A recent survey conducted by KMPG has revealed that 47% of healthcare organizations have experienced a HIPAA data breach in the past 24 months.
The last time the KPMG Cyber Healthcare and Life Sciences Survey was conducted in 2015, 37% of respondents confirmed they had experienced a data breach over the same time period.
70% of respondents said they had experienced at least one security breach due to an unplugged vulnerability being exploited by a malicious actor. 54% said they had experienced a malware incident, while 36% said at least one of their employees had responded to a phishing email resulting in the exposure of sensitive data.
Third-party companies or devices were implicated in breaches at 26% of organizations while one fifth of respondents said a breach had been caused by an insider.
Ransomware attacks have become much more common over the past two years. 32% of respondents said they had experienced at least one ransomware attack. Four out of ten respondents who were attacked with ransomware said they paid the ransom to unlock the encryption and regain access to their data.
While the number of data breaches has increased significantly over the past 2 years, organizations at least feel more confident about their ability to respond to HIPAA data breaches and mitigate risk. In 2015, only 16% of organizations said they felt prepared to deal with a HIPAA breach. This year 35% believed they were well prepared.
More than 100 InfoSec executives took part in the study, all of whom were working at healthcare providers or health plans with annual revenues in excess of $500 million.
Worryingly, this year’s survey showed a decrease in organizations that believe cybersecurity is a board matter, falling from 87% in 2015 to 79% this year.
KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated.”
There was also a fall in the percentage of companies that had invested in cybersecurity. In 2015, 88% of firms said they had made investments in security in the past 12 months, while this year the percentage has fallen to 66%. However, 76% of respondents said they were planning on investing in technology to improve their cybersecurity posture in the next 12 months and 83% were making improvements to their policies and procedures.
Technology is important, but so is skilled staff, yet only 15% of respondents believed higher quality staff – or an increase in staff numbers – was important to improve security posture. Only 41% of companies are planning on increasing bodies in their security teams over the next 12 months.
“A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” said KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Eber.