Healthcare sector data breaches are taking place at an unprecedented level. The healthcare data breach figures for 2019 have yet to be drawn up, but so far 494 data breaches of more than 500 records have been made known to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst year on record for healthcare data breaches and the second worst in terms of the number of healthcare records that have been breached.
The healthcare sector now accounts for around four out of every five data breaches, and 2020 looks like it is going to be another record-breaking year. The cost of these breaches to the healthcare sector is expected to come close to $4 billion during 2020.
The sad state of healthcare security was emphasised by a survey of healthcare security workers that was completed towards the end of 2019 by Black Book Market Research. The survey was sent to 2,876 security workers from 733 provider groups to spot cybersecurity gaps, vulnerabilities, and deficiencies in the healthcare sector.
The survey showed that over 93% of healthcare groups have suffered a data breach since Q3 2016, and 57% of surveyed healthcare providers were hit by more than five breaches in that period. Even though the risk of a data breach is considerable, investment in cybersecurity is nowhere near the level it should be.
Doug Brown, founder of Black Book, said: “It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue.” According to 90% of the hospital representatives surveyed, IT security budgets have stayed at the same level since 2016.
The survey found that hospital systems have grown their cybersecurity budgets to around 6% of their IT spend, but spending on cybersecurity by physician groups has dropped since 2018 and now stands at less than 1% of their IT budget.
When money is invested in cybersecurity, solutions are often bought blindly or with little vision or discernment. The survey indicated that between 2016 and 2018, 92% of data security investment decisions were made by the C-suite without any users or affected department managers being involved in the decision.
Even with the threat of attack at such a high level, 92% of healthcare groups lack full-time cybersecurity workers, and only 21% of hospitals said they had a dedicated security executive. Only 6% of those respondents said that person was the Chief Information Security Officer (CISO). Physician groups are much less likely to have a CISO appointed: only 1.5% of physician groups with more than 10 clinicians said they had a dedicated CISO.
More CISOs and cybersecurity workers are required, but it is not clear where those individuals will come from given the nationwide shortage of skilled cybersecurity workers. In the meantime, cybersecurity must be outsourced to managed service providers as a stop-gap measure.
Other key results of the survey include:
- 96% of IT professionals said threat actors are evolving faster than medical enterprises.
- More money is being invested in marketing to repair damaged reputations after a breach than is spent on addressing the consequences of data breaches.
- 35% of healthcare groups did not search for vulnerabilities before an attack.
- 87% of healthcare groups have not held a cybersecurity drill with an incident response process.
- 40% of the providers questioned do not carry out measurable assessments of their cybersecurity status.
- 26% of hospital respondents and 93% of physician groups currently report that they do not have an appropriate solution to instantly detect and respond to an organization-level breach.