Have you seen the jaw-dropping statistics from the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data? The independent study commissioned by the Ponemon Institute is confirming what many security professionals have predicted and feared: the majority of healthcare entities in the study have experienced multiple data breaches, and the breached organizations lack money or resources to manage them. Some other statistics reported include the following:
The study surveyed healthcare organizations (think: Anthem, BlueCross BlueShield, etc.) and “business associates,” who are defined as a “personal or entity that performs services for a covered entity that involves the use or disclosure of protected health information.” Surveying both groups gives great insight on security within the healthcare industry as a whole.
Awareness and prevention techniques have increased over the past year, which is evident in many of the other key findings in the study, however, clearly these actions are not enough as the number of organizations breached keeps rising.
What is it going to take for the industry to lower the number of breaches?
The healthcare industry is behind when it comes to breach prevention. Healthcare organizations should take a critical look at their individual dedication to security policies, practices, and strategies. In this blog by Trend Micro, they identify these reasons why the healthcare industry is “behind” in cybersecurity: cost issues and a focus on other elements in day-to-day business.
On the opposite side of the spectrum, cybercriminals are only becoming more sophisticated, which means it is even more important for organizations to be sure to make room for security improvements. Each entity should dive deep and thoroughly examine what is holding it back from investing (literally and figuratively) more in breach prevention practices.
One investment in breach prevention is in security professionals. Breaches could be reduced if organizations employed more technical personnel to train employees, implement programs, and monitor networks.
The survey found 57% of healthcare entities and 51% of business associates have personnel with technical expertise to identify and resolve data breaches. This is only a 3% and 0% increase respectively over the last year.
Security best practices demand continuous, vigilant monitoring; this should be considered mandatory for the healthcare industry. Employing cybersecurity personnel—professionals who are well-versed in training, tools, remediation strategies, and more—is critical for healthcare organizations.
According to this study, security budgets haven’t changed. Around 52% of budgets stayed the same while 10% of budgets decreased. Maintaining security comes at a cost, but studies have shown that remediating a breach is costlier than simply preventing a breach in the first place.
The 2014 Cost of Data Breach Study: Global Analysis found that U.S.-based companies had the largest and costliest breaches, but “having a strong security posture, incident response plan, and CISO appointment reduced the cost per record by $14.14, $12.77, and $6.59, respectively.” Business continuity plans also reduced the cost by an average of $8.98 per stolen record.
The healthcare industry needs to come from behind and catch up with other industries in security standards for the sake of our PHI. And even “catching up” might not be enough. (As we’ve seen in the past few years, large retailers, such as Target and Sony, have been victims of large breaches too.) Even so, healthcare providers and associates need to employ more security professionals and increase budgets to properly protect patients’ data.