Healthcare organizations see more than their share of data breaches. Because the healthcare industry handles sensitive and valuable data, including personal and financial information as well as medical records, it is a frequent target for cybercriminals. The data can be used for identity theft, insurance fraud, and other types of criminal activity.
Cyber-attacks can also have severe consequences for patients, such as disrupting care, causing harm or even costing lives. Cybercriminals looking for a high reward at minimal risk have targeted this sector and will continue to do so, and the statistics bear this out.
An analysis of data breaches recorded on the Privacy Rights Clearinghouse database between 2015 and 2019 showed that 76.59% of all recorded data breaches were in the healthcare sector. This implies the healthcare sector recorded three times as many data breaches as the education, finance, retail, and government sectors combined.
Between 2009 and 2022, the Department of Health and Human Services’ Office for Civil Rights (OCR) reported 5,150 healthcare data breaches of 500 or more records, exposing nearly 400 million healthcare records, 1.2x the population of the United States. In 2022 alone, an average of 1.94 healthcare data breaches of 500 or more records were reported each day, double the number reported in 2018.
The costs surrounding healthcare data breaches are staggering:
- The cost per record for healthcare data breaches is $408, three times higher than the cross-industry average of $148 per record.
- The average cost of a data breach for healthcare hit a new high of 10.10 million USD in 2022, compared to the global average cost of a data breach at 4.35 million USD. – IBM/Ponemon 2022
- Healthcare has been the most expensive industry for breach costs for 12 years running, with the average cost up 41.6%. – IBM/Ponemon 2022
- An estimated US $7 billion has been lost due to stolen PHI in the US.
Data breaches can also create non-compliance issues under HIPAA regulations, and penalties for these violations hit a record high in 2022, with 222 penalties imposed. OCR publishes its HIPAA penalty structure annually, and the aftermath of a data breach can result in violations that last for years and in multi-million-dollar fines.
Healthcare Data Breaches – The Main Culprits
Healthcare data breaches take place in many forms – malicious cyber-attacks, insider threats, third-party breaches – all with the goal of financial gain. Verizon’s DBIR report states that in 2022, 61% of cyber-attacks in healthcare came from external actors, making hacking/IT attacks the top pattern for reported incidents.
Ransomware is the main type of hacking/IT event that threatens healthcare. Definitive Healthcare reported that, of the 693 healthcare breaches reported in 2022, over three quarters of the attacks – 78.5% – were caused by hacking and IT incidents, with ransomware as the primary culprit – a trend that has grown over the years.
The JAMA Health Forum study on trends in ransomware attacks reveals their increasing frequency and sophistication, and the implications for the quality and safety of patient care. Ransomware attacks on U.S. healthcare organizations between January 2016 and December 2021 totaled 374, exposing the PHI of nearly 42 million patients. Half of the reported ransomware attacks disrupted the delivery of health care, with common disruptions including electronic system downtime, cancellations of scheduled care, and ambulance diversion.
Ultimately, healthcare breaches can result in data theft, reputational and financial losses, and most importantly, threaten patient outcomes. What can healthcare organizations do to mitigate data breaches?
Solutions to Protect Data Against Breaches
Employee training on cybersecurity, limiting access to sensitive information, monitoring networks for unusual activity and implementing an incident response plan are all good security measures to help keep data safe. These measures help to “protect the perimeter” of healthcare systems, but they cannot ensure that a network will not be breached.
Cyberthieves will continue to be diligent in finding ways to steal sensitive data. Healthcare security experts believe that encryption – implemented both at rest and in transit – is the best way to protect patient data in the event of a data breach.
There are multiple steps healthcare organizations can take to mitigate data breaches. The most effective step is to encrypt protected health information to render it unusable, unreadable, or indecipherable in the event of a ransomware attack. This will ensure data is not compromised and the attack will not have to be reported to the Office for Civil Rights. – The HIPAA Journal
Bluefin’s healthcare payment and processing solutions devalue all data – whether payments, Protected Health Information (PHI) or Personally Identifiable Information (PII) accepted both at the point-of-sale (POS) and online – using a combination of encryption and tokenization. Our solutions ensure that patient data is worthless to hackers in the event of a breach or compromise.
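The two passages above describe the same idea from two angles: encrypt PHI at rest so a stolen copy is unreadable, and replace payment card numbers with tokens so the stored value is worthless outside a vault. The program below is an added example written for this article, not Bluefin's product code and not code from the HIPAA Journal. It assumes a hypothetical patient record with one PHI field (name) and one card number, encrypts the PHI field with AES-256-GCM, swaps the card number for a random token held in an in-memory vault, and then checks what an attacker holding a copy of the stored row would actually learn. The key and the token map are kept in memory only so the example runs stand-alone; in a real deployment they would live in a KMS/HSM and a separately hardened token store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// StoredRecord is the database row after devaluation: AES-GCM ciphertext for
// the PHI field and a random surrogate for the card number, no plaintext.
type StoredRecord struct {
	PatientID  string
	NameCipher []byte // nonce || ciphertext || tag
	CardToken  string // meaningless without the vault's token map
}

// Vault owns the data-encryption key and the token-to-PAN map. In production
// the key lives in a KMS/HSM and the map in a separately hardened store.
type Vault struct {
	gcm    cipher.AEAD
	tokens map[string]string
}

// NewVault takes a 32-byte key (AES-256); generating it is the caller's job.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{gcm: gcm, tokens: map[string]string{}}, nil
}

// aad binds a field's ciphertext to its patient, so a ciphertext copied into
// another patient's row fails authentication on decrypt.
func aad(patientID string) []byte { return []byte("patient:" + patientID) }

// Protect is the write path: devalue every sensitive field before storage.
func (v *Vault) Protect(patientID, name, pan string) (StoredRecord, error) {
	if len(pan) < 4 {
		return StoredRecord{}, errors.New("PAN too short")
	}
	nonce := make([]byte, v.gcm.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := v.gcm.Seal(nonce, nonce, []byte(name), aad(patientID))
	// The token is random, so it reveals nothing about the PAN; only the last
	// four digits survive so receipts still work without touching the vault.
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return StoredRecord{}, err
	}
	tok := fmt.Sprintf("tok_%x_%s", b, pan[len(pan)-4:])
	v.tokens[tok] = pan
	return StoredRecord{PatientID: patientID, NameCipher: ct, CardToken: tok}, nil
}

// Reveal is the read path, reachable only by systems entitled to plaintext.
func (v *Vault) Reveal(r StoredRecord) (name, pan string, err error) {
	ns := v.gcm.NonceSize()
	if len(r.NameCipher) < ns {
		return "", "", errors.New("ciphertext too short")
	}
	n, err := v.gcm.Open(nil, r.NameCipher[:ns], r.NameCipher[ns:], aad(r.PatientID))
	if err != nil {
		return "", "", err // any bit flipped in nonce, body or tag lands here
	}
	p, ok := v.tokens[r.CardToken]
	if !ok {
		return "", "", errors.New("unknown token")
	}
	return string(n), p, nil
}

// LeaksPlaintext models what an attacker holding a copy of the table learns:
// true if value appears verbatim anywhere in the stored record.
func LeaksPlaintext(r StoredRecord, value string) bool {
	return strings.Contains(string(r.NameCipher)+r.CardToken, value)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	r, _ := v.Protect("p-1001", "Jane Doe", "4111111111111111") // constructed sample, not real data
	fmt.Println("row leaks name:", LeaksPlaintext(r, "Jane Doe"), "row leaks PAN:", LeaksPlaintext(r, "4111111111111111"))
	fmt.Println(v.Reveal(r))
}
```

The point the example makes concrete is that the stored row carries nothing an attacker can use: the name is ciphertext under a key that is not in the row, and the card token maps to a real number only inside the vault. That separation is also what the "does not have to be reported" statement above depends on; if the key or the token map is stored alongside the data and taken with it, the data is not effectively encrypted and the protection is lost. Binding each ciphertext to its patient ID through GCM's additional data is a small extra step that stops a field from being silently moved between records.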
Learn how to mitigate data breaches today.