2015 has been called the “Year of the Healthcare Data Breach,” and the year is only half over. The average cost of a data breach in healthcare is $5.9 million, higher than in any other industry. The 2015 HIMSS Cybersecurity Survey recently revealed that 68% of healthcare organizations experienced a significant security incident in the past year. Cybersecurity was identified as an increased priority in 87% of organizations, as cyber attacks become more common.
2015 has often been cited as the “Year of the Healthcare Data Breach,” and sure enough the data for the year has been supporting this. The average cost of a data breach is higher in healthcare than in any other industry, now up to $5.9 million per breach. With healthcare data breaches on the rise, healthcare being more targeted now than at any other time, and the cost per breach rising, healthcare faces a stiff challenge to protect sensitive data. Compounding this challenge is the fact that healthcare organizations face more “risky” scenarios than ever before.
The Ponemon Institute and IBM recently released the 2015 Cost of Data Breach Study which indicates that costs associated with data breaches continue to rise. The cost of a data breach in 2014 was $154 per record, up from $145 in 2013, a 6% increase. The average cost of a data breach to an organization increased 23% over the past 2 years to $3.79 million. In the case of mega-breaches, those which affected millions of people, the costs are even higher (and are not reflected in these average costs).
There’s no question that healthcare data breaches are reaching an all-time high. With health records fetching as much as 10 times the value of credit card data on the black market, cybercriminals are targeting healthcare organizations now more than ever. 2015 is poised to become the “year of the hack” in healthcare, with cybercriminals exploiting any vulnerability they can find, be it an unpatched system or an insecure endpoint.
David Blumenthal and Deven McGraw recently wrote an editorial article for The Journal of the American Medical Association on Keeping Personal Health Information Safe: The Importance of Good Data Hygiene. The article reinforces what many security experts are saying, and what we also advocate here at Absolute: that most data breaches result from mundane problems, from poor “data hygiene,” if you will.
With the NHS care.data initiative finally set to launch, and an ever-increasing drive to increase mobility across the NHS, it will soon be much easier to share data securely across the NHS. These developments have the potential to transform health service delivery on many fronts.
The HIPAA Security Rule, created in 2003, establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, addressing some of the privacy and security concerns associated with the electronic transmission of health information. While the HITECH Act allows for greater enforcement of data breaches, what it does not do is strengthen the security standards by which the healthcare industry is held accountable. The question is: should HIPAA be updated so that the minimum standards are higher?
The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, compiled by Ponemon Institute on behalf of ID Experts, shows the evolution of healthcare data breaches that reflect the increased value of healthcare data. The reality is that healthcare data is so valuable now that cybercriminals have shifted their attacks to the healthcare industry, making criminal attacks the top threat to healthcare data. Though this sounds terrifying, the good news is that people, process and technology are still at the core of preventing these kinds of data breaches from happening.