2019 is set to be a busy year for IT security professionals, especially those in healthcare. We dug into the most recent research on the healthcare cybersecurity threat landscape to see if we could create a “big picture” view of what healthcare providers and other entities covered by HIPAA/HITECH regulations will be facing.
In this post, we’ll break the picture down into two sections. First, we’ll look at the current threat landscape and how well covered entities are responding. Second, we’ll look at what happens after a breach, including the cost of remediation in healthcare and the OCR’s aggressive stance on non-compliance.
The Threats are Increasing; Healthcare Entities are Slow to Respond
The Ponemon Institute produces one of the best reports on the state of the cybersecurity threat landscape in its annual Cost of a Data Breach study. In the latest report, released in July of 2018, the average global probability of a material breach in the next 24 months had risen slightly to 27.9%.
Ponemon defines a material breach as a breach that involves a minimum of 1,000 lost or stolen records containing personal information. So, these breaches are not insignificant.
Also, keep in mind that this percentage represents successful breaches, not attempts. In Wombat’s 2019 State of the Phish Report, 83% of respondents said their organization saw phishing attempts in 2018. As if that isn’t disheartening enough, Wombat also ran simulations, sending phishing emails to employees of its client organizations. In healthcare entities, 13% of recipients clicked the link, and 6% went on to submit the requested data.
But phishing and other deliberate attacks aren’t the only threat healthcare entities face. Just under half (48%) of the breaches in the Ponemon study were the result of criminal or malicious intent; human error caused 27%, and system glitches the remaining 25%. Look through the OCR’s settlement files and you’ll find numerous breaches that fall into the latter two categories.
What’s even more concerning is how long it took healthcare entities to discover and contain these breaches. Ponemon breaks this down into two metrics:
Mean Time to Identify (MTTI) – The average time it took study respondents to detect that an incident had occurred.
Mean Time to Contain (MTTC) – The average time it took study respondents to resolve a situation and ultimately restore service.
At 255 days, healthcare had the second-highest MTTI of any industry; the cross-industry average was 197 days. Healthcare’s MTTC of 103 days was the highest of any industry, against an average of 69 days. Adding the two together, the healthcare entities in the study were leaving confidential records exposed for roughly 358 days, almost an entire year, between the start of an incident and its containment.
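The two metrics are easy to get wrong when you compute them for your own organization, most commonly by counting incidents that are still open as if they had been contained on day zero. The following Python script, an added illustration that is not part of the original post or of Ponemon’s methodology, computes MTTI, MTTC and the resulting exposure window over a set of constructed incident records. The records, identifiers and function names are assumptions for the example; open incidents are excluded from MTTC rather than counted as zero, and records whose timeline runs backwards are rejected.

```python
"""Breach-response metrics over incident records: mean time to identify
(MTTI), mean time to contain (MTTC) and the exposure window their sum
represents. Added example; incident data below is constructed, not real."""
from datetime import date
from statistics import mean
from typing import Optional

# Constructed incident records (illustrative only). Dates are ISO strings;
# "contained" is None for an incident still open at reporting time.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2018-01-01", "detected": "2018-05-01", "contained": "2018-06-01"},
    {"id": "INC-002", "occurred": "2018-03-01", "detected": "2018-11-01", "contained": "2019-01-31"},
    {"id": "INC-003", "occurred": "2018-06-15", "detected": "2018-12-13", "contained": None},
]


def _parse(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def validate(incident: dict) -> None:
    """Reject records whose timeline runs backwards. A detection date earlier
    than the occurrence date usually means the occurrence was back-filled
    incorrectly, and silently accepting it would produce negative dwell times."""
    occurred = _parse(incident.get("occurred"))
    detected = _parse(incident.get("detected"))
    contained = _parse(incident.get("contained"))
    if occurred is None or detected is None:
        raise ValueError(f"{incident['id']}: occurred and detected are required")
    if detected < occurred:
        raise ValueError(f"{incident['id']}: detected before occurred")
    if contained is not None and contained < detected:
        raise ValueError(f"{incident['id']}: contained before detected")


def mtti(incidents: list) -> float:
    """Mean time to identify: days from occurrence to detection, over all
    incidents (open ones have a detection date, so they count here)."""
    for inc in incidents:
        validate(inc)
    return float(mean((_parse(i["detected"]) - _parse(i["occurred"])).days for i in incidents))


def mttc(incidents: list) -> float:
    """Mean time to contain: days from detection to containment. Open incidents
    are excluded; counting them as zero would flatter the figure."""
    for inc in incidents:
        validate(inc)
    closed = [i for i in incidents if i.get("contained")]
    if not closed:
        raise ValueError("no contained incidents; MTTC is undefined")
    return float(mean((_parse(i["contained"]) - _parse(i["detected"])).days for i in closed))


def summarize(incidents: list) -> dict:
    """Report both metrics, the exposure window (MTTI + MTTC) and how many
    incidents were still open, so the reader knows what MTTC leaves out."""
    identify = mtti(incidents)
    contain = mttc(incidents)
    return {
        "mtti_days": identify,
        "mttc_days": contain,
        "exposure_days": identify + contain,
        "open_incidents": sum(1 for i in incidents if not i.get("contained")),
    }


if __name__ == "__main__":
    print(summarize(INCIDENTS))
```

For the constructed records above the script reports an MTTI of 182 days, an MTTC of 61 days (over the two contained incidents) and one open incident; compare those to the industry figures in the text to see where your own program stands.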
The High Cost of Remediation
Now, let’s turn to remediation, i.e., what happens after a breach is contained. Per capita costs were by far the highest in healthcare: $408 per record, compared with $206 for the next highest industry (financial services). Ponemon defines per capita cost as the total cost of the data breach divided by the size of the breach (the number of lost or stolen records).
Regulatory fines are part of that cost, and the OCR is aggressively pursuing complaints. In 2018, fines totaled $28.7 million, up 22% from 2017. The settlement with Anthem, Inc. alone was $16 million, nearly three times the previous record of $5.5 million set in 2016.
Keep in mind, however, that the OCR only settles a handful of cases a year (10 in 2018), so it’s unlikely that these fines skewed the results of Ponemon’s study. The majority of the cost more likely comes from mundane activities such as help desk staffing, communications, investigations, IT remediation, legal staff, product discounts, and other forms of compensation such as identity protection services.
Lost revenue is certainly a component of the cost of a breach, especially in healthcare, where repeat business is the norm (people tend to stick with providers they know and trust, i.e., “their doctor”). Abnormal churn is customer turnover above what an organization would normally experience. The Ponemon study put the abnormal churn rate at 3.6% for US entities, against a global average of 3.4%, with five industries seeing higher-than-average churn: healthcare 6.7%, financial services 6.1%, pharma 5.5%, services 5.2%, and tech 4.6%.
Data from a study published in the American Journal of Managed Care supports the industry’s lost-revenue concerns: hospitals increased their advertising spend by 64% on average in the year following a data breach and by 79% over the two years following a breach.
The Perfect Storm
Meteorologists describe a perfect storm as one resulting from a combination of factors that together create an abnormally damaging weather event. That’s pretty much what we see happening in the healthcare industry. In this case, the factors are:
1/ Cyberthreats continue to rise
2/ Healthcare providers are slow to respond
3/ Costs of remediation keep going up
Add to that mix the high cost of preparedness. IT security professionals are some of the hardest staff to recruit and retain. A study conducted by (ISC)², the world’s largest membership association of certified cybersecurity professionals, found that 84% of cybersecurity professionals were open to new employment opportunities in 2018, and 46% were contacted weekly by recruiters, whether or not they were actively looking for a job.
Here are some additional resources that may help you prepare for the coming storm:
White paper: HIPAA Managed Hosting
Case Study: ePreop – Managed Services and HIPAA Compliance on Microsoft Azure
Case Study: TCS Healthcare Technologies – A HIPAA Case Study
And, as always, if you would like to talk to one of our healthcare cybersecurity advisors, we’re here for you.