Ponemon Webinar Highlights – Healthcare Data is Under Attack

Posted: Jun 01, 2015

A webinar to discuss the findings of The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data highlighted that healthcare data is becoming targeted by criminals more frequently than ever as patient data becomes a high value commodity on the black market. The benchmark study collected information from 90 organizations, including both covered entities and business associates.

The hosts of the webinar, Dr. Larry Ponemon of the Ponemon Institute, and Rick Kam of ID Experts, outlined the top threats targeting healthcare data, and the challenges faced by covered entities and their business associates.

The study found criminal attacks increased by 125% in the last five years, and are now the leading cause of data breaches in healthcare. The FBI reported that ePHI records can be sold for $50-$70 per record, whereas SSN and credit card details fetch less than $1, making patient information increasingly appealing as a target.

The panel stated that the number of attacks to obtain patient data for the purpose of committing medical and financial ID theft is predicted to rise in line with the huge increase in criminal attacks over the last 5 years – medical ID theft has already increased by 20% during this period.

Despite the increase in attacks, most organizations are unprepared to address new threats and lack adequate resources to protect patient data.

Both covered entities (CEs) and business associates (BAs) were confident that they had resources in place to prevent or quickly detect unauthorized access to patient data; however, less than half agreed that they had sufficient technologies.

More concerning was that even though 65% of healthcare organizations reported multiple instances of breaches in the past two years involving the exposure, theft or misuse of patient data, more than half of all respondents were relying on ad hoc or manual processes to assess risk following a data breach.

Rick stated: “Organizations that rely on ad hoc and manual processes may end up being overrun with persistent attacks” and further commented that “BAs may be slower to take action as they have not been regulated by HIPAA for as long as healthcare providers.”

In terms of which security threats worry healthcare providers and their business associates the most, employee negligence remains the greatest concern, with cyber attacks, use of public cloud services, insecure mobile devices and BYOD making up the rest of the top 5.

The concerns about employee negligence were justified, as lost or stolen devices remain the main cause of data breaches. This figure was over 95% for both CEs and BAs. The increase in device usage and BYOD has no doubt contributed to this – the more devices there are, the more devices there are to lose.

Spear phishing and malware attacks were also cited as major concerns, and it was noted that several large attacks on business associates over the last few years were due to security details being compromised.

When it comes to the percentage of the security and privacy budget allocated to incident response at healthcare organizations, the majority was spent on privacy (20-40%), with security receiving only 10%. More than half of all respondents stated that more funding and resources are needed to make incident response effective.

This was made clear in the section of the report that followed, which focused on how many breaches had occurred within the last two years. There was a huge disparity in the responses to this question between CEs and BAs: while just 9% of CEs reported zero breaches during this period, 41% of BAs reported zero. Rick queried whether BAs, whom he considers to be more susceptible to risk, were fully aware of what constituted a breach.

The vast majority of breaches were discovered during an audit or assessment, or by an employee. After the highly publicized Target and Anthem breaches, many organizations performed audits, which discovered previously undetected breaches. Fortunately, less than a third of respondents reported a patient, a legal complaint or law enforcement as the reason for breach discovery.

Root causes for data breaches varied between CEs and BAs. CEs reported the root causes as criminal attacks (45%), lost or stolen devices (43%), unintentional employee action (40%) and third-party snafu (39%). BAs reported far higher figures for unintentional employee action (51%) and third-party snafu (49%), with criminal attacks at 39% and lost or stolen devices at 35%.

Again, Rick highlighted that some BAs may not have been aware that the root cause of a breach was a criminal attack. He went on to state that many organizations think cyber attacks only happen to large organizations, when in reality an organization of any size can, and probably will, be a target.

Medical files were successfully targeted most often at healthcare organizations, followed by insurance and billing records and payment details. Business associates reported that insurance and billing records were the most frequent target, followed by billing and medical files.

Overall, the study highlights that criminals have recognized how valuable patient data is, and implies that they will continue to target it. The report also confirms a need to provide more training for staff to help prevent employee negligence breaches.

Ultimately, if the pace of investment is not fast enough to catch up with threats, we will continue to see more and more breaches occurring.