Each week we read about the number of breaches and cybersecurity attacks that cripple healthcare organizations. Now we are seeing articles and research about the impact cybersecurity breaches and attacks are having on the financial health of healthcare organizations.
All healthcare systems are conscious of the bottom line. Every year we spend weeks on annual budgetary planning and determining long-range fiscal needs. Why is it, then, that the cybersecurity plan for many organizations is an afterthought with little planning or budget?
I confess, I tend to find wisdom and insight in lyrics from various styles of music. While reading a research article about the topic of the financial impact of security breaches, a song kept running through my mind:
“Money, get back, I'm all right Jack, keep your hands off of my stack…
Money, it's a crime, Share it fairly but don't take a slice of my pie…”
While Pink Floyd put “Money” on the airwaves in 1973, the words still ring true today. “Keep your hands off of my stack” can refer to the hard-earned money organizations generate that could go to new service lines, more physicians, and better resources for treatment, to name a few. Yet healthcare organizations are having to pay out millions for security breaches.
The point is, the money going out due to cyber attacks and breaches affects future opportunities for the organization. So, what’s happening in the industry that calls me back to my Pink Floyd days?
Here are just a few of the examples:
- According to a July 2019 Ponemon Institute study, the cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average per breach
- The financial consequences of a data breach can be particularly acute for small and midsize businesses
- A major part of this rising cost is in fines and restitution. Quoting Susan Morse, Senior Editor at healthcarefinancenews.com, “Cyber-attacks affect the finances of every hospital and insurer like no other.” And the HHS Office of Civil Rights is stepping up breach enforcement of private health information.
According to Lisa Rivera, a partner at Bass, Berry and Sims law firm, what officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach. It's not perfection, it's reasonable efforts. It's going to require an investment up-front to see where data is located and education of the workforce.
Despite the number of breaches, healthcare has been behind other sectors in implementing security measures.
Going back to the Ponemon study, they found five factors that can positively affect the financial impact of a breach:
- Shorter detection times
- Number of compromised records
- Utilizing fully deployed security automation technologies
- Extensive use of encryption
- Vetting vendors and monitoring third-party access to reduce third-party breach impact
We know the concerns and outcomes from breaches and cyberattacks, and many healthcare systems are now devoting full-time staff to manage breaches as well as making financial investments in security automation technologies. Yet, there are some healthcare organizations today still doing business as usual when it comes to breach management and cybersecurity.
What HHS officials want to see is that the hospital has taken reasonable efforts to avoid a breach. What is reasonable effort? The quick answer is:
- Investing time, resources and yes, money, if necessary
Every one of us can make reasonable efforts to avoid a breach and avoid cyber-attacks. Not perfect, but reasonable.
Cybersecurity expert Tony Scott, Founder/CEO of Technical Financial Services, recently presented a webinar, “Tips for Winning the War on Cybersecurity,” where he shared the healthcare breach risk areas of greatest concern, as well as tips for how you can lower your risk for a breach. You can listen to the recording here.
If you want to learn more about solutions and ideas to help you with your reasonable efforts to avoid a breach, please contact me.