A new Ponemon Institute report (Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data) has found that criminal attacks have become the main cause of health care data breaches for the first time.
“Criminal attacks on healthcare organizations are up 125% compared to five years ago”, Ponemon notes, and “45% of [breached] healthcare organizations say the root cause of the data breach was a criminal attack”.
Among the report’s other findings:
- 65% of health care organizations experienced electronic information-based security incidents over the past two years.
- Web-borne malware attacks caused security incidents for 78% of health care organizations.
- More than 90% of health care organizations had a data breach, and 40% had more than five data breaches over the past two years.
- The average cost of a data breach for health care organizations is estimated to be more than $2.1 million.
- Data breaches could be costing the health care industry $6 billion.
- Despite the statistical evidence of increasing threats, organizations are not changing their security behavior: only 40% of health care organizations are “concerned about cyber attackers”.
The report concludes that “[even] though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.”
The Health Insurance Portability and Accountability Act (HIPAA)
Information security is a legal as well as a moral obligation for health care organizations, which are bound by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Administrative Simplification rules, including the Privacy Rule and the Security Rule, regulate the use and disclosure of Protected Health Information (PHI) by covered entities.
HIPAA covered entities can manage the security of the information they hold systematically by implementing an information security management system (ISMS), as specified by the international best-practice standard ISO 27001.
Because an ISO 27001 ISMS is risk-based and covers the whole organization rather than individual systems, it can be used to address the information security requirements of HIPAA (in particular the Security Rule) through an auditable management system designed for continual improvement.
Because the ISMS is built around a documented risk assessment and a set of controls selected to treat the identified risks, much of the work done for ISO 27001 registration can be mapped onto other related legislative and regulatory frameworks, although registration does not by itself constitute compliance with any of them; a covered entity must still carry out the risk analysis and meet the specific standards that HIPAA requires. In addition, the external validation offered by ISO 27001 registration is likely to improve an organization's cybersecurity posture while providing a higher level of confidence to customers and stakeholders, which is essential for securing certain global and government contracts.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
Medical identity theft has nearly doubled in the last five years, from 1.4 million adult victims to over 2.3 million in 2014. Civil monetary penalties (CMPs) for HIPAA violations can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for violations of an identical provision, and criminal penalties can incur fines of up to $250,000 and ten years' imprisonment.
Organizations that have publicly announced health care data breaches so far this year include Partners HealthCare, Oregon’s Health CO-OP, Saint Agnes Health Care Inc., Seton family of Hospitals, Indiana State Medical Association, Amedisys, Premera Blue Cross, LifeWise, Advantage Dental, Anthem, Lone Star Circle of Care, UMass Memorial Medical Group, California Pacific Medical Center, St Peter’s Health Partners, the US Postal Service, and TRH Health Plan.