HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet there was a decrease in organizations that believed cybersecurity was a board matter. In 2015, 87% of organizations believed cybersecurity was a board issue. This year, only 79% of respondents said they thought cybersecurity was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning on investment more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely targeted (69%), followed by patient/clinical research (63%) competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hactivists (47%).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.