The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity and reputation.
Cyber attacks affect the finances of every hospital and insurer like no other.
“I’ve seen estimates of over $5 billion in costs to the healthcare industry annually,” said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. “That’s enormous and is not going away.”
Beyond the cost of remediating breaches and settling any civil complaints, there are fines from the Department of Health and Human Services Office of Civil Rights. In 2018, OCR issued 10 resolutions that totalled $28 million.
The HHS Office of Civil Rights is stepping up breach enforcement of private health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor handling civil and criminal investigations for the Department of Justice.
What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.
“There is no perfect cybersecurity,” Rivera said. “They say it’s not perfection, it’s reasonable efforts. That’s going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents.”
“Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information,” Rivera said. “It’s more valuable on the dark web.”
It’s also not easily fixed.
If an individual’s credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.
Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.
Hospitals are behind, first, because it is a challenge to keep up with the move toward more information being held in electronic form.
“There’s no hospital that doesn’t have mobile EHR information,” Rivera said. “Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks.”
Also, the focus of healthcare has always been patient care. The population health explosion, too, involves the sharing of information.
And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.
The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.
Hospitals should be able to determine where certain data goes off the rails, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.
“You don’t want to learn about a data breach because the FBI saw it on the dark web,” Rivera said. And some hospitals have.
It’s a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It’s like locking down doors and windows.
The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.
Prices for other cybersecurity measures vary widely, from a software purchase that could run into the millions to ongoing vendor monitoring.
But the cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation and the service disruption.
Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.
THE LARGER TREND
OCR enforcement activity during 2018 demonstrates the agency’s continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.
Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise; implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing private health information is security compliant.
The OCR concluded 2018 with an all-time record year for HIPAA enforcement activity. The OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016.
In addition, OCR also achieved the single largest individual HIPAA settlement of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.