HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

80% of Organizations Concerned About Large Data Breaches

Most organizations now understand that it is no longer a case of whether a breach will occur, but a matter of when their defenses will be breached, yet many organizations appear to be ill equipped to deal with a data breach when one does occur, according to a recent ID Experts survey.

The survey, conducted on behalf of insurance analyst firm Advisen, asked 203 risk assessment experts about data breach preparedness and the measures in place to deal with data breaches when they did occur. The aim of the survey was to find out more about how organizations are managing data breach risk, and how insurance coverage gaps are being addressed.

Recent large scale data breaches have got many CISOs worried that their organization will be attacked. 80% of respondents said they are worried about their organization suffering a large data breach. 17% of respondents said they had already suffered at least one data breach in the past 12 months.

The very real threat of a data breach has prompted 64% of organizations to purchase data breach insurance, yet those policies may offer little benefit. Insurance can certainly help to cover the cost of large data breaches, but most data breach insurance policies have deductibles that trigger coverage. Since the majority of data breaches are small, most companies would have to pay for the full breach response. 26% of respondents said that in more than 90% of cases their data breaches fell below their deductibles. Their policies did little to protect them from the majority of data breaches and would only pay out for low frequency breaches of a severe nature.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A fast and efficient breach response can greatly limit the damage caused, yet only 45% of respondents said they had the necessary resources to detect all data breaches. 27% of respondents believed they had inadequate resources in place to deal with data breaches when they did occur.

It is difficult to conduct an efficient breach response if all members of the response team come from one department, yet 60% of organizations relied on their IT department to conduct the entire breach response. When breaches do occur, if a cross-section of internal personnel are not part of the breach response team it can greatly hamper the speed and efficiency of the breach response.

75% of respondents said they have developed data breach response plans; however, only 42% of respondents said their organizations had tested those plans. 41% of respondents said they did not test their breach response plans or were unsure if they did. The researchers explain that there may be a disconnect between risk management departments and technology departments, but that this could indicate organizations are simply ill equipped to deal with data breaches.

According to Jeremy Henley, director of breach services at ID Experts, “Most organizations are not prepared to manage the high-risk, high-threat landscape in which we do business.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.