$6.2 billion.

That’s the new estimate of how much data breaches cost the health care industry annually, according to a new study by the Ponemon Institute. What’s more, despite the increased frequency of breaches, the study found that “many organizations lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes, and other dangers.”

These are among the wide range of findings in Ponemon’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Published in May 2016, the new report brings updated insight to the research firm’s annual study of cybersecurity in today’s health care sector.

One of the key reasons for the incredible increase in the number of breaches in health care is that every year cyber criminals’ capabilities increase. Meanwhile, health care organizations’ cybersecurity efforts are not keeping up with cyber threats due to limitations in budgets, resources, technical capabilities and C-suite support.

Based on the findings, it’s not surprising that the vast majority of respondents agree that health care organizations are more vulnerable to data breaches than other industries.

Annual Health Care Security Study’s Key Findings

  • Nearly 90 percent of health care organizations had a data breach in the past two years.
  • Nearly 50 percent had more than five data breaches in the past two years.
  • The majority of the breaches were small, containing fewer than 500 records.
  • The average cost of each data breach is estimated to be more than $2.2 million.

This is the second year that the Ponemon study has included business associates, those organizations that provide services on behalf of healthcare organizations that involve the use or disclosure of protected health information. The inclusion of organizations such as pharmaceutical firms, IT software providers, claims processors, transcriptionists and medical device companies provides additional insight into the challenges to information privacy and security that the health care industry is facing.

The report shares insights on several topics related to cybersecurity in the health care sector, including the root causes of security breaches.

Top Five Root Causes of the Data Breaches

Rank  Healthcare Organizations             Business Associates
#1    Criminal Attack (50%)                Unintentional Employee Action (55%)
#2    Third Party Snafu (41%)              Third Party Snafu (52%)
#3    Stolen Computing Device (39%)        Criminal Attack (41%)
#4    Unintentional Employee Action (36%)  Stolen Computing Device (33%)
#5    Technical Systems Glitch (29%)       Technical Systems Glitch (24%)


“When we first started doing this survey six years ago, the negligent or careless employee was the … most significant threat [for the healthcare organization]. Now it’s the criminal,” stated chairman Larry Ponemon, as reported by Healthcare Info Security.

For business associates, however, the negligent or careless employee remains the most significant threat. And healthcare organizations reported that the #1 root cause of medical identity theft resulting from a breach was an unintentional employee action!

Health Care Entities “Not Vigilant”

The survey also examined the issue of accountability around protecting patient information.

Top 4 reasons healthcare organizations and their business associates believe they have a target on their backs

Reason                                                                                                    Healthcare Organization  Business Associate
Health care organizations are not vigilant in ensuring their partners and other third parties protect patient information  51%  32%
Healthcare organizations are not hiring enough skilled IT security practitioners                           44%  42%
Healthcare organizations are not investing in technologies to mitigate a data breach                      41%  50%
Healthcare employees are negligent in the handling of patient information                                 35%  54%


Among the findings related to accountability issues are:

  • 3 out of 5 health care organizations and business partners either don’t think, or are unsure, that their organization’s security budget is sufficient to curtail or minimize data breaches.
  • 1 out of every 2 healthcare organizations does not believe its incident response process has adequate funding and resources.

New Assets and New Threats

New assets creating, receiving, maintaining and transmitting PHI are causing organizational headaches: mobile devices, mobile apps, public cloud services and employee-owned mobile devices (BYOD) are now at the top of the list of organizational concerns, especially when combined with the fear of negligent or careless employees.

Security threats healthcare organizations worry about most

Threat                         Share of organizations
Employee Negligence            7 out of 10
Mobile Device Insecurity       1 out of 3
Use of Public Cloud Services   1 out of 3
BYOD                           1 out of 4
Insecure Mobile Apps           1 out of 5


45% of healthcare organizations are worried about cyber attackers. One out of every two healthcare organizations and business associates is worried about denial of service (DoS) attacks, followed by ransomware and malware.

Fighting back?

Despite the worries, the conduct of a risk analysis is neither assured nor predictable. “The majority of organizations assess vulnerabilities to a data breach, but it is a rare event.” Of the healthcare organizations that say they assess vulnerabilities (60%), less than half (43%) admit there is no regular schedule.

You might think that, in the face of increasing cybersecurity threats and costs of breaches, a growing number of health care organizations would be implementing more powerful defense measures, starting with a bona fide risk analysis as recommended by HHS. Required by the Security Rule (§ 164.308(a)(1)(ii)(A)), a risk analysis is the first step in identifying and implementing safeguards to protect the privacy and security of PHI. Not once and done, but every time operations, technology, or processes change.

Contact us today for more information about how we help organizations to build and improve their cybersecurity and information risk management programs.
Clearwater Compliance

Clearwater Compliance helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.