This story was delivered to Business Insider Intelligence “Digital Health Briefing” subscribers.
A flurry of data breaches disclosed in July raises concerns about the security standards of healthcare organizations.
Two weeks ago, a breach at LabCorp, one of the largest US clinical laboratories, potentially exposed millions of patient records.
Last week, Nebraska-based health system Boys Town National Research Hospital reported a hack that may have compromised data on more than 100,000 individuals, according to HealthITSecurity.
These attacks build on a series of US breaches in July that amount to millions of exposed patient records, including social security numbers, medical diagnoses, and health insurance information.
Healthcare organizations have good reason to be concerned — the average cost of a data breach has climbed to $408 per lost or stolen patient record in 2018, up 7% from last year’s average and the highest among any industry sector, according to a new IBM study. And July’s not an anomaly — the number of individuals affected by healthcare data breaches at health insurance firms surged by more than 1,000% in the first five months of 2018.
Healthcare organizations can take immediate steps to shore up against breach threats:
- Strengthen internal security measures by investing in secure messaging platforms. This could help clamp down on internal threats, which account for 56% of all healthcare data breaches, according to Verizon.
- Establish C-suite leadership to advance incident preparedness. Currently, just 15% of organizations have a designated C-suite leader to manage enterprise-wide data security efforts, according to a December 2017 study. Without a designated cybersecurity leader, health systems are left unprepared after hacking incidents, which could prolong their recovery time.
Over the past five years, the world has seen a seemingly unending series of high-profile data breaches, defined as incidents in which unauthorized parties access and retrieve sensitive, secure, or private data.
Major incidents, like the 2013 Yahoo breach, which impacted all 3 million of the tech giant’s customers, and the more recent Equifax breach, which exposed the information of at least 143 million US adults, have kept this risk, and these threats, at the forefront for both businesses and consumers. And businesses have good reason to be concerned — of organizations breached, 22% lost customers, 29% lost revenue, and 23% lost business opportunities.
This threat isn’t going anywhere. Each of the past five years has seen, on average, 1,704 security incidents, impacting nearly 2 billion records. And hackers could be getting more efficient, using new technological tools to extract more data in fewer breach attempts. That’s making the security threat industry-agnostic for any business holding sensitive data — at this point, virtually all companies — and therefore a necessity for firms to address proactively and prepare to react to.
The majority of breaches come from the outside, usually from a malicious actor seeking access to records for financial gain, and tend to leverage malware or other software- and hardware-related tools to access records. But breaches can also originate internally, or result from employee accidents, like lost or stolen records or devices.
That means that firms need to have a broad-ranging plan in place, focusing on preventing breaches, detecting them quickly, and resolving and responding to them in the best possible way. That involves understanding protectable assets, ensuring compliance, and training employees, but also protecting data, investing in software to understand what normal and abnormal performance looks like, and building a response plan to mitigate as much damage as possible when the inevitable does occur.
Business Insider Intelligence, Business Insider’s premium research service, has put together a detailed report on the data breach threat, who and what companies need to protect themselves from, and how they can most effectively do so from a technological and organizational perspective.
Here are some key takeaways from the report:
- The breach threat isn’t going anywhere. The number of overall breaches isn’t consistent — it soared from 2013 to 2016, but ticked down slightly last year — but hackers might be becoming better at obtaining more records with less work, which magnifies risk.
- The majority of breaches come from the outside, and leverage software and hardware attacks, like malware, web app attacks, point-of-service (POS) intrusion, and card skimmers.
- Firms need to build a strong front door to prevent as many breaches as possible, but they also need to develop institutional knowledge to detect a breach quickly, and plan for how to resolve and respond to it in order to limit damage — both financial and subjective — as effectively as possible.
In full, the report:
- Explains the scope of the breach threat, by industry and year, and identifies the top attacks.
- Identifies leading perpetrators and causes of breaches.
- Addresses strategies to cope with the threat in three key areas: prevention, detection, and resolution and response.
- Issues recommendations from both a technological and organizational perspective in each of these categories so that companies can avoid the fallout that a data breach can bring.