Recent ransomware cyberattacks are a wake-up call to the healthcare industry. The significant street value of stolen protected health information (PHI) makes the electronic healthcare industry a prime target. If your organization is the victim of this type of attack, the number of individuals affected may be massive and the costs overwhelming. Even worse, your organization's reputation may suffer irreparable harm.

According to the Ponemon Institute's 2017 Cost of Data Breach Study, the average cost of a data breach is $141 per record across all industries. In the healthcare industry, however, the average cost is $380 per record. The total number of records involved also drives the overall cost: the larger the breach, the higher the costs of notification and ongoing post-notification monitoring. Beyond the size of the breach, time to discovery has a significant influence on the outcome. Any delay in breach discovery, reporting, notification and monitoring worsens the adverse effects on the affected individuals.

The study identifies the top 3 factors to reduce per capita costs of a data breach:

1) presence of an incident response team
2) heavy usage of encryption
3) extensive employee training

What does this mean for your organization?

  • Incident Response Team
    The necessary personnel must be ready to respond to a security incident immediately. The team must address incidents originating both inside and outside the organization. Although hacking continues to be widely reported in the media, keep in mind that a healthcare data breach is more likely to result from the actions of an authorized user on the inside. Still, the sheer number of individuals that a single hacking incident can affect is what makes it the larger concern. The Office for Civil Rights (OCR) created a quick-response checklist for healthcare organizations faced with a cyber-related security incident. Be sure to incorporate these steps into your policies and procedures.
  • Encryption
    The organization should use every tool available to keep protected information secure both at rest (databases, backups, laptops, removable media) and in transit (TLS for every connection that carries PHI). Encryption lowers breach cost because PHI that was encrypted when lost, with the key not also compromised, is not "unsecured PHI" under HHS guidance and may not trigger notification; if the key is exposed along with the data, that protection is gone.
  • Employee Training
    All staff must receive appropriate security awareness training to understand the risks, vulnerabilities and threats to your organization. Just as importantly, each employee must know whom to contact the moment a potential breach is suspected.
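As a concrete illustration of the encryption bullet above, the following Go program is an added example for this page (it is not code from the original post or from the webinar authors). It seals a single PHI record with AES-256-GCM, an authenticated encryption mode, binding the patient identifier as additional authenticated data, and then shows that a tampered record or a record read under the wrong patient fails to decrypt rather than yielding silently corrupted data. The 32-byte key is a hypothetical stand-in for one supplied by a key-management service, and the patient record is constructed sample data, not real PHI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealPHI encrypts one PHI record with AES-256-GCM (authenticated encryption).
// A fresh random nonce is generated per call and prepended to the output; the
// patient identifier is bound as additional authenticated data (AAD) so that a
// ciphertext cannot be opened under a different patient's record.
func SealPHI(key []byte, patientID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst,
	// so the stored layout is nonce || ciphertext || tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(patientID)), nil
}

// OpenPHI reverses SealPHI. Any modification of the stored bytes, a wrong key,
// or a mismatched patient ID makes the GCM tag check fail and returns an error.
func OpenPHI(key []byte, patientID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("stored record is too short to be a valid ciphertext")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	pt, err := aead.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		return nil, errors.New("record failed authentication (tampered, wrong key, or wrong patient)")
	}
	return pt, nil
}

// newAEAD builds an AES-256-GCM instance; the key must be exactly 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Hypothetical key: in production this comes from a KMS/HSM, never from source.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"MRN-000123","dob":"1970-01-01","dx":"J18.9"}`)

	sealed, err := SealPHI(key, "MRN-000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (nonce+ciphertext+tag)\n", len(sealed))

	pt, err := OpenPHI(key, "MRN-000123", sealed)
	fmt.Printf("decrypt with correct key/patient: %q err=%v\n", pt, err)

	// Flip one bit of the stored record, as disk corruption or tampering would.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenPHI(key, "MRN-000123", tampered)
	fmt.Println("decrypt tampered record:", err)

	// Try to read the record under another patient's identifier.
	_, err = OpenPHI(key, "MRN-000999", sealed)
	fmt.Println("decrypt under wrong patient:", err)
}
```

The design choice worth noting is authenticated encryption: a plain block cipher mode would decrypt a tampered record to garbage without complaint, whereas GCM refuses it. The caveat is that this only protects data the attacker obtains without the key; a ransomware operator who also captures the key, or an insider using an application account that is authorized to decrypt, still reads PHI in the clear, which is why key management and access monitoring belong alongside the encryption itself.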


For further information on these topics, please view our educational webinars:

Is this a HIPAA Breach: If So, What Now?

HIPAA Security: Monitoring Access, Incident Management and Detection