Healthcare Tech | July 30, 2019
A Third Of U.S. Healthcare Organizations Experienced Data Breaches in 2018
Data breaches and security of information continue to pose headaches for the U.S. healthcare sector. A new report revealed that at least one in three healthcare organizations experienced a data breach in 2018.
Furthermore, the “2019 Thales Data Threat Report – Healthcare Edition” revealed that 70 percent of healthcare organizations surveyed had experienced a data breach at some point. The survey, which was conducted by Thales in conjunction with research analysis firm IDC, said no other industry experienced as many breaches as healthcare.
With more organizations storing patient data and other sensitive information on cloud-based servers, the report said it was increasingly important for the industry to put new security strategies in place because healthcare data is highly targeted due to the value it has for cybercriminals.
Low levels of encryption heighten risk
Tina Stewart, vice-president of market strategy for cloud protection and licensing activity at Thales, said their report showed that sensitive patient information was at risk in the face of rapid cloud adoption. Low encryption rates in the healthcare industry also heightened the risk.
“Data security is increasingly complex, particularly for healthcare organizations immersed in cloud and digital transformation initiatives. The focus should be to encrypt everything in the cloud and keep control of the data by centrally managing the keys to the encrypted data,” Stewart said.
This was reiterated by IDC, which gave some advice to the healthcare industry. It said the digital transformation of the healthcare industry necessitated new data security strategies. “Even selecting a top-tier cloud provider doesn’t remove the burden of an organization doing its part to provide data security, and this starts with encryption, authentication, and access management,” IDC said.
To illustrate the risk that the sector faced, the report pointed out that while 100 percent of healthcare organizations (more than any other industry) were collecting, storing and sharing sensitive data within digital transformation technologies, 38 percent or less were encrypting this information.
In the face of increasing threats, you would expect healthcare organizations to strengthen their security systems, but the Thales report reveals that the opposite is true, because IT security spending “is tapering off, leaving limited resources for safeguarding new environments in addition to legacy systems.”
Healthcare Organizations a barrier
The report further says healthcare providers continue to move to multi-cloud environments as part of their digital transformation efforts, with 80 percent of respondents using sensitive data in the cloud. However, respondents to the Thales and IDC survey said multi-cloud environments made the job of protecting data challenging, with 46 percent rating complexity as the top barrier to deploying data security.
Another worrisome trend the survey reported on was that data security compliance failures were on the rise.
It said at least one in four respondents failed data security compliance audits in the past year.
“In particular, healthcare providers signaled concerns meeting compliance mandates for key use cases such as cloud, big data and containers, and 62 percent plan to use encryption and tokenization to address these requirements,” the report said.
IDC made four recommendations for the healthcare industry. It recommended that the industry focus on all threat vectors and invest in modern, hybrid and multi-cloud-based data security solutions that scale to modern architectures. It also recommended that the industry prioritize compliance issues and adopt new data security strategies, including encryption and access management.
The report also urged IT professionals to treat encryption, key management and access management, including strong or two-factor authentication, as paramount to healthcare organizations.
The Thales and IDC report is in keeping with one by Kaspersky Lab, which reported late last year that a third of healthcare workers say their companies have been targeted by cybercriminals and have fallen victim to ransomware more than once. The report raised concern that the healthcare industry was not learning from previous security breaches.
Not all gloom and doom
In spite of concerns that the healthcare industry was not learning from past breaches, Healthcare Dive reported that a June 2019 Integris Software survey found that 70 percent of mid- to large-size healthcare companies in the U.S. were confident in their ability to manage sensitive data, but half updated their inventory of such data once a year or less.
The 2019 HIMSS U.S. Leadership and Workforce Survey report also found that cybersecurity, privacy and security topped a list of priorities for healthcare workers and vendor organizations, an indication that attitudes may be changing, albeit slowly.
A different survey by Bitglass said there were 290 data breaches in the healthcare industry in 2018, a slight fall from 294 in 2017 and 324 the previous year, showing an improvement in the secure storage of information. However, more records were breached: 11.5 million in 2018 compared with 4.7 million in 2017.
U.S. healthcare IT spending is projected to hit $8.70 billion by 2023.