Experts have sounded the alarm for months on the growing number of cyber attacks and data breaches at healthcare organizations. New research shows that business associates are also under siege.
In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two or more breaches.
Those stats come from the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, published by the Ponemon Institute. We dug into the report to find out more about business associates and how they are handling the fight.
A business associate (BA) is a specifically defined term in HIPAA. To paraphrase, it refers to any third party that creates, receives, maintains, or transmits protected health information on behalf of a covered entity such as a hospital, practice, or health plan.
Many IT providers are considered business associates of their healthcare clients under HIPAA. Twenty-one percent of the associates surveyed by Ponemon were IT or cloud service providers.
Your medical information is worth more than 10 times your credit card number on the black market, according to Reuters. Criminals can use the data – such as your name, birth date, policy number, and billing information – for insurance fraud and other scams.
This is one reason why billing and insurance information is the most frequently breached type of data at BAs.
Healthcare organizations also see a significant number of breaches affecting billing and insurance information, but their medical records are breached more often.
What happens when an attacker breaches one of these assets? The associated costs can be severe. The average cost of a BA breach is more than $1 million, according to the report.
Also: the nation’s largest health insurer, Anthem, recently had a breach of an insurance database that exposed the records of roughly 80 million people. That’s about 25% of the U.S. population.
A quick note: like many studies, this report draws a distinction between security incidents and data breaches, so the incident figures and breach figures below should be read separately.
The shocking value of health data is helping to drive a rise in criminal attacks on healthcare organizations.
Although lost or stolen devices remain a top driver of security incidents for business associates, the report also shows that 90% were hit by the targeted tactic known as spear phishing.
More than 80 percent of BAs reported malware attacks, and nearly half were hit by advanced persistent threats. Clearly there is more behind the data than a few missing laptops.
When it comes to data breaches (as opposed to incidents), employee mistakes are a bigger problem at business associates than criminal attacks or theft.
However, as mentioned above, criminal attacks are rising fast. They are now the number-one cause of breaches at healthcare organizations, jumping 125% over the past five years.
They may not be a top cause of BA data breaches yet, but the report’s authors emphasize that the healthcare threat environment is changing and criminal attacks are mounting.
Employees are the most common means of detecting a data breach at BAs, although roughly half of BAs have also had breaches discovered in an audit.
These results are reversed in healthcare organizations. More than two-thirds discovered a breach as part of an audit or assessment, and only 44% discovered them via employees.
What keeps business associates up at night? Mostly the fear of employee negligence, which is not surprising since it is the number-one cause of breaches at BAs.
The report’s authors note that the number of criminally motivated security incidents is growing, with malware attacks causing incidents at 82% of BAs. Despite the changing environment, only 35% of BAs are concerned about cyber attackers – though that may change in the future.
Related resources
HIPAA Hazards: Avoid the business associate trap
HIPAA Compliance for IT Providers: Top 5 questions