Cybercriminals and nation-state actors are indeed targeting healthcare organizations for their valuable data: cyberattacks and physical criminal activity have now officially surpassed insider negligence as the main cause of data breaches at healthcare organizations.
The Ponemon Institute's new Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published today, found that close to 45% of all data breaches in healthcare are due to criminal activity such as cybercriminal and nation-state hacks, malicious insiders, and physical theft, a 125% increase in such activity over the past five years. That's a first, since employee or insider negligence -- user errors, lost laptops and thumb drives, etc. -- accounted for the majority of breaches last year and in years past, according to Ponemon.
More than 90% of the healthcare organizations surveyed by Ponemon for its report have suffered at least one data breach exposing patient data over the past two years, while 39% had been hit by two to five breaches, and 40% had suffered more than five breaches during that timeframe. Security incidents (without an actual data breach) occurred at 78% of healthcare organizations.
About 45% of those breaches came via criminal attacks; 43% by lost or stolen computing devices; 40% via employee mistakes; and 12% via a malicious insider.
The cost of all of this healthcare breach-mania? Some $6 billion per year, with an average cost of $2.1 million per healthcare organization, according to the report, which was commissioned by ID Experts.
"For the first time, criminal attacks constitute the number one root cause of data breaches, versus user negligence/incompetence or system glitches," says Larry Ponemon, chairman and founder of Ponemon Institute. "Ninety-one percent had one or more breaches in the last two years, and some of these are tiny, less than 100 records, but they are still not trivial."
Healthcare organizations also are regularly battling security incidents, such as malware infections. Some 65% say they were hit with cyberattacks in the past two years, and half suffered paper-based security incidents. They're not confident in their incident response capabilities, either, with more than half saying their IR isn't adequately funded or staffed. And one-third don't have an IR plan at all.
Lost and stolen devices were a problem at 96% of healthcare organizations in the study, as was spear phishing (88%).
The report also surveyed business partners and associates of healthcare organizations. Nearly 60% of these businesses -- patient billing, claims processing, health plan, and cloud services, for example -- had been hit by data breaches; 14% of them had suffered two to five breaches, and 15% more than five, during a two-year period. More than 80% of them were hit by Web-based malware attacks.
Rick Kam, president and co-founder of ID Experts, says the bad guys are going after healthcare records because they are so valuable. While a stolen credit card can go for a dollar or less in the underground, a patient's pilfered health credentials can bring in as much as $10, according to some experts.
"Data breaches like Anthem's are rare events," Ponemon says. "The types here in this report are mostly smaller-sized breaches."
The bad guys are after insurance information for insurance fraud, as well as employee data from the healthcare providers. "We've seen a huge increase in" abuse of employee data, ID Experts' Kam says. "In the last month and a half, we've seen a 100% increase in tax fraud."