$5.6 billion. $5,600,000,000. Seeing the amount, instead of just reading the amount, gives it more meaning — at least to me it does. That rather large number is how much privacy breaches cost the healthcare industry annually. Each healthcare organization spends almost $2 million ($2,000,000) over a 2-year period to address attacks. The most troubling trend is that attacks on healthcare organizations are on the rise and expected to continue.
Earlier this year, Health Data Management invited eight top-level hospital representatives to a roundtable in New York to discuss how healthcare organizations can combat privacy threats. During this session these experts shed light on the biggest threats to patient privacy and what they’re doing to safeguard medical records.
Why is healthcare susceptible to attacks?
There are several reasons:
- Healthcare technology has lagged.
- The massive amounts of data, and the robustness of the PHI available, have made healthcare information targets for hackers.
- Education — Staff is still vulnerable to phishing attacks. And the phishing attacks have become more sophisticated. It’s no longer clicking a link to claim long lost money from a distant relative. It’s an email from your Manager, Vice President, or CEO asking you to look into a critical issue (that happens to require your credentials in order to log in).
- Business vs. balance — healthcare isn’t in the security business and your care providers don’t have time to jump through hoops in order to access patient data.
- Business vs. budget — some of the mitigation tools are expensive and it can be difficult to justify spending the money to prevent something that hasn’t happened to your organization.
- Security can be an afterthought on both sides.
- Products are being developed and released with security of the data not being a priority.
- Healthcare tends to be reactive and applies the security band-aid as needed. For 40% of hospitals, security is a part-time position.
Policies, Procedures, and Technology
Patient privacy and security need to be ingrained in all aspects of your organization. There are three elements of any patient privacy compliance program that reduce the risk of a data breach and provide a solid foundation for security and patient privacy — Policies, Procedures, and Technology.
- Policies: Perform account hygiene regularly to review users’ roles and access to PHI.
- Procedures: Continually communicate and educate the staff on your privacy and security procedures to enforce the conditions stated in the privacy policies.
- Technology: Apply technology to automate patient privacy monitoring and proactively find insider snooping and privacy breaches. Iatric Systems Security Audit Manager has an array of reports — proactive, behavioral, and medical identity reports that detect potential instances of inappropriate behavior.
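As an added illustration (not Iatric Systems code and not the logic of Security Audit Manager), the checks below run over constructed EHR access-audit records: a proactive/behavioral check that flags accesses with no treatment relationship outside the user's home unit and same-last-name lookups, plus an account-hygiene check for accounts that still hold PHI access but have gone dormant. The staff directory, record layout and thresholds are assumptions.

```python
"""Toy privacy-monitoring checks over constructed EHR access-audit records.

Added illustration, not vendor code: flags accesses with no treatment
relationship, same-last-name lookups (a common snooping indicator), and
dormant accounts that still hold PHI access (account hygiene).
"""
from datetime import datetime, timedelta

# Constructed sample data: a staff directory and access-audit records.
STAFF = {
    "jdoe":   {"last_name": "Doe",   "unit": "ICU",      "phi_access": True},
    "asmith": {"last_name": "Smith", "unit": "Oncology", "phi_access": True},
    "rlee":   {"last_name": "Lee",   "unit": "Billing",  "phi_access": True},
}
AUDIT = [
    # (timestamp, user, patient_id, patient_last_name, patient_unit, care_relationship)
    ("2023-03-01T08:02:00", "jdoe",   "P100", "Garcia", "ICU",      True),
    ("2023-03-01T12:40:00", "jdoe",   "P207", "Doe",    "Oncology", False),  # off-unit, same surname
    ("2023-03-02T09:15:00", "asmith", "P207", "Doe",    "Oncology", True),
    ("2022-10-12T16:00:00", "rlee",   "P300", "Nguyen", "Billing",  True),
]

def flag_suspicious_accesses(audit, staff):
    """Return (user, patient_id, reason) tuples for accesses a privacy officer should review."""
    findings = []
    for _ts, user, pid, p_last, p_unit, related in audit:
        s = staff[user]
        # Behavioral check: no documented care relationship and outside the user's own unit.
        if not related and s["unit"] != p_unit:
            findings.append((user, pid, "no treatment relationship, outside home unit"))
        # Proactive check: user shares a surname with the patient (possible family/self lookup).
        if s["last_name"].lower() == p_last.lower():
            findings.append((user, pid, "same last name as patient"))
    return findings

def dormant_phi_accounts(audit, staff, as_of, max_idle_days=90):
    """Account hygiene: users who keep PHI access but have not used it within max_idle_days."""
    last_seen = {}
    for ts, user, *_ in audit:
        t = datetime.fromisoformat(ts)
        last_seen[user] = max(last_seen.get(user, t), t)
    cutoff = as_of - timedelta(days=max_idle_days)
    # Accounts with PHI access and no recent activity (never-seen accounts count as dormant).
    return sorted(u for u, s in staff.items()
                  if s["phi_access"] and last_seen.get(u, datetime.min) < cutoff)

if __name__ == "__main__":
    for finding in flag_suspicious_accesses(AUDIT, STAFF):
        print("REVIEW:", finding)
    print("dormant PHI accounts:", dormant_phi_accounts(AUDIT, STAFF, datetime(2023, 3, 3)))
```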
Protecting PHI is not just about data — it’s the personal history of an individual, and represents a bond of trust between the patient and the hospital entrusted with their data. A hospital’s ability to maintain that trust is vital to its image, reputation, financial success, and longevity. It is not only the $5.6 million in costs associated with a breach that you need to consider, but also the cost when intangible assets are compromised.