In honor of Cybersecurity Month, let’s take a look at one of the scariest cybersecurity risks out there: a healthcare breach. This decade has been rough for healthcare IT. For eight years in a row, healthcare industry breaches have been the most expensive, but now they’re also the most common.
These sobering findings came out recently from the 2017 Ponemon Institute study on the cost of data breaches. They found that 60% of reported breaches hit healthcare. Worse still, healthcare breaches cost $408 per compromised record.
Naturally the other breached industries in the study were also devastated, having to cough up an average of $148 per capita. Speaking of, here’s a really cool calculator that will give you an idea of what a breach could cost across various industries.
But why do healthcare breaches cost 176% more, and why are they so common?
Why healthcare breaches are the most expensive
The insurance company Anthem is an excellent bad example of the cost breakdown of a healthcare breach. An employee innocently opened the front door (via a phishing email) to a hacker in 2015. Though the employee was at a subsidiary company, the hacker got remote access to their computer and got into Anthem's massive database. They stole the health information of 779 million people.
The cost? Let’s start with the record-breaking $16 million HIPAA settlement Anthem just agreed to pay. Ouch. As if $16 million wasn’t enough, Anthem ended up paying $260 million for security upgrades and remedial actions. Of course they’re the second largest insurer in the country, so they absorbed the cost quite gracefully.
But the threat of a data breach should scare normal-sized healthcare organizations that can’t drop hundreds of millions of dollars in recovery. Here are the predictable expenses from a healthcare breach:
- HIPAA non-compliance fees/settlement
- Cost of legal defense
- Cost of responding to the initial attack
- Cost of notifying compromised customers
- Cost of tracking identity theft
- Cost to return to normal operations
- Cost to upgrade security systems
- Cost to train employees not to open the front door
- Cost of reputation loss
And healthcare organizations of all sizes are targets because of the generally large and sensitive nature of the data they store.
Steps you can take to protect your organization
There are two key elements to protecting your organization from a breach:
1. A thorough risk assessment
It’s absolutely vital to assess your organization’s risks and make sure you’re in compliance with HIPAA’s very specific administrative, technical, and physical requirements. The first step is to work through the Security Risk Assessment Tool created by the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights.
You can save yourself a lot of headaches and uncertainty by partnering with a trustworthy IT service provider that specializes in HIPAA-compliant security. Varay can not only perform a careful risk assessment, but we can also provide top security tools and trainings to safeguard your organization. Click here to schedule a risk assessment.
2. Employee security awareness training
No matter how many security measures you have (you better believe Anthem had a monster security system), you have to account for human error. A single phishing email and an unwitting employee cost Anthem almost $300 million. Another phishing scam sent to a single employee conned the city of El Paso out of millions.
One of the most important layers of your organizational security is your employee base. It’s essential to have regular employee trainings on safe email and internet practices. We recently launched a Security Awareness Training element in our V-Secure™ suite that can send realistic (safe) spear phishing emails to employees.
When an employee falls for the bait, they receive respectful, effective training to help them spot real phishing emails in the future. The program sends different fake phishing emails over time to test their progress, and you receive reports about how safe your employee email practices are and any areas of concern.
Learn about our risk assessment & Security Awareness Training
Let Varay secure you and your employees against data breaches. We set ourselves apart as leaders in healthcare IT and HIPAA-compliant security strategies. Let’s schedule a risk assessment or take the first steps toward making your employees scam-proof.
Contact us today for a quote on a HIPAA risk assessment or Security Awareness Training.