Cybersecurity is considered as a key business risk by most healthcare organizations not just because of its potential impact to the organization’s bottom line, but also because of the many distractions caused by a cybersecurity incident.
Cybersecurity is about maintaining the confidentiality of sensitive information. According to the 2018 IBM/Ponemon Cost of Data Breach report, the cost of a breached healthcare record is at a highest point ever at $408 per record. This cost includes items such as legal fees, incident response, notification costs, loss of reputation and business, etc. If you take the example of a clinic with 20,000 individual records in its Electronic Health Record system, a data breach could add up to a whopping $8M.
In addition, a data breach will have to be reported to the Office of Civil Rights (OCR) and may lead to additional scrutiny. Following a complaint investigation or compliance review, the OCR can negotiate resolution agreements requiring covered entities to take needed corrective action to comply with HIPAA Privacy and Security. As stated on the U.S. Department of Health & Human Services’ website, “these agreements can be far-reaching, statewide agreements that call for a systemic change in the way a state does business.”
In addition to financial costs and internal churns, healthcare organizations must face the impact to patients — real people in their community who can be preyed upon and have their identity stolen and medical situation exposed. People who need medical treatment should not have to deal about that.
But Cybersecurity is not just about confidentiality, it is also about maintaining the integrity of the information and keeping the systems up and running to facilitate patient care. A compromised system can also mean that real physical harm can be done to patients. Infusion pumps, pacemakers, MRI, heart monitors, and other medical devices have already been hacked. The trend of connecting medical devices to the network has increased dramatically these past years, thus increasing the exposure to cyber threats. Although the U.S. Food and Drug Administration (FDA) has released guidance about securing medical devices, this is, unfortunately, not a focus area for most healthcare organizations because of a lack of resources available to help.
Finally, compliant is not secure. It is not enough to be “compliant with HIPAA” to keep data secure. Compliance is being able to demonstrate that an organization has taken sufficient steps to meet the intent of the regulation at a certain point in time. Being secure is a journey that starts by being aware of the long road ahead, and then taking increment steps to be better, every single day.
If you are looking for help in that domain, please contact us and let’s start a discussion on how to better protect your organization.
Gui Cozzi, Cybersecurity Practice Lead at Dean Dorton. He can be reached at gcozzi@ddaftech.com.