42% of Healthcare Organizations Have Not Created an Incident Response Plan

Hacks, ransomware attacks, and other IT security incidents account for most data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights; however, data breaches involving physical documents are also prevalent. The Verizon Data Breach Investigations Report revealed that compromised physical files accounted for 43% of all data breaches in 2021, which shows the need for data security measures covering all types of data.

The healthcare sector is heavily targeted by cybercriminals, and cyberattacks surged during the COVID outbreak. Healthcare cyberattacks increased by 73% in 2020, with those breaches exposing 12 billion pieces of protected health information (PHI), according to the 2021 Data Protection Report just released by Shred-It.

The report is based on an exhaustive survey of C-level executives, small- and medium-sized company owners, and consumers throughout North America, and identifies a number of areas where businesses could strengthen their defenses against external and internal threats.

Healthcare data breaches are the most expensive of any sector. The average cost is $9.23 million per incident, and data breaches such as ransomware attacks put patient safety in danger. 62% of healthcare companies stated they thought a data breach could be costly, with 54% stating a data breach could have a big impact on their reputation. 56% of surveyed healthcare companies said they have already suffered a data breach, and 29% stated they had experienced a data breach in the last 12 months.

Because they must comply with HIPAA, healthcare providers were better prepared than other sectors to stop and handle security incidents. About 65% of surveyed healthcare companies say they have the proper information security software and resources. Although the healthcare sector was more likely than any other sector to have an incident response plan, 42% of survey respondents said an incident response plan had not been implemented, even though having an incident response plan was shown to reduce the recovery time and minimize the cost of a data breach.

75% of healthcare organizations stated data security is a leading priority at their company, and 61% said they have employed a third-party security professional to assess their security protocols. Nonetheless, only 64% use information security policies, under half (48%) conduct regular infrastructure auditing, and just a third (33%) carry out vulnerability checks.

The survey showed 22% of data breaches were due to errors by workers. The greatest obstacles to employees adhering to data security policies and protocols were:

  • 49% – insufficient understanding of the threats and dangers
  • 41% – lack of access to, or understanding of, policies
  • 10% – lack of regular training and security awareness programs

Though the healthcare sector is better prepared than some other sectors, the survey indicates there is substantial room for improvement. Shred-It recommends that healthcare firms create a detailed plan covering all information, adopt a data minimization approach, take advantage of the cloud, invest in endpoint detection and response solutions, develop an incident response plan, and encrypt all data on-premises, in the cloud, and in transit.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone