IBM Says that 2015 is the “Year of the Healthcare Breach”

By Jonathan Krasner, Director of Business Development, HIPAA Secure Now!
Twitter: @HIPAASecureNow

At the end of the year all kinds of publications and organizations publish yearly summaries to review the events of the past 12 months. Much of the time this is positive publicity for a celebrity, firm, organization or industry. In this case, for healthcare, it is decidedly negative. Why has IBM made this proclamation? According to a company report just released, over 100 million records were compromised in the first half of 2015. In addition, “healthcare ranked #1 in terms of records compromised, with nearly 34 percent of all records compromised across all industries”. Part of this is due to the fact that breaches are up overall, and healthcare is receiving its “fair share” of the breaches committed. But there is more to it than that.

It turns out that cybercriminals are learning that medical data is the most lucrative data out there. It can be monetized in many different ways. CIO magazine says “health records are the new credit cards”. Reports vary, but the consensus is that a health record is worth 10 to 50 times what a credit card fetches on the black market. Also, according to a 2014 report from cybersecurity firm BitSight, the healthcare industry has been lagging behind when it comes to security effectiveness. The combination of valuable data and a lack of security effectiveness is why the healthcare industry is facing such a big crisis when it comes to securing electronic Protected Health Information (ePHI).

Cybersecurity Issues Can Affect Financial Standing

Moody’s, the credit rating firm, also recently came out with a report on a related issue – creditworthiness. Moody’s assigns credit ratings to organizations, which affect their ability to attract financing and the interest rate they pay on loans. According to Moody’s Jim Hempstead, “While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios.” Organizations are well advised to take a look at their cyber liability and take the necessary precautions, such as performing Risk Assessments and procuring a cybersecurity insurance policy.

Cost to Patients

Of course, the real cost of a data breach is borne by patients. According to Becker’s Hospital Review, the average cost of a HIPAA-related breach to an individual is about $19,000. These costs can show up in many different ways. Patients can suffer direct financial loss as a result of theft from bank accounts and credit cards. Credit ratings can also be damaged, resulting in significant time and expense on the part of the patient for remediation. Thieves will also use false medical records to obtain care. A Wall Street Journal article highlights the plight of Kathleen Meiners, whose son has Down syndrome and was the victim of exactly this kind of fraud. Ms. Meiners spent months fighting collection notices to fix his medical records.

Reputational Harm

A data breach can always come back to haunt a practice. HIPAA requires that all patients whose data has been breached receive notice. However, breaches involving more than 500 records must also be publicized and are listed on the HHS “Wall of Shame”. Almost half of the patients who participated in a Ponemon Institute survey said they would switch providers if their medical records were stolen. Here is a quote from one such patient, affected by a breach in Alabama: “You go into the doctor’s office trusting the doctor that you’re going to be taken care of, and then the next thing you know, all your personal information has just been thrown out into the wind,” said Jonathan Overbey, a patient affected by an incident at American Family Care. “Now I’ve got to spend a lot of time and trouble that I don’t have, in order to keep an eye on this,” said Overbey.

The Bottom Line

The bottom line on all this is that cybersecurity (or the lack thereof) can affect your bottom line. Don’t ignore the risks associated with protecting the medical data you are entrusted with. You already provide clinical care – provide the proper “record care” for the medical data in your practice to avoid potentially costly, undesirable outcomes down the road.

About the Author: Jonathan Krasner brings 25 years of IT and seven years of Healthcare IT, HIPAA and Meaningful Use experience to HIPAA Secure Now!, with positions held in account management, business development, strategic planning and consultative selling. This article was originally published on HIPAA Secure Now! and is republished here with permission.