Many healthcare organizations rely primarily on their IT departments to prevent data breaches. C-suite leaders are apt to congratulate themselves if their security systems pass so-called “penetration tests” with flying colors. But here’s the bad news: only 8% of the data breaches listed on Health & Human Services’ “Wall of Shame” are due to hacking. That means that 92% of data breaches come in the form of simple yet costly human errors: losing a laptop, taking a coffee break without locking down a keyboard, and so on.
These aren’t the kind of data breaches that make national news, like the ones that occurred recently at Target and Neiman-Marcus. But they carry some very serious costs that can run into the millions, ranging from the obvious (legal/regulatory penalties, remediation, class-action lawsuits) to the unforeseen (such as major disruptions to clinical and operational performance or lost business due to reputational damage).
It’s in every healthcare IT department’s best interest to alert senior management to the non-technical security gaps that exist – and to get the funding needed for a thorough organization-wide security risk analysis. In recent months, the Office for Civil Rights has imposed corrective action plans and settlements on healthcare organizations including WellPoint and Affinity Health. The common denominator in all these actions: none of the organizations had conducted a security risk analysis.
Here are some of the dangers that can be mitigated by a comprehensive risk analysis:
Mistakes made by your business associates – HIPAA’s expanded privacy, security and breach notification rules now apply to a healthcare organization’s many business associates – all the vendors and service providers who could potentially compromise patient data. Last year, business associates were responsible for disclosing nearly 13 million patient records.
Inadequate control of company laptops and mobile devices – If your organization loses a laptop containing 5,000 patient records and there’s a resulting data breach, the costs can easily reach seven figures. And that doesn’t include the harder-to-calculate costs of lost business or lost productivity.
Overnight damage to your organization’s reputation – In the wake of its highly publicized data breach last holiday season, Target’s first quarter 2014 profits dropped a whopping 46%. And the reputational damage can be just as severe in healthcare. For example, when one of the nation’s leading healthcare providers recently notified the media of a data breach, a competitor ran a full-page ad the next day heralding its own data security strengths.
Angry patients filing class-action lawsuits –A study by Temple University’s Beasley School of Law found that the average settlement award in data breach class-action suits is $2,500 per plaintiff, with mean attorney fees of $1.2 million. Sometimes those costs rise even higher, as in the $1 billion lawsuit filed in 2011 against Sutter Health.
Cyber-liability insurance is shockingly expensive – Some healthcare organizations feel that cyber-liability insurance is a fail-safe Plan B. But annual premiums are in the $200,000 range, with deductibles as high as $500,000. For a tiny fraction of that amount, you can do a rigorous risk analysis – and perhaps avoid this costly coverage entirely.
Data Security Is A Shared Responsibility
Every healthcare technology executive has the responsibility to tell senior management that data security involves much more than firewalls and encryption. No matter how safe your system is from wily hackers, your organization can still wind up on the HHS Wall of Shame due to completely avoidable human errors.
The best way to avoid that is to conduct a thorough security risk analysis and make it the cornerstone of your data security program. Preventing data breaches isn’t solely an IT issue. It’s an organization-wide responsibility that should be a top priority with everyone in human resources, compliance and the C-suite.
Bob Chaput, CISSP, HCISPP, CIPP, is CEO of Clearwater Compliance, a HIPAA/HITECH advisory firm in Brentwood, Tennessee.