Healthcare Industry Loses $7 Billion Due to HIPAA Data Breaches

A recent study released in December 2012 by the Ponemon Institute, the Third Annual Benchmark Study on Patient Privacy & Data Security, reveals an inside look at the growing data breaches in the healthcare industry. Recurring data breaches are increasing among respondents, with 45 percent reporting more than five incidents in the last two years (an increase from 29 percent in 2010). Ninety-four percent of all respondents had at least one data breach in the past two years. The figure of a $7 billion loss to the healthcare industry overall was calculated by the Ponemon Institute by multiplying $1,195,135 x 5,754 (average economic impact for a healthcare organization over a one-year period x the total number of registered US hospitals per the AHA).

Why do data breaches happen more than once to the same organization? Shouldn’t they learn their lesson? Not necessarily – many healthcare organizations may have experienced multiple breaches due to improper remediation tactics.

As I wrote about in an article, In the Wake of a Healthcare Data Breach, the Utah Department of Health put in a thorough plan of action after they experienced a server hack affecting 780,000 individuals. Their plan included replacing the state’s chief technology officer, hiring an auditor to conduct security audits across all state agencies, encrypting both data in transit and stored data, hiring a PR firm to handle crisis communications, improving security controls with network monitoring and intrusion detection, as well as creating a new position for a privacy and security officer. Enacting both technical and administrative security creates a stronger defense against future attacks.

Not all small or medium-sized businesses have the resources of a state government to put in such a thorough plan. However, they can learn from the lesson of many a data breach caused by the loss of a portable device (read: laptop). By keeping electronic protected health information (ePHI) off of devices and stored safely on a secure server in a secure data center environment, even small companies can benefit from preventative actions. It’s simple: if you lose the device, you don’t lose the data, nor do you allow unauthorized users access to the data.

One way to ensure data is protected is to use the services of a HIPAA compliant hosting provider. If audited against the OCR HIPAA Audit Protocol, your HIPAA hosting provider should understand the physical, technical and administrative controls needed to stay secure and compliant, as the healthcare industry requires. Both your hosting solution and data center in which your data lives should be HIPAA audited. Find out more about HIPAA compliant data centers.

The Ponemon study also found that the average economic impact of a data breach has increased by $400,000 to a total of $2.4 million since 2010. Economic impact includes anything from investigation, legal, federal penalty costs to loss of business due to downtime or decreased credibility. It can also include remediation or free credit monitoring typically offered to affected individuals, and any other costs related to potential fraud/identity theft. Since data breaches can result in a serious loss of revenue, putting your data at risk with a third-party that isn’t audited to the OCR standards or isn’t aware of their security responsibilities can be a gamble.

HIPAA Data Breach Economic Impact; Source: Ponemon Institute

Another key finding was related to mobile devices; specifically, BYOD (Bring Your Own Device) that allows personal smartphone or tablet use by employees and medical staff. While 81 percent of healthcare organizations allowed BYOD in the workplace, only 9 percent were very confident in their BYOD security. The following measures are taken, with 46 percent responding that none of the listed security precautions were taken at their organization: