A report from Software Advice finds evidence that some data in the healthcare industry isn’t secure, even though it’s more digitalized now than ever.
What happened
A new report from Software Advice, a business software review service, recently released some surprising information regarding healthcare data.
The company conducted an online survey of 296 respondents working in healthcare organizations. It excluded organizations that outsource 100% of their IT management or cybersecurity.
Collectively, the report determined that 87% of healthcare data is now stored digitally. While that’s not surprising, the bigger question is regarding its safety–especially as massive data breaches continue to be reported regularly.
The report found nearly half (42%) of the medical practices surveyed have experienced a ransomware attack at some point. 48% of those attacks directly impacted patient data. 27% of attacks directly impacted patient care, meaning they led to diversions, delays, or downtime.
Considering the critical nature of medical care, these issues can have lasting impacts on patients and the communities served. The report added, “For most businesses, downtime resulting from a cyberattack impacts production, profits, and even reputation–but when systems go down at a healthcare facility, medical records become inaccessible, devices malfunction, and critical procedures are delayed.”
Going deeper
The report discovered several other interesting statistics about the current state of healthcare.
For instance, 34% of healthcare organizations hit by an attack were unable to recover patient data. Many of these organizations regained data using backup systems, allowing the attacker to retain–and potentially sell–their protected health information.
Approximately 17% of organizations also paid a ransom to recover data, although 4% of the organizations were unsuccessful. In general, it’s advised that companies do not pay ransoms.
Perhaps most shocking is that 37% of healthcare organizations do not have a cybersecurity response plan. These plans generally include:
- A formal definition of a cybersecurity incident along with ratings and prioritization protocols
- Defined roles and responsibilities
- Documented communication protocols
- Reporting requirements and contact forms.
Without a cybersecurity response plan, organizations may be left with their wheels spinning, unable to act quickly when it is most critical.
Why it matters
With so much data now stored online, companies need to prioritize security and protection. Considering breaches have skyrocketed, and will likely continue to do so, companies must be prepared.
Many smaller organizations often think a breach is unlikely, but it’s still possible for these companies to be targeted or impacted by third-party breaches, accidental disclosures, and more.
Read more: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
