A new study by the Ponemon Institute finds that criminal attacks, rather than accidents or technological failures, are the leading cause of data breaches. The report finds that cyber-criminals are increasingly targeting health care providers and business associates for the vast amounts of personal data held by these entities, and that these attacks are costing the health care system potentially billions of dollars.


For the past five years, the Ponemon Institute has conducted a study of privacy and security trends of patient data in the health care industry. In its 2015 report, the Institute found, for the first time, that criminal cyber-attacks, such as web-borne malware attacks, were outpacing lost and stolen devices as the leading source of data breaches. In fact, Ponemon estimates that these attacks are up 125% from five years ago, while medical identity theft has nearly doubled in that time period. The Institute writes that “cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) health care organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.”

The Institute also found that employee negligence remains a considerable risk to personal information held by health care organizations and business associates, as approximately 95% of respondents to the study reported a security incident involving a lost or stolen device.

These attacks are extremely costly to health care organizations and consumers alike. Using the average cost of a data breach experienced by the health care organizations involved in its study, the Institute estimates that data breaches are costing the health care industry $6 billion a year.

The Ponemon Institute study underscores the fact that, whether or not they must comply with HIPAA, all health organizations that maintain personally identifiable information are at risk of a data breach arising from a cyber-attack. HIPAA requires covered entities and business associates to undertake regular risk assessments to identify areas of potential vulnerability and assess the organization’s compliance with the Security Rule. The Institute, however, concludes that entities of all sizes are not investing sufficient resources in technologies to adequately protect personal health information.

The study can be downloaded at this link.

Covington Digital Health Team

Stakeholders across the healthcare, technology and communications industries seek to harness the power of data and information technology to improve the effectiveness and efficiency of their products, solutions and services, create new and cutting-edge innovations, and achieve better outcomes for patients. Partnering with lawyers who understand how the regulatory, IP, and commercial pieces of the digital health puzzle fit together is essential. Covington offers unsurpassed breadth and depth of expertise and experience concerning the legal, regulatory, and policy issues that affect digital health products and services. To learn more, click here.