Criminal attacks become No. 1 cause of data breaches
Healthcare security professionals, listen up: This year, for the first time ever in a Ponemon Institute data breach report, cyberattacks topped the list as the No. 1 cause of healthcare breaches, surpassing all other categories. And the price tag? It's pretty steep.
In its fifth annual privacy and security report, Ponemon officials examined privacy and security trends for both healthcare covered entities and their business associates. And, this year, the criminal attack statistic was telling. In fact, as CEO Larry Ponemon told Healthcare IT News, in the five years the organization has been publishing its annual breach report, criminal activity has grown a whopping 125 percent.
"Historically, the main cause of the data breach was the negligence or incompetence or system glitches within the organization, not necessarily criminal activity," said Ponemon. "This year, criminal activity was the No. 1 cause," with 45 percent of respondents saying criminal attacks were at the root cause of the organization's breach. Second on the list was lost or stolen computing devices at 43 percent. Spear phishing, at 88 percent, and Web-borne malware attacks, at 78 percent, were the highest in the criminal activity category.
Moreover, despite criminal activity topping the cause list, only 40 percent of healthcare security professionals are worried most about cyberattackers. Instead, the lion's share (70 percent) are most concerned with employee negligence.
The report also highlighted the staggering number of breaches healthcare organizations actually experience. We're talking 40 percent of respondents reporting five or more breaches in the past two years. And, as Ponemon pointed out, these groups can expect to pay a pretty penny for them. In fact, the average cost is $2.1 million per organization, collectively costing the industry $6 billion each year.
How organizations are catching breaches
Not by self-discovery. Not at all. Rather by regular audits. Ponemon officials found that 69 percent of healthcare organizations discovered the data breach through an audit or assessment. Some 44 percent were discovered by an employee, and another 30 percent were found through a patient complaint.
So do healthcare organizations have adequate funding and resources to handle this uptick in breaches? Not so much, as Ponemon pointed out. Instead, the findings paint a rather "dismal picture" for funding, as the lion's share – 56 percent of healthcare organizations and 59 percent of BAs – say their incident response process doesn't have adequate funding and resources.