14 Aug 2019
Your organization’s finances can be affected by a variety of factors; everything from client engagement to marketing is critical to consider. But most recently, studies have shown that the most important issue for healthcare providers may also be the one you are least prepared to address: cyber attacks. As of July 30, 2019, the average cost of a breach in healthcare systems is about $408 per patient record, which doesn’t take into account the impact it can have on business, productivity, and your organization’s reputation. Lisa Rivera, a partner at healthcare security firm Bass, Berry and Sims, reports that estimates of annual costs to the healthcare industry can reach up to $5 billion. In the past, the Department of Health and Human Services’ Office of Civil Rights has issued fines to resolve these breaches; in 2018, those resolutions totalled $28 million. The fines are meant to ensure that the affected hospital or insurer takes the appropriate steps to remedy problems caused by the cyber attack and bolsters its defensive capabilities to protect against another breach.
A Sitting Target

Hospitals are a particularly attractive target for attackers purely because of the nature of their information. According to Rivera, healthcare experiences more cyber attacks than any other business sector because clients’ health information is more valuable on the dark web. And yet despite the number of breaches, healthcare lags behind the other sectors when it comes to taking security measures. Whereas other business sectors put about 15% of their IT budget into cybersecurity, the average healthcare budget ranges between 4% and 7%. Why might this be? Many hospitals are still struggling to make the transition to electronic record systems. The push began with government incentives for the transition, but hospitals faced countless upgrade options with little experience in carrying them out, and as a result, hospitals’ cybersecurity systems are more likely to be outdated or more vulnerable than most.
Know Your Worth

The most effective way to cut costs and avoid crippling fines is, of course, to prevent security breaches. But that’s much easier said than done, so how exactly can you make it happen? Preventing a cyber attack means identifying and responding to it as soon as possible. That means constantly conducting software updates and system checks, being able to determine if certain data has been tampered with, and blocking criminal contact with your organization’s systems. Because the first thing the Office of Civil Rights recommends is a risk assessment, our HIPAA Risk Assessment is a comprehensive, proactive place to start. This service evaluates all levels of your organization, including:
- Risk Management — Evaluate information and resources to ensure the capability to make risk management decisions
- Policy and Procedures — Ensure policies and procedures follow best practices and are properly implemented
- Infrastructure Security — Ensure workstations, services, and servers meet best-practice security standards
- Network Security — Ensure the network is secure and properly monitored
- Data Security — Ensure all PHI and data are secure and protected