The $6 Billion Medical Liability Epidemic: Data Breaches

June 15, 2015

Cybercriminals are out to get the healthcare industry.

Healthcare facilities and professionals are facing a surge in data breaches, security incidents and criminal attacks that are exposing millions of patients’ medical records to abuse and medical providers to liability.

Perhaps the scariest trend is that the cyber attacks within the medical field are increasingly the result of criminal activity rather than accidents or human errors.

Data breaches are costing the healthcare industry $6 billion annually, while the average economic impact of data breaches per organization is $2.1 million, according to the most recent benchmark study on healthcare privacy and security conducted by the Ponemon Institute and sponsored by ID Experts.

The study found that criminal attacks in healthcare are up 125 percent since 2010 and are now the leading cause of data breach, with nearly 45 percent of data breaches in healthcare a result of criminal activity.

Unprepared

Few healthcare firms are immune. Nearly 90 percent of healthcare providers suffered breaches in the past two years, half of them criminal in nature, the report found.

Medical files, as well as billing and insurance records, are the top stolen targets.

“While employee negligence and lost/stolen devices continue to be primary causes of data breaches, criminal attacks are now the number-one cause,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.

Yet, according to the study, only 40 percent of healthcare organizations are concerned about cyber attacks.

The findings also show that most healthcare organizations are unprepared to address this cyber threat environment.

All healthcare organizations, regardless of size, are at risk for data breach. Ninety-one percent of healthcare organizations had one data breach; 39 percent experienced two to five data breaches; 40 percent had more than five over the past two years. In comparison, 59 percent of their business associates experienced data breaches.

According to the FBI, criminals are targeting the healthcare sector because personal, credit and protected health information are accessible in one place, which translates into a high return when sold.

The size of an organization is no shield against a breach because patient data can be easily transmitted and exposed, says ID Experts.

Those especially vulnerable include healthcare organizations such as hospitals, clinics and private or public healthcare providers, along with their business associates, which include patient billing, health plans, claims processing, and cloud services.

Small- to middle-market organizations are at greater risk for data breach as they have limited security and privacy processes, personnel, technology, and budgets, the report says.

Medical organizations say they lack the resources to fight the cyber epidemic. More than half of healthcare organizations and half of their business associates don’t believe their incident response process has adequate funding. One-third of respondents don’t even have an incident response process in place. The majority of them fail to perform a risk assessment for security incidents, despite a federal mandate to do so.

Incident Reporting

There are many more security incidents than data breaches. Under federal law, all security incidents need to be assessed to determine if they are data breaches that require reporting. The study indicates that organizations are not thoroughly assessing their security incidents. In fact, one-third do not have an incident response process.

“A breach is a breach, no matter how small. Whether 5,000,000, 5,000, or 50 individuals are affected, the impact to each and every person is a big deal,” said Rick Kam, co-founder of ID Experts. “How many more individuals could be at risk due to unreported data breaches?”