HIPAA Security: Most business associates suffer data breaches

Experts have sounded the alarm for months on the growing number of cyber attacks and data breaches at healthcare organizations. New research shows that business associates are also under siege.

In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two breaches or more.

Those stats come from the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute. We dug into the report to find out more about business associates and how they are handling the fight.

IT providers, this means you

A business associate (BA) is a specifically defined term in HIPAA. To paraphrase, it refers to any third party that handles patient data on behalf of a healthcare organization.

Many IT providers are considered business associates of their healthcare clients under HIPAA. Twenty-one percent of the associates surveyed by Ponemon were IT or cloud service providers.

Top target: billing and insurance data

Your medical information is worth more than 10 times as much as your credit card number on the black market, according to Reuters. Criminals can use the data – such as your name, birth date, policy number, and billing information – for insurance fraud and other scams.

This is one reason why billing and insurance information is the most-breached type of data at BAs.

Chart - Patient data successfully breached

Healthcare organizations also see a significant number of breaches affecting billing and insurance information, but their medical records are breached more often.

What happens when an attacker breaches one of these assets? The associated costs can be severe. The average for a BA breach is more than $1 million, according to the report.

Also: the nation’s largest health insurer, Anthem, recently had a breach on an insurance database that exposed 80 million people. That’s 25% of the U.S. population.

Data breach > security incident

A quick note: like many studies, this report makes a distinction between security incidents and data breaches:

  • Security incident – a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information.
  • Data breach – a security incident that meets specific legal definitions under applicable breach laws. Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.

Criminal attacks are rising in healthcare

The shocking value of health data is helping to drive a rise in criminal attacks on healthcare organizations.

Although lost or stolen devices remain a top driver of security incidents for business associates, you can also see that 90% were hit by the targeted tactic known as spear phishing.

Chart - Security incidents business associates experienced

Eighty percent of BAs reported malware attacks and nearly half were hit by advanced persistent threats. Clearly there is more behind the data than a few missing laptops.

Top cause of data breach: employee mistakes

When looking at data breaches, employee mistakes are a bigger problem at business associates than criminal attacks or theft.

Chart - Root cause of business associate breaches

However, as mentioned above, criminal attacks are rising fast. They are now the number-one cause of breach at healthcare organizations, jumping 125% over the past five years.

They may not be a top cause of BA data breaches yet, but the report’s authors emphasize that the healthcare threat environment is changing and criminal attacks are mounting.

Top way to detect a breach: employees

Employees are the most common means of detecting a data breach at BAs, although roughly half of BAs have also had breaches discovered in an audit.

Chart - how business associates detect a breach

These results are reversed in healthcare organizations. More than two-thirds discovered a breach as part of an assessment and only 44% discovered them via employees.

Biggest perceived threat: employees

What keeps business associates up at night? Mostly the fear of employee negligence, which is not surprising since it's the number-one cause of breach.

Chart - Security threats worry business associates

The report’s authors note that the number of criminally motivated security incidents is growing, with malware attacks causing incidents at 82% of BAs. Despite the changing environment, only 35% of BAs are concerned about cyber attackers – though that may change in the future.

Related resources

HIPAA Hazards: Avoid the business associate trap

HIPAA Compliance for IT Providers: Top 5 questions

HIPAA 2015: Expect more attacks, enforcement, and lawsuits

Healthcare IT Security: Compliance nightmare on horizon

Written by Calyptix - May 18, 2015
