Data security and breach prevention


Your organization will likely experience a data breach of some kind. And when it does, people will want to know what you were doing to prevent one and how you are going to respond.

The latest Ponemon Institute study on patient privacy and data security, released in January, reports on the rise of data breaches in healthcare. Eighty healthcare organizations participated in the study, which drew on 324 interviews.

Key findings included:

  • 94 percent of healthcare organizations experienced at least one breach over the last two years.
  • 45 percent of healthcare organizations dealt with more than five breaches during the same period.
  • Leading causes of breaches included lost devices, employee mistakes, third-party mix-ups and criminal attacks.

According to the study, the average cost of a data breach to a healthcare organization hit $2.4 million, up from $2.2 million in 2011. Most of that goes to clean up: paying federal and state fines, setting up hotlines and covering the expense of potential victims' access to credit bureaus and the like.

Additionally, there's the damaging publicity surrounding breaches, especially those deemed avoidable.

Michael "Mac" McMillan is CEO of CynergisTek, a firm specializing in information security and regulatory compliance for healthcare. He teases out the numbers to lend a bit of clarity.

"Take that $2.4 million average cost of a breach," McMillan said. "Say the average hospital operating margin in 2012 was 2.5 percent. For every dollar you lose on the bottom line, you have to make $40 on the top line to replace it. So in reality, your $2.4 million cost for a breach is potentially costing your organization $96 million."

Numbers like that drive at the heart of your business. Money intended for the purchase of a physician group or establishing that new ACO might suddenly be redirected to cleaning up a breach.

"Healthcare is not only the No. 1 target for cyber threats, it's also No. 1 in terms of incidents of fraud," McMillan said. "That's because we have so much valuable information. We have everything the finance sector has, and then some."

As organizations merge and acquire new properties, the threat only grows. Your hospital may have a robust network security system and staff that is trained and monitored. But, McMillan points out, what about that physician group that's recently come on line? Or the staff of that new ACO? In short, how strong is your organization's weakest link?