Ponemon: 48% of Healthcare Organizations Suffered a PHI Breach in the Past Year

A study recently published by the Ponemon Institute has revealed that almost half of healthcare organizations (48%) have experienced a data breach in the past 12 months that has resulted in the loss or exposure of the protected health information of patients.

The survey, conducted on behalf of software security firm ESET, asked 535 IT security professionals questions about cyberattacks on their organizations, the consequences of those data breaches, and their cybersecurity concerns. The survey provides insight into the current state of healthcare cybersecurity, the effect data breaches are having on healthcare organizations, and the seriousness of the current threat level.

Cyberattacks on healthcare organizations are now taking place at a rate of one every month. Hackers were able to evade intrusion prevention systems (IPS) at 49% of organizations surveyed, while 37% of respondents said cyberattackers had evaded detection by their antivirus protections and other traditional security measures. A quarter said they were unsure whether that was the case.

Protections against advanced persistent threats (APTs) were used by only just over a quarter of healthcare companies, and 21% of respondents were unsure whether they had systems in place that could identify APTs. On average, an advanced persistent threat attack took place every 3 months. The main consequences of those attacks were IT downtime and the inability to provide services, cited by 63% and 44% of respondents respectively.

Most commonly, hackers took advantage of unpatched software vulnerabilities. 78% of respondents said attacks occurred as a result of unpatched software where a patch had been available for at least 3 months. 70% said incidents had occurred as a result of unpatched software where a patch had been available for less than three months.

Three quarters of respondents said they had suffered security incidents as a result of web-borne malware attacks, while spear phishing attacks were also common, with 69% of respondents saying they had experienced such an attack.

IT security professionals are concerned about unsecured medical devices. 77% of respondents said their organizations are finding it difficult to secure the devices and rated them among the top three threats, although only 27% of respondents said medical device security featured in their cybersecurity strategy. 77% of respondents also rated cyberattackers as one of the top three threats, while system failures were the biggest worry, cited by 79% of respondents.

Over the past year, employee negligence has resulted in numerous data breaches; however, the survey indicated that technology was seen as the bigger problem. 52% of respondents said they believed the security vulnerabilities that exist in legacy systems, IoT, and cloud and mobile applications were the biggest problem, while 46% were more concerned about employee negligence. HIPAA business associate agreements (BAAs) have been implemented and should help to ensure that vendors put appropriate controls in place to keep patient data secure, yet 45% of respondents believed those BAAs were ineffective.

DDoS attacks continue to be a problem and are eating up a significant proportion of IT department budgets. An average of $1.32 million was spent on dealing with DDoS attacks during the past year. A significant DDoS attack occurred every four months, according to 37% of respondents.

Larry Ponemon, founder and chairman of the Ponemon Institute, said, “Based on our field research, healthcare organizations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks.” He added that, as a result of the significant number of attacks suffered recently, “there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.