HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Forrester: Anthem-Sized Healthcare Data Breaches Will Be Commonplace in 2017

The start of the year sees many worrying predictions made about healthcare cybersecurity and potential data breaches; however, Forrester Research has painted a particularly bleak picture for 2017. The firm expects data breaches on the scale of the 2015 Anthem Inc. cyberattack to be commonplace in 2017.

2016 saw more healthcare data breaches reported to OCR than in any other year. While the severity of those breaches was nowhere near as bad as in 2015, the same cannot be said of all industries. A report published last month by Risk Based Security shows that while the total number of data breaches – across all industries – was similar in 2016 to 2015, the severity of those data breaches was much worse. Large data breaches can be expected in 2017.

Forrester suggests that as healthcare organizations grow in size – through mergers, acquisitions and partnerships – the volume of patient data that each organization stores will increase. Large repositories of healthcare data will be seen as a major prize for cybercriminals and attacks on those large healthcare organizations can be expected.

Unfortunately, when healthcare organizations acquire other companies or merge with other healthcare firms, security becomes fragmented. Fragmented security makes it much more likely that vulnerabilities will be introduced that can be exploited by hackers.

The methods used to attack healthcare organizations are becoming more sophisticated and many traditional technologies are now becoming ineffective at preventing cyberattacks. Forrester also points out that many healthcare organizations are only improving their cybersecurity defenses to ensure compliance with the requirements of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only requires cybersecurity defenses to be improved to ensure a minimum standard is met, not to ensure that patient data cannot be accessed by hackers.

Ensuring patient health information is safeguarded requires considerable investment in new technologies, yet the healthcare industry lags behind other industry sectors when it comes to cybersecurity defenses. Previous studies by Forrester have shown that healthcare organizations typically devote smaller percentages of their IT budgets to security.

Across all industries, the average percentage of IT budgets directed to security is 26%. For the healthcare industry it is 23%. However, the telecommunications sector devotes 35% of IT budgets to security. Forrester suggests that due to the highly sensitive nature of healthcare data and its value to cybercriminals, healthcare IT security budgets should be increased to a similar level.

In addition to a rise in massive healthcare data breaches, Forrester predicts that the number of IoT devices that are compromised will increase to more than 500,000 in 2017, leading to massive DDoS attacks even larger than those seen in the tail end of 2016.

A Fortune 1000 company failure is probable in 2017 as a direct result of a cybersecurity incident, while Forrester says President Trump will likely face a major cyber crisis in his first 100 days in office. The final prediction is that a lack of cybersecurity talent will see CISOs forced to outsource as much as 25% of their security budgets to external providers of security services and automation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.