Most healthcare organizations have been hit by multiple data breaches, but providers and others lack enough means to manage cybersecurity threats, according to a new Ponemon Institute report.
The institute's sixth annual Benchmark Study on Privacy and Security of Healthcare Data, sponsored by ID Experts, revealed that of 91 surveyed HIPAA-covered entities and 84 business associates that handle patient data, 89% suffered healthcare data breaches.
About half of the healthcare data breaches were caused by criminal cyberattacks, a significant increase since the surveys began six years ago and an indication of the high black-market value of patient health records.
While most of the healthcare data breaches were relatively small, containing fewer than 500 records, "some of these breaches can be very large and very costly, and these organizations don't have the resources, budget, staff or in-house expertise to actually have a strong security posture," Larry Ponemon, chairman and founder of the institute, based in Traverse City, Mich., told SearchHealthIT.
"The healthcare industry is viewed as a soft target," Ponemon added. "It's a perfect storm for insecurity and an opportunity for cybercriminals."
The May 2016 Ponemon study comes amid a flurry of other surveys and reports about the mushrooming wave of healthcare data breaches, including IBM's 2016 Cyber Security Intelligence Index, which reported that healthcare supplanted financial targets last year as the industry with the most data breaches.
Healthcare data breaches expensive
The Ponemon report, which covers 2014 and 2015, found the estimated average cost of a data breach to healthcare organizations was more than $2.2 million. For business associates that handle protected health information, the cost was more than $1 million.
The report authors also looked ahead to the top cyberthreats facing healthcare organizations and business associates in 2016: ransomware, malware and denial-of-service attacks.
Meanwhile, the survey found healthcare organizations and business associates are significantly concerned about employee negligence, mobile device insecurity, use of public cloud and employee-owned devices, and also are increasingly worried about mobile app security.
Ransomware on the rise
As for ransomware -- perhaps the most feared current form of cyberattack in healthcare -- it differs from breach-causing attacks in that it poses a direct threat to patient care and safety, Ponemon noted.
When ransomware attackers encrypt and lock up provider computer systems, as they recently did at MedStar Health System in Washington, D.C., and Hollywood Presbyterian Medical Center in Los Angeles, they essentially prevent the hospital from treating patients.
While organizations can try to head off such attacks by whitelisting or blacklisting known ransomware programs, or using other preventive measures, those strategies usually have limited success, said David Ross, vice president and general manager of commercial cyber services at General Dynamics Corp., based in Falls Church, Va.
"Many healthcare organizations really neglect the recovery phase," Ross said. "Hospitals and healthcare organizations have to decide how much time they can afford to not be in business. Is it an hour, a day, a week?"
Healthcare organizations should also set policies on such controversial issues as whether to pay cyber ransoms. Many ransomware victims pay to have their data unlocked, treating the payment as a business expense, Ross noted.
"That's a philosophical question for the organization," he said.
Business associates bound by HIPAA
As for business associates, which were included in the Ponemon study for the first time last year, many don't even know they are now covered under HIPAA and are subject to audit by the Department of Health and Human Services' Office for Civil Rights (OCR), noted Rick Kam, president of ID Experts, based in Portland, Ore.
One area OCR has indicated it will examine in audits is whether business associates have negotiated and signed business-associate agreements with healthcare organizations whose data they handle. Business associates can include cloud hosting services, insurers, claims processors, infusion centers and medical device companies.
"In many cases, they're finding they haven't been," Kam said, referring to the mandatory agreements.
No Sarbanes-Oxley for healthcare
Kam also noted that healthcare has no equivalent to the stringent personal-liability framework that the Sarbanes-Oxley Act imposed on public companies, under which the CEO and CFO must certify that the financial data they report is accurate.
"So, in the case of healthcare, we have a wonderful foundation with the HIPAA and HITECH security and privacy rules," Kam said. HITECH is a 2009 law that created the meaningful use program for EHRs and required healthcare organizations to do security risk analyses.
"We only need the CFO to sign off on the fact that they did review the risk analysis and had applied resources to putting an appropriate security plan in place," Kam said. "Either we'd see a lot of CFOs in jail, or a major improvement in security."