Experts have sounded the alarm for months on the growing number of cyber attacks and data breaches at healthcare organizations. New research shows that business associates are also under siege.
In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two breaches or more.
Those stats come from Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute. We dug into the report to find more about business associates and how they are handling the fight.
IT providers, this means you
A business associate (BA) is a specifically defined term in HIPAA. To paraphrase, it refers to any third party that handles patient data on behalf of a healthcare organization.
Many IT providers are considered business associates of their healthcare clients under HIPAA. Twenty-one percent of the associates surveyed by Ponemon were IT or cloud service providers.
Top target: billing and insurance data
Your medical information is worth more than 10-times your credit card number on the black market, according to Reuters. Criminals can use the data – such as your name, birth date, policy number, and billing information – for insurance fraud and other scams.
This is one reason why billing and insurance information is the most-breached type of data at BAs.
Healthcare organizations also see a significant number of breaches affecting billing and insurance information, but their medical records are breached more often.
What happens when an attacker breaches one of these assets? The associated costs can be severe. The average for a BA breach is more than $1 million, according to the report.
Also: the nation’s largest health insurer, Anthem, recently had a breach on an insurance database that exposed 80 million people. That’s 25% of the U.S. population.
Data breach > security incident
A quick note: like many studies, this report makes a distinction between security incidents and data breaches:
- Security incident – a violation of an organization’s security or privacy policies involving protected information such as social security numbers or confidential medical information.
- Data breach – a security incident that meets specific legal definitions per applicable breach laws. Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines
Criminal attacks are rising in healthcare
The shocking value of health data is helping to drive a rise in criminal attacks on healthcare organizations.
Although lost or stolen devices remain a top driver of security incidents for business associates, you can also see that 90% were hit by the targeted tactic known as spear phishing.
Eighty percent of BAs reported malware attacks and nearly half were hit by advanced persistent threats. Clearly there is more behind the data than a few missing laptops.
Top cause of data breach: employee mistakes
When looking at data breaches, employee mistakes are a bigger problem at business associates than criminal attacks or theft.
However, as mentioned above, criminal attacks are rising fast. They are now the number-one cause of breach at healthcare organizations, jumping 125% over the past five years.
They may not be a top cause of BA data breaches yet, but the report’s authors emphasize that the healthcare threat environment is changing and criminal attacks are mounting.
Top way to detect a breach: employees
Employees are the most common means of detecting a data breach at BAs, although roughly half of BAs have also had breaches discovered in an audit.
These results are reversed in healthcare organizations. More than two-thirds discovered a breach as part of an assessment and only 44% discovered them via employees.
Biggest perceived threat: employees
What keeps business associates up at night? Mostly the fear of employee negligence, which is not surprising since it’s the number-one cause of breach.
The report’s authors note that the number of criminal based security incidents is growing, with malware attacks causing incidents at 82% of BAs. Despite the changing environment, only 35% of BAs are concerned about cyber attackers – though that may change in the future.