Late last year, Gemalto released a report that found that the health care industry leads the way in data breaches. As Healthcare IT News reported then:
The key finding is perhaps that the healthcare industry had 34 percent of its total records breached, amounting to 84 million data records compromised, the highest rate of any industry. Government accounted for the second highest rate of breaches at 77.2 million records lost, or 31.4 percent.
I bring up last year’s numbers because a new report from Ponemon Institute shows the seriousness of cybersecurity failures in the health care industry. According to the study, an overwhelming number of health care organizations – 89 percent – admit they were the victim of a data breach, and half of those attacks are caused by cybercriminals, an increase of 5 percent from last year’s report. The other half are from the usual suspects – employee mistakes, stolen or lost devices, and third-party issues.
Also, we’re seeing that the health care organizations continue to struggle with security issues even after they’ve been breached: Seventy-nine percent of organizations claim they have been breached twice and nearly half said there have been multiple breaches.
I suspect health care cybersecurity is going to get worse before it gets better. It’s not just about data breaches. It’s about ransomware that is shutting down hospital computer systems and slowing down or preventing care. It’s about the rising number of medical devices that rely on Internet connections that can be manipulated. As Dylan Sachs, director of Identity Theft and Anti-Phishing efforts at BrandProtect, said to me in an email comment:
We’ve recently witnessed a wave of elaborate attacks designed specifically to penetrate health care organizations. It seems clear that security measures must evolve to include aggressive, proactive monitoring for suspicious activities outside traditional security perimeters. This approach can provide early warnings about potential spearphishing, ransomware, or other BEC attacks and allow organizations to take immediate steps to mitigate risk and stop the threats.
I agree with the opinion of Craig Kensek, security expert with Lastline, who told me that if we want to improve health care security, it has to be a coordinated effort between health care organizations. Every doctor who sends/receives patient records is a potential source of data loss, either where data is stored or while it’s in transit.
What concerns me is that this is Ponemon’s sixth study of the security and privacy of health care data and things seem to be getting worse. Despite how much more we’ve learned about the need for better security practices and how often this industry has been targeted by cybercriminals, there has been no decline of the number of breaches – or the money lost because of them. The reason for this? Rick Kam, CIPP/US president and co-founder of ID Experts, which co-sponsored the report, may have the answer, stating in a release about the study:
The lack of accountability is a big issue in the healthcare industry, with a lot of finger-pointing going on. To get a better handle on internal data threats, healthcare organizations can start by getting back to basics with employee training, mobile device policies, regular data risk assessments, and enforceable internal procedures.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba.