Who doesn’t want to make a quick buck? Criminals certainly do, and that’s why they’ve set their sights on the information-rich healthcare sector, according to findings of the recently released Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute.

According to the Federal Bureau of Investigation (FBI), criminals are targeting the healthcare sector because individuals’ personal information, credit information and protected health information (PHI) are accessible in one place, which translates into a high return when monetized and sold. In fact, PHI records can fetch up to $60 to $70 each, as opposed to about $5 for credit cards, says Jim Trainor, second-in-command at the FBI’s cybersecurity division.

It’s no wonder, then, that the Ponemon study found criminal attacks are up 125 percent in the last five years and the new leading cause of healthcare data breaches. This represents a major shift of data breach causes from accidental to intentional as criminals increasingly target and exploit healthcare data—particularly medical files and billing and insurance records.

Healthcare Organizations Lack the Resources—And Motivation—To Prevent and Detect Attacks

Cyber criminals recognize that healthcare organizations do not have the resources, processes and technologies to prevent and detect attacks and adequately protect healthcare data. While there has been a slight uptick since 2010 in the investments healthcare organizations are making to protect healthcare information, it is not enough to address the rapidly changing cyber-threat environment.

In fact, half of all healthcare organizations and business associates have little or no confidence in their ability to detect all patient data loss or theft. This isn't surprising, since healthcare organizations and their business associates are a community of organizations that share vulnerable patient data. It's a community that provides a larger attack surface, and many points of access, for criminals who are becoming more adept at acquiring and exploiting personal information.

This lack of investment may be partly a reflection of organizational apathy. Only 40 percent of covered entities and 35 percent of business associates are even concerned about cyber attackers, the study found.

Patients Are the Real Victims of Criminal Attacks

Criminal attacks—and the resulting data breaches—harm more than “corporate victims,” as the FBI terms them. They also put patients at risk for medical identity theft. According to the Ponemon/Medical Identity Fraud Alliance 2014 Fifth Annual Study on Medical Identity Theft, medical identity theft nearly doubled in five years, from 1.4 million adult victims to more than 2.3 million in 2014. Many medical identity theft victims report they have spent an average of almost $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records. Yet, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data found that nearly two-thirds of healthcare organizations and business associates do not offer any protection services for patients whose information has been breached.

 Wake Up to the New Threats

The healthcare industry must accept and adapt to the new realities of criminal threats to patient data. According to CBS News, “a 2014 survey of healthcare technology professionals found half spent three percent or less of their technology budgets on cybersecurity.” The standard investment is 10 percent.

Tom Turner, EVP of sales and marketing at Bitsight Technologies, an organizations that rates companies on cyber security, told CBS News he is “absolutely” worried about the security of his own healthcare records. “Healthcare is absolutely performing at the bottom of the other industries,” Turner said. “If you’d like a letter grade for that, maybe a C or D.”

It’s easy to assign these low grades to Anthem-sized organizations. But the reality is that no healthcare organization, regardless of size, is exempt from attacks and resultant breaches. Middle-market organizations can have data breach risk exposure that is just as high as Fortune 500 companies when it comes to the value of their data assets and their potential for becoming targets of cyber criminals. For instance, regional insurer Premera Blue Cross is facing five class-action suits over a May 2014 breach resulting from a cyber-attack. An 18-bed county hospital in Illinois made news in December 2014 when hackers threatened to make 12,000-plus patient records public unless the hospital paid a ransom. And those are just a couple of examples. 

Security Incidents: The root of the Problem

We talk a lot about data breaches, but that’s only the proverbial tip of the iceberg. We need to examine the exponentially more common threat of privacy and security incidents—which can range from a lost thumb drive to missing paper files to what a recent BloombergBusiness article terms “sophisticated data attacks.”

While many organizations have experienced a data breach, security incidents are an everyday cost of doing business. For instance, the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data found that 65 percent of covered entities and 87 percent of business associates experienced electronic information-based security incidents over the past two years. Nonetheless, 56 percent of covered entities and 59 percent of business associates in the Ponemon study don’t believe their incident-response process has adequate funding and resources.

To truly mitigate the risk of criminal attacks and other threats to the privacy of patient data, we must accept their inevitability and plan accordingly. We can and must embed an effective incident-response process into the everyday operations of our organizations. Perhaps the most critical part of this is a consistent, compliant method for performing risk assessments—the process of determining if a security incident is legally a data breach that requires notification. Only then is it possible to plan a response strategy that best protects potential victims against identity theft and healthcare organizations from costly fines, class-action lawsuits, reputational harm and other collateral damage caused by greedy criminals.