4 Key Findings from the SCCE and HCCA Data Breach Report
Contrary to popular belief, hackers or “hacktivists” are not the leading cause of data breaches in healthcare—not even the second, according to a recent survey by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA). Just 17 percent of compliance professionals stated that a hacker was responsible for a data breach at their healthcare organization. Respondents reported that lost devices and misplaced paper files were the two leading causes of data breaches (20% and 45%, respectively).
In spite of the heightened awareness of and concern about cybersecurity threats across the healthcare industry, very little has changed when it comes to either managing the issue or the number of reported incidents. In fact, this study reveals that the number of reported incidents has actually gone down in recent years.
As you review your healthcare organization’s compliance initiatives for 2017, here are a few things you should consider from SCCE’s and HCCA’s latest data breach report.
1. The number of breaches has declined.
As stated above, the number of respondents who reported breaches has decreased since 2012. At that time, 32 percent reported no incidents, which is six percentage points less than the current survey (38%).
However, despite the lower reported incident rate, 90 percent of healthcare organizations suffered a data breach in the past two years, a new Ponemon study states. Moreover, estimates based on Ponemon’s study suggest that breaches could be costing the healthcare industry $6.2 billion. Other research also shows the estimated cost of a major healthcare breach is $200 per patient record—which includes post-breach costs such as HIPAA fines and lost business due to reputational damage.
2. Industry and company size are factors.
Although cyberattacks in the healthcare industry are increasing, the data breach report suggests governmental institutions are the most at risk for cyberattacks (68%), compared to for-profit, publicly traded companies (65%); not-for-profit organizations (63%); and healthcare (59%). Similarly, a company’s size also plays a critical role. While 51 percent of organizations with 1,000 employees or fewer reported a breach, 81 percent of those with 100,000 or more employees had been breached.
3. Employees are the #1 source of reporting an incident.
Though it may seem surprising, survey respondents say employees were the first to report a cybersecurity threat. This makes sense given that lost devices and misplaced files were the root causes of most data breaches. Only five percent of respondents reported that a breach was discovered through an audit, and 10 percent of incidents were reported by IT.
4. Compliance and ethics departments usually drive remediation efforts after an attack.
If hacking incidents increase, the role of compliance may shift. As long as internal human errors are the primary cause of data incidents, compliance departments are capable of taking the lead in efforts to prevent, locate and fix issues and threats to their data systems. However, if the balance shifts toward external threats such as hackers, IT will need to take the initiative and assume a more active role.
Unfortunately, cyberattacks and data breaches are now a part of our daily lives. As long as it remains profitable for hackers to carry out these attacks on healthcare organizations, data breaches will continue. What precautions are you employing to prevent your organization from being a victim of these cyber crimes? Please share; we’d love to hear from you!