Data security and breach prevention


Your organization will likely experience a data breach of some kind. And when it does, people will want to know what you were doing to prevent one, and how you are going to respond.

The latest Ponemon Institute study on patient privacy and data security, released in January, reports on the rise of data breaches in healthcare. Eighty healthcare organizations participated in the study with 324 interviews.

Key findings included:

  • 94 percent of healthcare organizations experienced at least one breach over the last two years.
  • 45 percent of healthcare organizations dealt with more than five breaches during the same period.
  • Leading causes of breaches included lost devices, employee mistakes, third-party mix-ups and criminal attacks.

According to the study, the average cost of a data breach to a healthcare organization hit $2.4 million, up from $2.2 million in 2011. Most of that goes to clean up: paying federal and state fines, setting up hotlines and covering the expense of potential victims' access to credit bureaus and the like.

Additionally, there's the damaging publicity surrounding breaches, especially those deemed avoidable.

Michael "Mac" McMillan is CEO of CynergisTek, a firm specializing in information security and regulatory compliance for healthcare. He teases out the numbers to lend a bit of clarity.

"Take that $2.4 million average cost of a breach," McMillan said. "Say the average hospital operating margin in 2012 was 2.5 percent. For every dollar you lose on bottom line, you have to make $40 on the top line to replace it. So in reality, your $2.4 million cost for a breach is potentially costing your organization $96 million."

Numbers like that drive at the heart of your business. Money intended for the purchase of a physician group or establishing that new ACO might suddenly be redirected to cleaning up a breach.

"Healthcare is not only the No. 1 target for cyber threats, it's also No. 1 in terms of incidents of fraud," McMillan said. "That's because we have so much valuable information. We have everything the finance sector has, and then some."

As organizations merge and acquire new properties, the threat only grows. Your hospital may have a robust network security system and staff that is trained and monitored. But, McMillan points out, what about that physician group that's recently come on line? Or the staff of that new ACO? In short, how strong is your organization's weakest link?


"We help to ensure organizations have policies and procedures in place to reduce the likelihood of an event," said Steve McGraw of SAI Global's GRC business, which includes Compliance 360. "Employers need to understand what it means to have a breach. We're working with people to give (data security) a higher priority, so they don't inadvertently leak information."

Steps included in SAI Global's security plan include:

  • encrypting patient health information;
  • limiting who has access to systems and devices that store PHI;
  • training people who have access to PHI;
  • contractually obligating all third parties to protect PHI; and
  • establishing policies should a breach occur.

Lost mobile devices and hackers present their own threats. Simple human error by well-meaning but poorly trained hospital staff also poses a threat, said Sean R. Smith, an attorney with Taylor English in Atlanta. While representing both physicians and hospitals in lawsuits, he has found the process of acquiring patient records in an acceptable form to be a labor-intensive endeavor. Missteps by staff can open organizations to violations.

"We make sure we have both a release from the patient and a subpoena," Smith said. "Anything short of that is playing with fire."


McMillan said two shifts in perspective would help finance professionals gain the proper attitude on data security. First, consider a breach an unpleasant likelihood. Second, consider breach protection as a way to protect your bottom line.

"It's good old ROI analysis," McGraw said. "What's the cost of encrypting - $150 per laptop? Is it worth spending $150 to avoid spending $2.4 million?

"Enterprise-wide, it might cost you $250,000 to $500,000 to encrypt everything, but it's a one-time cost that's 20 percent of the average breach," he said. "Looking at it from classic CFO perspective, it just changes the discussion."