Healthcare security threats are ever-changing and ever-growing. And so are their associated costs. The costs of healthcare data breaches are among the highest of any industry. Each breach costs $380 per record — or $6.2B globally.
With 90% of hospitals reporting a breach, the risk of facing these costs is all too real.
Where do all these costs come from?
The costs of a breach are manifold. Healthcare providers pay large sums in data forensics, breach notification and monitoring, legal fees, HIPAA fines and post-breach cleanup. Implementing or hardening security systems is an additional cost that will have to be borne. In addition, there’s the added cost associated with loss of brand reputation.
Different types of breaches have different associated costs. While we tend to think of glitches and human error as being the main issue, malicious attacks are actually the most common – accounting for 52% of all data incidents in the US. And these types of attacks are associated with the highest costs.
Just how bad can a data breach be?
A recent Grey’s Anatomy episode showcased a healthcare provider’s worst nightmare. In the episode, a hacker took over the fictional Grey Sloane Memorial Hospital’s computer network, locking doctors out of patient records and taking control of building utilities, including HVAC and access.
Grey’s may be a work of fiction, but much of the episode was grounded in possibility. Lax wifi security, along with vulnerable network architecture and design, could result in a serious breach that puts not just patient privacy at risk, but patient lives as well.
Other factors that put healthcare systems at risk are compliance failure, non-secure cloud migration, third-party error and the theft or loss of devices. Together, these risk personal, medical, financial and operational data. Expensive equipment and the smooth performance of a healthcare facility are also at risk.
What can we do to protect our systems?
Healthcare providers need to take preventative measures around patient data and cybersecurity. They should invest in ongoing data protection strategies to help keep networks, devices and end-points secure. Security around patient portals and wifi systems is also essential.
Privacy should be built into all information architecture as an essential ground-up component, rather than as an add-on; examples include collecting only essential information, anonymizing it and encrypting it.
Healthcare providers should also have up-to-date incident response plans in place, as well as data encryption and data loss prevention measures. Employee training can also help reduce breaches.
While awareness of the problem is a start, healthcare providers need to proactively deal with the risk of data breaches. This means not only designing to handle known problems, but designing to avoid falling prey to emergent ones.
To do so, healthcare providers should invest not just in technology, but in a clear vision and strategy for their organization’s security.