For six years, Ponemon Institute has released its annual benchmark study on privacy and security of healthcare data. This year's report indicates cyberattacks remain top of mind for healthcare organizations, but internal negligence is still a major concern.
The study gathered responses from 175 healthcare organizations and business associates from March to April 2016.
Here are eight key findings from this year's study.
1. Interestingly, healthcare covered entities and business associates are quick to place much of the blame for healthcare being a targeted industry on the other group. When asked why healthcare and business associates believe they have a target on their backs, 51 percent of covered entities said healthcare organizations are not vigilant in ensuring their partners and other third parties protect patient information, while 32 percent of business associates said the same. On the other hand, 54 percent of business associates said healthcare employees are negligent in the handling of patient information, while 35 percent of covered entities said the same.
2. The increase in industry breaches spurred organizations to enhance cyber defenses. Sixty-one percent of covered entities and 53 percent of business associates said they have become more vigilant in ensuring partners have the necessary precautions in place to safeguard information. Fifty-eight percent of covered entities and 55 percent of business associates have increased investments in technology to help mitigate breaches.
3. Covered entities most worry about employee negligence as a security threat (69 percent), followed by cyber attackers (45 percent), mobile device insecurity (30 percent), use of public cloud services (29 percent) and malicious insiders (24 percent). Responders were permitted to select up to three responses.
4. Business associates also most worry about employee negligence as a security threat (53 percent), followed by use of public cloud services (46 percent), cyber attackers (#6 percent), mobile device security (35 percent) and malicious insiders (28 percent). Responders were permitted to select up to three responses.
5. Most healthcare organizations are concerned about denial of service attacks against their organizations (48 percent), followed closely by ransomware attacks (44 percent). Malware, phishing, advanced persistent threats, rogue software and password attacks followed.
6. Of healthcare organizations that have an incident response plan, 60 percent said they allocate between 10 and 20 percent of their security budget to data breach response, and 30 percent said they allocate between 10 and 20 percent of their privacy budget to data breach response.
7. Of the surveyed organizations, 89 percent experienced at least one breach involving the loss or theft of patient data in the past two years; 45 percent suffered more than five breaches.
8. The average costs of a data breach for healthcare organizations is approximately $2.2 million, but 47 percent or organizations reported having little or no confidence that they can detect patient data loss or theft.
"In the last six years of conducting this study, it's clear that efforts to safeguard patient data are not improving," said Larry Ponemon, PhD, chairman and founder of Ponemon Institute, in a statement. "Negligence — sloppy employee mistakes and unsecured devices — was a noted problem in the first years of this research, and it continues. New cyber threats, such as ransomware, are exacerbating the problem."
More articles on data breaches:
Data breach at Iowa hospital affects 1,620
13 latest data breaches
Healthcare data breaches and where to go from here: 9 report takeaways