Healthcare Organizations’ Experience Regarding Data Breaches in 2017 According to the Ponemon Institute Survey


Ponemon Institute conducted a survey sponsored by Merlin International which revealed that 62% of healthcare organizations experienced data breaches in the past year resulting to data loss. The survey involved the participation of 627 leaders from hospitals and payer organizations. About 67% of the survey participants were from hospitals that have 100-500 beds and about 10,000 to 100,000 networked devices. They were asked about their experience of data breaches in their organization in the past half year.

In 2017, the healthcare industry saw the exposure or theft of over 5 million health records. Next to the business sector, the healthcare industry was a favorite target of cybercriminals. For 4 straight years, the healthcare industry ranks the second industry most affected by data breaches. And it seems that cyberattacks will not stop or slow down in 2018.

Despite the high probability of facing cyberattacks, 51% of the surveyed healthcare organizations do not have any incident response program in place. This unpreparedness for cyberattacks will slow down system recovery. Ponemon Institute studied the cost of a data breach and found that a quick response to a data breach reduces the resulting harm to breach victims, which in turn lowers the cost of mitigating a cyberattack. The approximate cost of mitigating a cyberattack is $4 million according to the survey respondents.

The respondents were also asked about the types of attack that caused serious concern to their organizations. The top concern by 64% and 63% of respondents were internal threats and external threats, respectively.  According to the respondents, the main perceived targets of hackers are the following:

  • Electronic medical records – 77%
  • Patient billing information – 56%
  • Login credentials – 54%
  • Other authentication credentials – 49%
  • Research information – 45%

Attackers used different methods to access networks and healthcare data. The main attack methods according to the percentage of survey respondents are the following:

  • Exploitation of software and operating system vulnerabilities – 71%
  • Use of malware – 69%
  • Ransomware attacks – 37%

One other security concern in many healthcare organizations is that of medical devices. Most of the healthcare organizations do not include medical devices in their overall cybersecurity strategy. About 1/3 of the respondents affirm the fact that organizations do not have plans of including medical devices in their cybersecurity strategies.

The HHS’ Office for Civil Rights is reminding healthcare organizations to work on the cybersecurity awareness of employees. Ongoing employee training on security awareness must be provided. Cofense can help provide the training and phishing simulations to prepare employees for phishing attacks. The problem is that many organizations do not want to heed OCR’s advice. Hence, cyberattacks still continue to threaten healthcare organizations and consumers.