A hospital data breach not only risks the sensitive information of patients, but it also can spell disaster for a healthcare provider's finances.
"A small attack with two staff thrown at it might mean only $5,000 in IT time fixing things. But if 20 people are needed to clean up it's more like $100,000," said Craig Musgrave, CIO of The Doctors Company. "bringing in outside experts for remediation and research, those companies cost $25-$50,000 or more." Musgrave said.
That doesn't even factor in the dollar amount tied to lost productivity and the potential for hefty HIPAA fines.
"Once it spreads the amount of damage done grows exponentially. You need to be able to discover it and shut it down," Musgrave said.
Chris Ewell, chief information security officer at University of Washington Medicine, said it all starts with early detection. He would know. University of Washington Medicine is in the middle of a corrective action plan after a breach three years ago got them slapped with $750,000 HIPAA fine.
He said controls that keep hackers from getting in are great, but since breaches are going to happen anyway, you need a means to monitor your assets so that once they get in you can "stop the bleeding."
Having an instant response process plan in place so that you can limit the damage is crucial.
"You need to be stellar at that or have someone who can come in at a moment's notice and help you," Ewell said.
To do that, systems need to practice the breach plan by running training drills.
However, it is in the investigation where a lot of the costs lie, and if the forensics are done poorly, it can cost even more, especially if you don't properly determine the size and scope of the breach.
"Everything is a breach until you can prove the low probability of compromise. Now you're obligated to notify, when if you had forensics you may not have had to notify. It's a well-spent cost."
Another little-known misstep at the beginning of breach incidents is failing to stop non-experts from touching systems and trying to get things back to operational. Often, these individuals end up trampling data that would have been important to the investigation.
According to Musgrave, there are three phases in breach management -- discovery, remediation and clean-up -- and there are costs at every step. For large providers or a large breach, Ewell said it may become necessary to hire a service to find and verify addresses for potentially affected patients both past and present. People may have moved or even died so a provider needs the verification service so they can determine where to send the notification letter. That's another component. Writing a letter to patients letting them know about the breach is required, and it must be legally approved, another expense. And chances are most providers caught off guard by a cyberattack are already shelling out cash to a lawyer who helped them officially determine there was a breach.
Devin O'Brien, senior counsel for The Doctors Company said one of the lawyers they work with charges $600 an hour. "Just getting their feet wet on a situation mounts up quickly. Everything is happening at the same time."
Also adding to the overwhelming complications of managing a cyberattack is managing the fall-out once a provider has alerted those who were potentially affected. If the breach is small, and there aren't many affected, it is possible that staff can handle the calls that will come in. Ewell said usually about 20 to 30 percent of those affected will call in.
However, if the incident is large that will mean lots of calls, and a provider may be forced to set up a call center. The system will have to write scripts for answers to questions that are going to be asked, and it must be decided whether things like credit monitoring, which can cost $5 to $15 per person, will be offered. For most providers, these are services they don't consider or plan for, and that makes them pricey when the time comes.
There may also be expenses surrounding communication with the public, since when the breach affects more than 500 the media must be notified, Ewell said. PR services also carry hefty price tags, especially in an emergency.
"Hopefully you have those negotiations already in place because it's very expensive if you do it as an emergency versus having a contract with someone," Ewell said.
Beyond the attack
Boston Children's Hospital came under attack from hackers collective Anonymous back in 2014 following their treatment of a young girl who had been removed from her parent's care by the state. The worst-case scenario, "going dark," never happened. But the incident is still a cautionary tale for their CIO Daniel Nigrin because of what they did lose. Nigrin said they still had to shut down external websites for a time as hackers tried to wreak havoc, and it happened at a time of year when they were staging an annual walkathon. One of the websites shut down was one that sourced donations, and though he couldn't give an exact figure, the loss was significant enough that they made a claim against their cyberinsurance for the event, Nigrin said.
"This was not a tens of thousands of dollars thing, it was significantly more than that."
Nigrin said most cyberinsurance coverage protects against loss of data and its side effects like penalties. What they didn't appreciate was the way the insurance was written, which said if no breach actually occurred a claim made against the policy wouldn't necessarily go through. Basically, because they had the right defenses and protocols in place and were actually able to protect patient data, they had to fight with their insurer to get the claim paid, even though the attack and the losses were real.
"It's fine print that I urge people to look at within their cyberinsurance policies," Nigrin said.
Fines are the last blow to a system already worn-down following a breach. It usually takes three years after the incident when HIPAA fines hit, and the dollar amounts are swelling O'Brien said.The Office of Civil Rights has almost quintupled the number of actions taken on cyberbreaches from 2004 to 2009.
Figuring out a HIPAA fine is formulaic. There are degrees of culpability, and the more culpable OCR thinks a provider is for their breach, the more severe the fine can be. The difference between the least culpable level of awareness, where the system "did not know and by exercising reasonable diligence would not have known," and the most culpable where the breach is due to "willful neglect," can mean the difference between a minimum fine of $100 per violation and $50,000 per violation, O'Brien said.
"You can't put your head in the sand on this one. If you've really taken reasonable steps to protect your system, trained your staff to have physical security in place and something still happens, my feeling is you'll get a fine but you'll see a fine that is a third of what you would have seen otherwise," O'Brien said.
The HIPAA fine is only the start, said Ewell. The OCR, once they step in, will likely require a complete overhaul of the system and the hiring of an independent monitor for three years, as well as other fixes. You only have between 60 and 90 days to address the issues, and until a system is through fulfilling a corrective action plan, they'll probably be out $10 million.
What's more, Ewell said, there is a loss of sovereignty over your own operations, and a system's budget can be slammed by the action-plan requirements.
Some basics that may keep you out of the OCR's crosshairs include doing an enterprise-wide risk assessment, not just a vulnerability analysis; knowing where all your data is right down to a single entity and being able to produce a list at any time; documenting staff training; implementing policies and procedures, and ensuring staff know and understand them. You also want to keep track of how your vendors are using and engaging with your network.
Musgrave suggested being diligent with software upgrades, boosting infrastructure, encrypting databases and passwords with administrators, and subscribing to cloud solutions as ways to enhance your cybersecurity program and make it harder for hackers to get in.
"This is the cost of doing business. You need to protect that data because a breach is worth so much money to the bottom line of a system."
Ewell said C-suite executives need to be constantly evaluating the risk.
"You would never think about not reviewing your financial statements every week or every month. Do you do the same thing with your information security risk? It's as important as your financial statement but no one thinks about it."