How serious is it if your company experiences a data breach? (In the healthcare world, a data breach is when a patient's name together with their medical record and/or their financial information is exposed to unauthorized parties, whether through an accident or through theft.)
It's serious business. A recent report by The Ponemon Institute, a research firm that studies data privacy and security, estimates that the average cost of a data breach in the healthcare industry is $359 per breached record. On that average, if a physical therapy business experiences a data breach that compromises 1,000 of its patient records, it can expect to spend roughly $359,000 addressing the consequences of the breach.
This figure includes direct costs such as engaging forensic experts and providing free credit monitoring subscriptions, as well as hidden costs like in-house investigations, internal and external communications, and the estimated value of the patients who move to another provider as a result of the breach.
The long-term effect on attracting and retaining patients cannot be ignored. Consider retail giant Target, which experienced a theft of 40 million credit and debit cards and personal information of 70 million people during the 2013 holiday shopping season. Following that data breach, Target reported its worst fourth-quarter financial performance in its reporting history and replaced its CEO, a 35-year company veteran.
Retailers are attractive targets for criminals because they store so much credit card information. But healthcare data is considered the crown jewels for cybercriminals: a stolen payment card can be cancelled and reissued, while a medical history cannot. Because the industry is so highly regulated, with mandatory breach notification and potential fines, healthcare is also the most expensive industry for data breaches. At $359 per record it is more than twice as costly as the cross-industry average of $145.
Reducing Data Breach Costs
The Ponemon report estimated that 94% of healthcare organizations have experienced at least one breach. Imagine that your system was hacked, or that an employee misplaced a mobile device holding confidential patient data. How strong would your security position be?
The Ponemon report also identified three factors that measurably reduce the per-record cost of a breach. The following are 3 steps your business can take before a breach happens to decrease its cost:
- Make sure you have a strong "security posture": the overall state of your company's defenses, including its policies, controls, staff training, and how consistently they are applied
- Prepare an incident response plan in advance, so that when a breach occurs you already know who to call, what to contain first, and who must be notified
- Appoint a CISO (Chief Information Security Officer); smaller firms that do not need a CISO should ensure that their Chief Information Officer or head of IT keeps up to date on cyber threats and best practices for dealing with them
Healthcare providers are required by HIPAA regulations to comply with its patient privacy and security rules. You can learn more about privacy and security, and access useful resources, at the HealthIT.gov site. The Health Information Privacy and Security: a 10 Step Plan provides an easy-to-follow guide to the steps you should take to secure patient information. If you have more time, the site has also used "gamification" to create an online game that lets you earn points and badges by making smart choices about privacy and security in a model medical practice.
Read more about IT security in healthcare in our recent post, Get “HIPAA Serious” about Information Security.