Breaches 05-15-2015

Criminal Hacks Are the Main Cause of Healthcare Breaches, Study Says

Ashley Call

The results of the Ponemon Institute’s recent study, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, reinforce what we already knew about healthcare data breaches—they’re rising. The Ponemon Institute reveals that “more than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years.” Very few healthcare companies have never experienced a breach.

Although many experts have pointed to the healthcare industry’s lack of security infrastructure as the leading cause of increasing hacks, this study by the Ponemon Institute argues that lack of infrastructure may no longer be the leading cause of healthcare data breaches. As the study puts it: “For the first time, criminal attacks are the number one cause of data breaches in healthcare.” With a 125% increase in criminal attacks against healthcare organizations within the past 5 years, the need for security improvements in the healthcare industry is pressing.

Why Hackers Are Targeting Healthcare Data

The Ponemon Institute’s study points out that cyber criminals are targeting the healthcare industry for two main reasons, namely that:

1. “Healthcare organizations manage a treasure trove of financially lucrative personal information”:

According to this article by the ICIT, healthcare industries are a target for hackers because the sensitive information they maintain (e.g., insurance IDs, social security numbers, medical records, and contact information) can be sold for up to 20x more money than credit card information alone. The value of the data stored by healthcare organizations makes these organizations a desirable target for many hackers.

2. “Healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.”

As we wrote in an earlier blog post after the Anthem breach, Avivah Litan (Gartner cybersecurity analyst) has said that the healthcare industry is estimated to be 10 years behind other industries in terms of data security. Furthermore, the Ponemon Institute reports that only 49% of healthcare organizations reported that they have “technologies to effectively prevent or quickly detect unauthorized patient data access, loss or theft,” and only 33% have “resources to prevent or quickly detect unauthorized patient data access, loss or theft.”

While Consequences Are High, Awareness Leads to Solutions

Each data breach, the Ponemon Institute estimates, costs more than $2.1 million, and collectively the industry spends $6 billion to recover from these devastating data hacks. In addition to the damage these hacks do on the organizational level, individuals also suffer as they spend an average of $13,500 to recover their credit, repay their health providers, and correct inaccuracies in their health records. The collateral damage caused by a breach in the healthcare industry is arguably much greater than a breach in any other industry.

Just as lack of security isn't tolerated in other industries, the healthcare industry has the responsibility to secure its data. Despite all that has been revealed in the Ponemon Institute’s study, increased awareness can only contribute to improved security for the healthcare industry.

We will see the vulnerability of healthcare companies decrease and the defense against hackers grow stronger as healthcare companies become more aware, shift priorities, and begin investing in better security technologies and practices. As an infosec leader, DigiCert believes data security should be the highest priority in every industry. It is time for healthcare to catch up with other industries to ensure these information breaches become a thing of the past.
