Dive Brief:
- The number of reported healthcare breaches hit a three-year low of 290 in 2018, down from 294 in 2017 and 328 the previous year, according to a new report from cybersecurity firm Bitglass.
- Tempering that piece of good news, however, was a more than twofold increase in the number of records breached between 2017 and 2018 — from 4.7 million to 11.5 million.
- At 45.9%, hacking and IT incidents accounted for the most breaches, followed by unauthorized access and disclosure (35.9%), loss or theft (15.5%) and other (2.8%).
Dive Insight:
Breaches cost healthcare organizations more than just lost revenue from service interruptions. Ransomware attacks exact huge sums to unlock encrypted systems, and HIPAA fines for compromised records can be hefty. Potential damage to brand image can also discourage new customers and send current ones in search of new providers or health plans.
Despite some progress, EHR vulnerabilities and underfunding for cybersecurity continue to put many health systems and other organizations at risk, oftentimes from their own employees.
Cybersecurity, privacy and security led healthcare leaders' concerns in a recent HIMSS survey, rating 5.69 on a seven-point scale with providers and 5.38 with vendors. The high level of shared concern among both groups could help to advance security efforts, the report noted.
The Bitglass findings echo a recent Protenus report, which showed a similar trend of fewer incidents but more records affected. That report counted 503 incidents affecting nearly 15.1 million records in 2018, versus 477 breaches and 5.6 million records the prior year.
In the Bitglass report, hacking and IT incidents not only led overall breach causes but also impacted a disproportionate share of people — 7.72 million, or 67% of all records compromised last year. Unauthorized access and disclosures, the cause of more than a third of breaches, impacted 23.9% of exposed records.
Meanwhile, the total cost of breaches climbed to $4.7 billion in 2018, up from $1.8 billion a year earlier. The average cost per breached record grew from $380 to $408.
On average, organizations took 255 days to identify breaches and 103 days to bring them under control — the second longest and longest, respectively, of any industry, according to the report.
Geographically, the incidence of breaches shows a strong correlation with state population. California and Texas had the most breaches in 2018, with 25 and 24, respectively. Double-digit numbers of breaches were also seen in Illinois (18), Florida (16), Massachusetts (15), Missouri (13), New York (12), Pennsylvania (10) and Iowa (10).
Six states had no reported breaches last year: Vermont, New Hampshire, Delaware, West Virginia, South Carolina and South Dakota.
"Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years," Bitglass CMO Rich Campagna said in a statement. "However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their systems."