The concern is well-founded, as 36 percent of healthcare organizations and 55 percent of business associates named unintentional employee action as the cause of a breach.


Ponemon noted that, in healthcare, the focus is on treating patients and clinicians are under tremendous pressure to “get the job done,” so sometimes there is an odd tradeoff where people have to balance between productivity and ensuring that all security protocols are followed.

Accountability for breaches appears to be missing, as 41 percent of healthcare organizations blamed a third party for a breach, as did 52 percent of business associates.

Rick Kam, president of Portland, Oregon-based ID Experts, which sponsored the study, said he was a bit surprised by the “finger pointing” going on between organizations, business associates and third-party vendors over who was at fault.

“I thought everybody was in the same boat,” Kam said.

A tide of criminal activity is raising those boats. The percent of breaches connected to cybercrime has increased to about 50 percent this year from 40 percent last year and 20 percent the year before, Kam said.

“The bad guys get in and use network administration tools to map out where the assets in an organization are, such as the electronic medical record system, billing system and insurance claims,” Kam said, adding that criminals then encrypt the data, rendering it impossible to access. “When users can’t get access, criminals provide the key — for a price.”

Almost 90 percent of the healthcare organizations surveyed had been the victim of a data breach in the past two years. Most breaches are still small and involve the breach of fewer than 500 records, but 45 percent have had more than five breaches in the last two years.

The Department of Health and Human Services Office for Civil Rights maintains a cyber “wall of shame” listing more than 15,500 data breaches involving at least 500 records. With so many breaches occurring, Ponemon said the shame “doesn’t stick” anymore.

Breaches cost organizations a little over $1 million a year, Ponemon said. He explained that, large or small, the expenses add up, as there are investigative and remediation costs, legal fees, supportive service to victims and labor expenses involved.

The survey included data from 91 healthcare organizations and 84 business associates of healthcare organizations.

Photo: Andrew Harrer/Bloomberg via Getty Images