Ponemon: Poor state of healthcare cybersecurity causing finger pointing

Criminal attacks continue to be the leading cause of data breaches in healthcare, with ransomware the latest threat, according to a new privacy and security survey conducted by the Ponemon Institute.

The study estimates the cost of breaches for the healthcare industry to be $6.2 billion, with the average cost to an individual organization at $2.2 million. For business associates the cost is more than $1 million. Nearly 90 percent of responding organizations said they experienced a data breach in the past two years, and 45 percent had more than five, though many of those were small incidents.

Ransomware, malware, and denial-of-service (DoS) attacks are the top cyberthreats that healthcare organizations face, the report notes, though they're also concerned about employee negligence, mobile device insecurity and use of public cloud services.

At the same time, organizations don't feel adequately prepared to deal with breaches.

FierceHealthIT spoke with Larry Ponemon, chairman and founder of the Ponemon Institute, and Rick Kam, president and cofounder of ID Experts, which sponsored the report, about the implications of the survey.

FierceHealthIT: These results sound like what we've been hearing over and over. Is there anything new or surprising?

Kam: It's more of the same. Last year criminal attacks were on the rise. Healthcare data has high value. The thing I find surprising is that Larry has been doing this study for six years now, and we've got the same problems cropping up. Why is that?

One of the nuances that came out of this study is that it seems there's some finger-pointing among players in the healthcare ecosystem. Healthcare entities are pointing fingers at business associates, and business associates are doing the same thing back to covered entities.

In my mind, it boils down to the issue of accountability. Someone has to take responsibility to make sure risk assessments are done and there has to be follow-through on the appropriate investments to make sure data is secure. Organizations are making investments, but they seem not to be making them in a way that's reducing the problem. So there's a problem somewhere.

FierceHealthIT: Many are of the mindset that protecting data in healthcare is more difficult than for other industries, such as financial services. Do you believe this is true?

Kam: There could be some aspects, such as the number of players in the ecosystem and the range of size--from single physicians to massive healthcare systems. But the same thing exists in financial services, from mom-and-pop stores to large insurance companies.

One of the most effective pieces of legislation I've seen go into effect was Sarbanes-Oxley, in which financial institutions were held accountable for accurate financial reporting. One of the most effective aspects was that the CFO or other executive had to sign off on the validity of the plan. Healthcare has a wonderful foundation with HIPAA and HITECH; there's a lot of guidance on what to do. If the CFO or doctor had to sign off that he'd reviewed the plan to ensure it has a minimum level of security--if they'd put a named person responsible for protecting the data--I think we'd have a different result today.

FierceHealthIT: What did you find most alarming?

Larry Ponemon: Over time, you'd expect things to get better, but it's just the status quo every year. Very small changes. With the mega-hype over some of these healthcare breaches, organizations are starting to say, 'Are we doing enough to ensure that the data we have is secure?' There's a perception or attitude that might be changing, but the actions of these organizations are pretty much constant over time.

If you looked at our report six years ago, the big problem was careless or negligent employees who were responsible for data leakage or data loss. That could still be true, but clearly the No. 1 issue today is criminal acts, which could be a cyberattack or malicious insider.

For a lot of organizations, despite all the talk about data breaches, there's still a lack of accountability. The organization doesn't have any appropriate governance infrastructure, so no one has the responsibility, or they call it a shared responsibility. The big problem wouldn't be the relationships internally, but third party or business associates that are handling data and might have a different orientation to security. There are more of these issues, yet the industry doesn't seem to have responded in a significant way.

In our study, we do have a few large players, but we also have regional and local hospitals and so forth, and it's possible the results we get aren't what we'd get if we focused on big, monstrous organizations. But this is the state of healthcare today. They want to treat patients and cure disease, but they're operating in a way that could be very insecure.

FierceHealthIT: Does government need to do more to light a fire under the healthcare industry about security?

Ponemon: Government definitely has a very important role to play. Obviously, there's a move to the cloud, and a lot of technological changes that make it harder to achieve a reasonable level of compliance with privacy and security standards. But the way the government gets involved is like a slow-moving train. By the time they issue a guideline, we might be operating in a very different place.

There's a very fast pace around IT and cybercrime, so that would be my main concern about having too much government intervention.

Editor's Note: This interview has been edited for clarity and length.