New Study Reveals Majority of Healthcare Organizations Lack Resources to Manage Data Breaches
The “Sixth Annual Benchmark Study on Privacy & Security” by the Ponemon Institute reveals that healthcare organizations have experienced an increased frequency of breaches. Many of them lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes, and other dangers. The study surveyed healthcare organizations and business associates (BA) to get a more in-depth look at the extent of cyber attacks occurring. A business associate is a person or entity that performs services for a covered entity that involves the use or disclosure of protected health information (PHI), according to the U.S. Department of Health & Human Services (HHS).
The results from the study indicate that data breaches could be costing the healthcare industry an estimated $6.2 billion per year. Nearly 90% of healthcare organizations represented in this study experienced a data breach in the past two years, and nearly half, or 45%, had more than five data breaches in the same time period. The majority of these breaches were small, containing fewer than 500 records.
Moreover, over the past two years the average cost of a data breach, according to the study, for healthcare organizations is estimated to be more than $2.2 million – with no healthcare organization, regardless of size, immune from a data breach. Over the past two years, the average cost of a data breach to BAs represented in this research is more than $1 million. Despite this, about half of all organizations have little or no confidence that they can detect all patient data loss or theft.
Criminal attacks (50%) continue to top the list of causes of data breaches in the healthcare industry, with ransomware, malware, and denial-of-service (DOS) attacks leading the cyber threats facing healthcare organizations in 2016. Healthcare organizations and BAs alike are also increasingly concerned about employee negligence, mobile device insecurity, use of public cloud services, and employee-owned mobile devices—all threats to sensitive and confidential information.
Internal problems such as errors — unintentional employee actions, third-party snafus, and stolen computing devices — are also a problem and account for a significant percentage of data breaches (35% of healthcare organizations, 55% for BAs). Even faced with this reality, the study shows that firms are negligent in the handling of patient information. In fact, more than half of the respondents in the survey say they are not vigilant in ensuring partners and third parties protect patient information. They have not invested in the technologies necessary to mitigate a data breach, nor have they hired enough skilled IT security practitioners. In addition, 59% of healthcare organizations and 60% of BAs don’t think or are unsure that their organization’s security budget is sufficient to curtail or minimize data breaches. Similarly, more than half of healthcare organizations, or 56%, do not believe their incident response process has adequate funding and resources.
Study Also Looks at Cyber Liability Insurance for Healthcare Organizations
The study also looked at how many healthcare organizations were purchasing data breach insurance to help address the costs following a cyber attack. According to the study, one-third of healthcare organizations and 29% of BAs have a Cyber Liability insurance policy. Fifty-seven percent (57%) of healthcare organizations and 52% of business associates report they have purchased up to $5 million in coverage. Insurance typically covers external attacks by cyber criminals (56% of healthcare respondents and 57% of BAs) and incidents affecting business partners, vendors or other third parties that have access to the organization’s information assets (48% of healthcare respondents and 52% of BAs). Legal defense and forensics and investigative costs are also most often covered under the policies they purchase. Seventy-one percent (71%) of healthcare respondents and 73% of BAs say their insurance will cover legal defense costs and 65% of healthcare respondents and 68% of business associate respondents say forensics and investigative costs are covered. In addition, when asked what services the cyber insurer provides in addition to cost coverage, most respondents (78% of healthcare and 80% of BAs) say their organization provides credit monitoring services and identity protection services for data breach victims (74% of healthcare respondents and 79% of BAs).
Caitlin Morgan offers Cyber Liability solutions to healthcare organizations and can provide the coverage they need to respond to first and third-party losses. We specialize in insuring nursing homes, assisted living facilities, home healthcare, medical facilities and others, and can assist you with procuring the coverage these insureds need to protect them from the significant costs arising from a breach. Contact us at 877.226.1027.