Ponemon Institute Research Reveals Majority of Healthcare Vendors Have Experienced a Data Breach Exposing Protected Health Information
Post Summary
According to Ponemon Institute research, 54% of healthcare vendors have experienced at least one data breach exposing protected health information (PHI).
The average cost of a healthcare vendor data breach is $2.75 million, with nearly 10,000 records exposed per breach.
55% of vendors say risk assessments are costly and time-consuming. 64% of vendors find risk assessment questions confusing and ambiguous. Static assessments become outdated quickly, with 59% of vendors reporting that assessments are obsolete within three months.
Automation: 61% of vendors believe workflow automation would streamline the process and reduce costs by up to 50%. Collaboration: Vendors and providers must work together to create transparent, effective policies and procedures. Frequent updates: Regularly updating assessments ensures they remain relevant in a rapidly changing threat landscape.
54% of vendors believe a single data breach would result in lost business and revenue. 28% of vendors report losing business after providers discovered gaps in their privacy and security practices.
Average Healthcare Vendor Breach Costs $2.75 Million and Exposes Nearly 10,000 Records; Most Vendors Would Not Notify Providers Immediately After Breach
BOSTON – (BUSINESS WIRE) – More than half of all healthcare vendors have experienced a data breach that exposed protected health information (PHI), and it’s a costly problem that points to broken third-party risk assessment processes, according to new data released today by the Ponemon Institute and Censinet®.
The report, ”Are Risk Assessments Failing to Secure the Third-Party Healthcare Ecosystem?”, conducted by Ponemon Institute and sponsored by Censinet, shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.
Additionally, 54 percent of healthcare vendors believe that a single data breach would result in lost business and revenues from the healthcare providers they sell to, while 28 percent of vendors say that healthcare organizations have chosen another service or solution after they discovered gaps in the vendor’s privacy and security practices. This may be why only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI.
“The overall process for managing risk assessments is severely broken in healthcare,” stated Ed Gaudet, CEO and Founder of Censinet. “As an industry we must empower vendors with the right tools and behaviors that give healthcare providers the level of transparency, security and confidence they need to protect their business.”
Many of the vendor respondents believe that healthcare providers do not fully embrace risk assessments to accurately measure and manage third-party risk. For example, nearly half (41 percent) of healthcare vendor respondents said that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies, and 42 percent say that providers do not require proof that the vendor complies with privacy and data protection regulations.
“Healthcare vendors and providers must move from simply checking a box to changing the culture,” continued Gaudet. “This is an industry-wide problem and as such we need a new, collaborative approach that makes it easy for healthcare vendors and providers to band together and take action, implementing policies, procedures and controls that reduce risk holistically.”
The Broken Process of Healthcare Risk Assessments
The research points to a fundamental failure of vendors and providers to work collaboratively to accurately measure third-party risk, largely because of the shortcomings of legacy risk management assessment processes. According to the research, 55 percent of vendors say that risk assessments required by healthcare organizations are costly and time consuming, with vendors spending an average of $2.5 million annually to fill them out. This may be because 43 percent of vendors are still using spreadsheet-based processes for risk assessments.
Despite the effort vendors expend completing risk assessments, it’s hard to determine how accurate they are because 64 percent of vendors believe risk assessment questions are confusing and ambiguous. Additionally, the rapidly changing threat landscape has made static risk assessments far less effective; 59 percent of respondents say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year. This may be why only 44 percent of vendors believe that risk assessments actually improve their security posture – a number that points to the misallocation of time and resources fueled by the need to check the box, rather than effectively mitigate risk.
“This research highlights many of the shortcomings in the risk assessment process and just how inadequate and ineffective industry certifications and frameworks are today for vendors,” stated Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.”
When asked about ways to improve the risk assessment process, healthcare vendors overwhelmingly turned to automation. According to the research, 61 percent of vendors believe that workflow automation would streamline the risk assessment process and 60 percent think workflow automation would make risk assessments more cost-effective. If the risk assessment process were automated, vendors believe that the costs incurred would be reduced by up to 50 percent.
To download the full report, please visit: https://censinet.com/ponemon-research-report-vendor-study/
For more information, please visit https://www.censinet.com.
About Censinet
Censinet provides the first and only third-party risk management platform built by and for healthcare providers to manage the threats to patient care that exist within an expanding ecosystem of vendors. With its unique Censinet One-click AssessmentTM capabilities and Digital Vendor CatalogTM, the Censinet Platform reduces the time to assess vendor risk from weeks to seconds, while automating inefficient workflows and providing continuous real-time insights into the changing risk profile of each vendor. Censinet is based in Boston, MA and can be found at https://censinet.com/.
About Ponemon Institute
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries. For more information visit https://ponemon.org/.
Contacts
Dan Gaffney
fama PR for Censinet
(617) 986-5036
censinet@famapr.com
###
Key Points:
What percentage of healthcare vendors have experienced a data breach exposing PHI?
- According to Ponemon Institute research, 54% of healthcare vendors have experienced at least one data breach exposing protected health information (PHI).
- Of these, 41% of vendors reported experiencing six or more breaches in the past two years.
What is the average cost of a healthcare vendor data breach?
- The average cost of a healthcare vendor data breach is $2.75 million, with nearly 10,000 records exposed per breach.
Why are current risk assessment processes failing in healthcare?
- Costly and time-consuming: 55% of vendors report that risk assessments are expensive, with an average annual cost of $2.5 million to complete them.
- Confusing and ambiguous: 64% of vendors find risk assessment questions unclear, leading to inefficiencies.
- Outdated assessments: 59% of vendors say risk assessments become obsolete within three months, yet only 18% of healthcare providers require updates more than once per year.
- Ineffective outcomes: Only 44% of vendors believe risk assessments improve their security posture, highlighting a misallocation of time and resources.
What are the consequences of ineffective risk assessments for healthcare vendors?
- Lost business: 54% of vendors believe a single data breach would result in lost business and revenue.
- Provider rejection: 28% of vendors report losing business after providers discovered gaps in their privacy and security practices.
- Increased costs: Vendors spend significant resources on risk assessments that fail to deliver meaningful security improvements.
How can the risk assessment process be improved?
- Automation: 61% of vendors believe workflow automation would streamline the process, reducing costs by up to 50%.
- Collaboration: Vendors and providers must work together to create transparent, effective policies and procedures.
- Frequent updates: Regularly updating assessments ensures they remain relevant in a rapidly changing threat landscape.
- Standardization: Simplifying and standardizing risk assessment questions can reduce confusion and improve efficiency.
Why is automation critical for improving risk assessments?
- Automation reduces the time and cost of completing risk assessments, making the process more efficient.
- It ensures assessments are updated regularly, keeping pace with the rapidly evolving threat landscape.
- Automated workflows eliminate manual errors and provide real-time insights into vendor security postures.
What is the ultimate goal of improving risk assessments in healthcare?
- To create a more secure third-party ecosystem that protects patient data and reduces the risk of breaches.
- To foster collaboration between vendors and providers, ensuring transparency and trust.
- To streamline the risk assessment process, saving time and resources while improving security outcomes.
- To enable healthcare organizations to adopt innovative technologies safely and efficiently.
