Ponemon: 89 Percent of Healthcare Organizations Have Experienced a Data Breach

This week saw the publication of the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. This year’s study shows 89% of healthcare organizations have now experienced a data breach while 60% of business associates of healthcare organizations have experienced a breach of healthcare data.

All of these healthcare data breaches are taking their toll and are costing the industry dearly. The study estimates that $6.2 billion is being spent on resolving healthcare data breaches.

This year’s report shows that criminal attacks caused 50% of the healthcare data breaches reported over the course of the last 12 months, up five percentage points year on year. The remaining data breaches were caused by mistakes made by healthcare employees and their vendors.

Frequency and Severity of Cyberattacks Continue to Rise

The healthcare industry is uniquely vulnerable to cyberattacks. Healthcare organizations store vast quantities of valuable data, yet many do not have sufficiently robust defenses to keep that data secure. Security infrastructure is often found to be lacking, and many organizations cannot afford or recruit the best cybersecurity staff. Data is also shared with a large number of third parties, each of which widens the attack surface and increases the risk of exposure and unauthorized disclosure.

Investment in cybersecurity has improved, yet 59% of healthcare organizations do not believe their cybersecurity budgets are sufficient to prevent data breaches. The same is true of vendors: 60% of healthcare industry business associates believe their organization has underinvested in cybersecurity defenses and cannot stop data breaches from occurring. Unless investment is increased, healthcare data breaches are likely to continue to occur with increasing frequency.

Healthcare Employee Negligence is Still a Major Cause for Concern

Cybercriminals may be using ever more sophisticated means to attack healthcare organizations, but in many cases it is negligence that exposes healthcare data. In the words of Dr. Larry Ponemon, founder and chairman of the Ponemon Institute, “Sloppy employee mistakes and unsecured devices—was a noted problem in the first years of this research and it continues.”

Healthcare organizations and business associates appear to be blaming each other for data breaches and sloppy security practices. 54% of business associates believe healthcare employees are negligent in the way they handle protected health information, and 50% believe healthcare organizations are not investing enough in technologies to prevent data breaches. Conversely, 51% of healthcare organizations believe that their partners and other third parties are not ensuring protected health information is protected, and that their organization lacks oversight of vendors’ cybersecurity efforts.

What are the Biggest Data Security Concerns?

While cyberattacks are a major worry, the biggest security threat for healthcare organizations and their business associates is employee negligence. 69% of covered entities and 53% of business associates rated employee negligence as the main threat. Cyber attackers were the second biggest concern for healthcare organizations, followed by mobile device insecurity, public cloud services, malicious insiders, and BYOD.

For business associates, insecure public cloud services were rated second (46%), followed by cyberattacks, mobile device insecurity, malicious insiders, BYOD, and system failures.

As if the healthcare industry did not have enough threats to deal with, the past year has seen healthcare organizations having to contend with a new one: ransomware. Ransomware has become one of the main concerns for CISOs and CIOs.

44% of HIPAA-covered entities and 45% of business associates rate ransomware as one of their main cyberattack concerns. Only DDoS attacks were rated as being of more concern, with 48% of both business associates and covered entities naming them as the top cyberattack worry. Malware and phishing attacks were also rated as major concerns.

The risk of cyberattacks has increased, yet many healthcare organizations and business associates do not appear to be overly concerned with checking for security vulnerabilities. Only 8% of healthcare organizations check for security vulnerabilities on a monthly or quarterly basis. Business associates are more vigilant in this regard, with 11% checking monthly and 14% checking every quarter. 41% of healthcare organizations and 33% of business associates perform an annual risk assessment, but 43% of healthcare organizations and 35% of business associates have no regular schedule for assessing security vulnerabilities at all. That is a notable gap given that the HIPAA Security Rule requires both covered entities and business associates to conduct a risk analysis, even though it does not prescribe how often one must be performed.

Lack of Accountability for Data Breaches Continues to be a Problem

Even with increased enforcement of HIPAA Rules by the HHS’ Office for Civil Rights, there is little accountability for breaches of patient health information, according to Rick Kam, CIPP/US, president and co-founder of ID Experts, the sponsor of the study. He said, “The lack of accountability is a big issue in the healthcare industry.” He went on to say, “This is about real people and the exposure of their sensitive information.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.