Data Breaches Have Occurred in the Majority of Healthcare Organizations
A new study from the Ponemon Institute confirms that most healthcare organizations have been the victims of cyber attacks, placing sensitive patient data such as Social Security numbers and insurance information in the hands of identity thieves and organized criminals. With more and more healthcare organizations turning to managed service providers (MSPs) and cloud-based file sharing to store and administer their substantial number of patient records, healthcare organizations’ third-party vendors are increasingly held responsible for complying with industry standards for data protection.
The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data investigated data breaches among 90 healthcare organizations and 88 of their business associates. Its findings show a shocking increase in cyberattacks and identity theft across the healthcare industry.
Criminal Attacks the Number One Cause of Data Breaches
In the past, the majority of data breaches in the healthcare industry were the result of a loss of assets, including laptops, documents, desktop computers, and flash drives, which were most commonly stolen or lost from an office or personal vehicle.
This year’s study, however, reported that this trend has reversed, with criminal attacks increasing more than 125 percent over the past five years. According to the study, “45 percent of reporting organizations say that the root cause of their breach was a criminal attack, and another twelve name a ‘malicious insider.’” Third parties like MSPs reported that 39 percent of data breaches were due to a criminal attack and ten percent to a “malicious insider.”
Security incidents were by and large the result of criminal activity for both third parties (83 percent) and healthcare organizations (78 percent). Most attacks were conducted via malware. Over the past two years, 87 percent of business associates (BAs) and 65 percent of healthcare organizations (HOs) had experienced a cyber attack, while 41 percent of BAs and 54 percent of HOs experienced a paper-based security attack.
Organized Cybercriminals Increasingly Target Healthcare Data
Criminal organizations are turning their focus towards obtaining healthcare records, which contain much of the information needed to steal identities. Social Security numbers, addresses, and billing information are bought and sold on the online black market to commit fraud and other criminal activities.
Medical identity theft has increased by 22 percent over just the past year. Nearly 2.3 million Americans have been the victims of medical identity theft, which costs individuals an average of $13,500 to resolve. Experts predict that medical identity theft will cost the industry $5.6 billion in 2015.
Implications and Solutions for MSPs
The Ponemon study reveals that it is not only healthcare organizations, but also their third-party vendors that are under attack by cybercriminals. In fact, more BAs than healthcare organizations experienced electronic information-based security attacks over the past two years. Protecting patient information has become one of the core responsibilities of cloud-based MSPs.
Unfortunately, about 50 percent of third-party vendors and healthcare organizations cited a lack of funding and resources when it came to security, and nearly two-thirds do not provide assistance to victims of data breaches.
So, what can MSPs do to protect their businesses and those of their clients?
PFU Systems security expert Carmine Clementelli advises IT professionals to prioritize prevention. MSPs can protect networks from intrusion by vigilantly monitoring who is accessing the network, quickly detecting new viruses and malware, and managing permissions and risks at both the data and subnet levels.