Healthcare industry out in front on data breaches
Two recent reports suggest that the healthcare industry suffers more data breaches than other industries, and that those data breaches tend to be more costly.
The Office of the Information Commissioner (OAIC) recently released its quarterly report on data breaches notified under the Privacy Act 1988. The report showed that healthcare is Australia’s leading sector for notifiable personal data breaches.
More than 20% of the 242 data breaches reported to OAIC in the quarter ending 30 June were suffered by health service providers. No other industry sector accounted for more than 15% of breaches.
The most common cause of breaches occurring in the healthcare industry was human error. 29 of the 49 breaches reported were attributable to human error and 20 to malicious or criminal attack. Interestingly, the healthcare industry was the only sector for which human error caused a majority of notifiable breaches – in all other industries, malicious or criminal attack was the leading cause.
The report also offers a breakdown of the types of human error which caused the data breaches in the healthcare industry. The most common were:
- sending personal data to the wrong recipient (particularly by email);
- insecure disposal of records;
- loss of paper records or data storage devices; and
- unintended publication of data.
Of the breaches attributable to malicious or criminal attack, the most common types were:
- theft of records or data storage devices;
- cyber attacks; and
- deliberate action by a rogue employee.
The cyber attacks on the healthcare industry mostly involved lost or stolen credentials (such as phishing or brute force attacks).
According to the data, most data breaches in the healthcare industry tend to be small scale – 22% of the reported breaches affected only a single person, and 69% affected fewer than 100 people.
The 2018 Ponemon Institute Cost of Data Breach Study also makes sobering news for the healthcare industry. The Institute’s annual survey collected details on data breaches from 477 organisations in Australia and across the world.
The study found that a data breach costs healthcare providers an average of US$408 per affected individual. This was more than two and a half times the average cost per individual across all industries of US$148. No other industry came close to the health industry in this statistic – a data breach in the second most expensive industry, financial services, cost an average of US$206 per record. This appears to be consistent with the OAIC’s finding that healthcare data breaches tend to be small scale – it stands to reason that a breach affecting 1,000 individuals will cost less per capita than a breach involving one or two individuals.
The health industry also led in churn rates – a measure of how many customers an organisation lost after a data breach. Health service providers reported losing 6.7% of their customer base following a data breach, almost double the overall average of 3.4%.
The data suggests not only that healthcare providers suffer more data breaches than any other industry, but that those breaches tend to be more expensive. This means that healthcare providers should be making information security, particularly the security of personal data, a priority, if only for financial reasons.
The Ponemon Institute study also includes findings on the most effective methods of reducing the cost of a data breach. The study found that the two factors which reduced the cost of a data breach more than any other were:
- having an incident response team, which enables the organisation to respond quickly to a data breach to control the extent of the breach and mitigate the harm that results; and
- the extensive use of encryption to protect data during storage and communication, meaning that even if an information system is compromised or a record is accidentally disclosed or lost, the risk of an unauthorised third party gaining access to data is greatly reduced.
Other measures which reduced the cost of a data breach included employee training, use of security analytics and obtaining cyber insurance.
Kennedys’ cyber and data protection practice can assist healthcare service providers in implementing preventative measures and in responding to a data breach.