A new report outlines the financial costs of breaches of protected health data--and offers a five-step method for healthcare providers of any size to assess their risk.
In the last two years, the protected health information (PHI) of 18 million Americans was breached electronically, according to "The Financial Impact of Breached Protected Health Information—A Business Case for Enhanced PHI Security," a collaborative research effort by more than 70 healthcare providers, payers, legal firms, security products, services firms, and other organizations. During that time, about 66% of healthcare data breaches have involved lost or stolen devices, such as mobile devices and laptop computers. Still, the biggest threats,"are not hackers….but professional, well financed and often state supported" cybercriminals, said Larry Clinton, president of Internet Security Alliance, a cybersecurity trade association that participated in the research project.
The overwhelming theme of the report's findings was that the healthcare system is founded on patients' trust that their medical information is private and secure. Unfortunately, although electronic health records are a "game changer" for improving access to patient information for better-coordinated, quality care, they also expose millions of patient records to cybercriminals, said Joe Bhatia, president and CEO of the American National Standard Institute (ANSI), another research participant, during a teleconference discussing the report.
[ Apathy, not security concerns, stop people from taking advantage of EHRs, says Paul Cerrato. See Why Personal Health Records Have Flopped. ]
"Now [trust] will be severely tested as more healthcare providers adopt e-health records," making PHI increasingly vulnerable to loss, theft, disclosure, he said. Breaches of healthcare data are not only expensive to affected healthcare providers financially due to potential regulatory fines, lawsuits and settlements, but also have great repercussions clinically, operationally and on organizations' reputations.
For patients, the breaches also are potentially damaging for a number of reasons, ranging from possibly destroying individuals' trust in their providers; unauthorized access and distribution of highly personal information; safety risks in care if health data is altered; to identity theft.
The research aims to provide healthcare business leaders with a clearer understanding of what's at risk when healthcare data is breached, and also provide tools to help health IT leaders--CIOs, chief security officers, and compliance teams--to assess their organizations' potential risks and the impact of health data privacy and security violations.
To help healthcare leaders better assess their risks, the researchers created a five-step methodology that includes an estimator tool. The free tool, included with the report, predicts overall potential data breach costs, and appropriate level of investment needed to improve privacy and security vulnerabilities to reduce the chance of a breach incident.
Protecting health data isn't a technology issue, but also involves people, policies, and procedures, said Lynda Martel, director of privacy compliance communication at DriveSavers Data Recovery, a security services firm.
The five steps are: conduct a risk assessment; determine a security readiness score; assess the relevance of a cost; determine a breach's impact; and calculate the total cost of a breach.
The methodology can be used by healthcare providers of any size, including large hospitals to small physician practices, said the researchers. The healthcare providers would take into consideration the number of patient records, where the records are stored, how they're shared, who has access to data, and other factors.
"When it comes to cybersecurity, we all have a role," said White House cybersecurity coordinator Howard Schmidt during the teleconference discussing the report.
Among those that have a responsibility to protect health data include clinicians at the point care; payers; clinical support organizations like labs and pharmacies; business associates including pharmacy benefit managers and other administrators; IT services firms such as software services, cloud computing and outsourcing firms; and other players, including law firms and consulting firms.
The cost "on the street" of a stolen medical record is $50, versus about $1 for a stolen social security records, said Catherine Allen, CEO of the Santa Fe Group, a consulting firm that contributed to the report. "This is very valuable data," she said. And while HIPAA fines from the federal government can range up to $1 million annually for an organization that has a breach, lawsuit settlements involving patients affected by those violations "are in the $20 million range," said Jim Pyles, an attorney and principal of law firm Power Pyles Sutter & Versville, during the teleconference.
Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)