According to the Ponemon Institute, widely regarded as the pre-eminent research center dedicated to privacy, data protection and information security policy, 91 percent of all health care organizations and 59 percent of their business associates have experienced a data breach. In their recent Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data (sponsored by ID Experts), the Institute calculated a 125 percent growth in criminal attacks over the last five years.
While health care organizations have increased their investments in protecting their information, they have not kept pace with the growing threat of cyber attacks. The Benchmark study suggests “half of all health care organizations and business associates have little or no confidence that they have the ability to detect all patient data loss or theft.”
Data breaches not only put your patients at risk, they can cost your organization millions of dollars in HIPAA, state or FTC-levied fines. In fact, the Ponemon Institute cites that the average cost per individual record compromised in a data breach for health care organizations is $315.
So how can your organization manage its cybersecurity risk?
Jeff Short, senior attorney at Hall, Render, Killian, Heath & Lyman, insists that cybersecurity is an organization-wide responsibility, and that IT alone shouldn’t shoulder the burden. “Blaming IT for a data breach is sort of like saying an automobile accident is the mechanic’s problem,” Short says. “Mechanics, in most instances, couldn’t have done anything to avoid an accident. All they can do is make sure you have a functioning car that, when danger is presented, will react the way it’s supposed to react.”
By implementing meaningful training programs and fostering personal responsibility among all employees in regard to protecting patient information, you can create a culture that minimizes cybersecurity risk.
“The complexity of cyber or network risk is unique to each organization,” says John Peterson, practice leader for Aon, a Professional Risk Solutions group.
However, most health care organizations share a similar, sweeping vulnerability: they simply don’t have adequate resources, processes or technologies in place to protect the personal information in their care.
You can check your enterprise security program against a wide range of standards—from the Federal Information Processing Standards to the International Organization for Standardization—to ensure that you’ve implemented a comprehensive security program.
In an increasingly hostile cybersecurity environment, attacks and subsequent data breaches are inevitable. “You manage cybersecurity risk,” Short says. “You don’t control it, you don’t eliminate it, you manage it.”
One of the best ways to manage that risk is to be prepared. Assemble a team dedicated to managing the aftermath of a data breach that includes members of hospital administration, IT, the communications/public relations department, human resources and legal.
The faster you respond, the less likely you are to pay heavy fines.
The bottom line: by investing in cybersecurity, you not only protect your organization, you also protect the patients who have trusted you with their care and their information.
Learn more in this webinar on Cybersecurity for the C-suite: Managing Multifaceted Risks.