With a plethora of studies and articles maintaining that the healthcare industry is behind when it comes to security, many healthcare organizations are re-evaluating the resources being used for patient data security. And, of course, the board of directors is very influential when it comes to decisions associated with the privacy and security of patient data.
Some of our previous posts have explored the more personal side of healthcare data breaches, examining why criminals steal electronic health records (EHRs) and how this affects patients. In this post, we are going to take a step back and look at the bigger picture, examining threats from the perspective of the board of directors and why it’s imperative for them to gain a thorough understanding of the looming threats to their organization's EHR.
Knowledge is Power: Understanding the Situation
One of the first steps a board of directors can take is to gain an understanding of what the true threats are to their EHR systems. Armed with this information and knowledge of the possible repercussions of a data breach, they can make more informed decisions regarding patient data security within their organization.
And these repercussions can be costly. In its 2016 Cost of a Data Breach Study: Global Analysis, Ponemon Institute found that the estimated cost of a data breach across multiple industries is $4 million and that healthcare breaches are, on average, more expensive than other types, costing approximately $402 per affected record.
Nevertheless, even after a healthcare organization has paid the short-term costs of a data breach, such as notifying customers, conducting a forensic investigation, and paying any HIPAA fines, it will continue to feel the aftereffects of a breach in the form of reputational losses and customer churn. Lost business is the single largest cost of a data breach: customer losses, “reputational losses and diminished goodwill” cost an organization approximately $3.97 million. This number comes from an examination of multiple industries, but due to the sensitive and personal nature of the information involved, healthcare organizations experience higher rates of customer churn. According to Ponemon Institute, customer churn increases by 6.7% in the wake of a healthcare breach, second only to financial breaches (7.3%) and over three times greater than the customer churn experienced by retail (2.2%).
Finally, the board members themselves may feel the effects of a security incident. In the wake of the massive breach of Target Corporation, an oversight committee recommended that the board members be replaced because, it was asserted, they did not take adequate measures to protect their customers’ information and 40 million people paid the price. This example demonstrates that the role of the board now extends beyond merely managing cyber risk: it is also being held liable for not taking appropriate steps to minimize those risks.
Data Breaches in the Real World
To put things in more practical terms, here are some real-world examples of how much healthcare data breaches can cost:
- New York-Presbyterian Hospital and Columbia University suffered a data breach in September 2010 that affected 6,800 patients. The two organizations reached a settlement with the HHS Office for Civil Rights (OCR) in May 2014. The hospital and the university agreed to pay $4.8 million in fines after the investigation found that they did not have sufficient technical safeguards to protect their patients' information, and this resulted in patient information being accessible on the internet.
- In February 2012, St. Joseph Health System notified approximately 31,802 patients that, for the previous year, their health information had been publicly accessible from the internet. In March 2016, the organization agreed to pay $7.5 million as part of a class-action lawsuit, and this settlement does not include the $7.4 million the organization paid in attorney fees and costs.
- Lastly, in March of this year, another hospital, Hollywood Presbyterian Medical Center, was locked out of their EHR system after criminals hacked into it and held the EHRs for ransom. This situation continued for a week, forcing employees to use pen-and-paper, until the hospital agreed to pay the ransom of $17,000.
As these examples show, patient data security must be a top priority for boards of directors, because not doing so can cost shareholders millions of dollars and, potentially, cost the directors themselves their jobs.
Compliance vs. Security: Taking Patient Privacy Seriously
Another aspect of patient data security that boards of directors must have a thorough understanding of is the difference between compliance and security. Although it can be easy to simply view these two as being one and the same, in reality, there are fundamental differences between them. In short, being compliant with all healthcare regulations is not the same thing as having sufficient EHR security.
Healthcare organizations that are only interested in compliance often take a “check-the-box” approach to patient data security, ensuring that they meet all regulations so that they will not be fined in the case of a data breach. This often leads to organizations spending precious resources on low-priority risks while the most dangerous threats go unheeded.
However, the intent of compliance is security, so a board of directors that takes the necessary steps to secure patient information by ensuring that an effective risk assessment is conducted will meet all the requirements of healthcare regulations, and also ensure that patient information is properly protected from data breaches.
Patient Security: A Short-Term Cost, But Long-Term Gain
It is critical for the board of directors to make patient data security a top priority. They must see it as an investment, rather than a business cost. Although it can certainly entail large upfront costs, the long-term benefits of proper patient data security will ultimately help an organization save money by preventing or at least mitigating healthcare data breaches. In a world where data breaches can cost millions of dollars and the aftereffects can linger for years, it is important for the board of directors to understand the threats facing their organization so that they can know the best way to invest in patient data security. In the next part of this two-part series, we will examine that last point in more detail, namely, how a board of directors can move from understanding the threats their organization faces to actively working to thwart them.
Download our Cost of a Breach white paper to learn all of the potential costs associated with a healthcare data breach.