Globally, healthcare was racked with more cybersecurity breaches than any other industry in 2018, accounting for 25% of 750 reported incidents, per law firm BakerHostetler’s latest report.
Hackers have put health records in their crosshairs: Health information was the second most at-risk type of data in cybersecurity threats. This trend was particularly evident in the US, where health firms suffered a record 365 data breaches in 2018, up from 2017’s high of 358.
Despite healthcare’s mounting cybersecurity threat, the industry’s security measures haven’t kept pace — painting a gloomy picture for 2019.
Here’s what it means: US health organizations aren’t bearing down on cybersecurity efforts — and they’re facing the costly consequences.
Health systems and hospitals are shirking industry cybersecurity standards. For example, conformance to HIPAA security rules fell from 74% in 2017 to 72% in 2018, according to a 2019 report from cybersecurity consulting firm CynergisTek.
The repercussions are costly: When breaches expose sensitive information, HIPAA privacy rules are violated — and health systems have to pay up. The US government doled out a new high of $26 million in HIPAA penalties in 2018. Moreover, health firms lose nearly 7% of their customers following a data breach — the highest of any industry.
The bigger picture: We expect another uptick in US health breaches in 2019 as counterefforts stagnate.
- Cybersecurity is no longer US health firms’ top priority. Privacy and security fell to health firms’ third-highest priority in 2018, down from first in 2017, despite the intensifying risk of attack. Given that conformance to HIPAA standards dipped in 2018 even while cybersecurity was the industry’s top priority, it’s unlikely that organizations will revamp countermeasures enough to move the needle on cybersecurity in 2019.
- Health firms have indicated that they’re reluctant to make security measures an investment priority. Leaders at US health firms say cybersecurity is underfunded primarily because the sophistication of cyberattacks increases at a faster rate than prevention capabilities, there are too many competing priorities, and the cost of countermeasures is too high. Moreover, health firms have called for a change to policy that would make HIPAA-compliant health firms exempt from the hefty government breach penalties, arguing that organizations that expect to be penalized regardless of whether their countermeasures are up to snuff may underinvest in security. If dollars allocated to cybersecurity can’t keep pace with the security threat, we’ll likely see a greater volume of breaches.