Criminal attacks on healthcare organizations have increased 125 percent in the past five years and now are the leading cause of data breaches, according to a new study from the Ponemon Institute.
At the same time, most healthcare organizations are not prepared for the rapidly changing world of cyberthreats, lacking the resources and processes to protect patient data, according to an announcement.
Small to mid-size organizations are especially vulnerable because they have limited security and privacy processes, personnel, technology, and budgets compared with their larger counterparts, the report notes.
Breaches are costing the healthcare industry $6 billion a year, and the average cost of breaches per organization is more than $2.1 million.
Other findings include:
- Ninety-one percent of covered entities have had a breach and 40 percent had five or more within the past two years. Among business associates (BAs), 59 percent have had a breach and 15 percent had five or more in the same time period
- Seventy-eight percent of healthcare organizations and 82 percent of BAs had a web-borne malware attack
- Half of the combined groups said they had little or no confidence in their ability to detect all patient data loss or theft
- Sixty-five percent of healthcare organizations and 87 percent of BAs had an electronic information security-based incident in the past two years and half the combined groups had paper-based incidents
- One-third of respondents lack an incident response process and the majority fail to perform a risk assessment for security incidents, despite the federal mandate to do so
Medical identity theft incidents rose more than 20 percent in fiscal year 2014 compared to 2013, Ponemon reported in February.
Separately, it reported that security professionals across industries feel ill-prepared to defend against cybersecurity attacks. Fifty-seven percent of respondents cited resources/budget as the biggest impediment to a more secure organization, followed by inadequate expertise (56 percent).