Topics
Reimbursement
J&J backs down from its planned 340B rebate model
J&J backs down from its planned 340B rebate model
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Four health systems form Longitude Health 
Four health systems form Longitude Health 
Capital Finance
HIMSSCast: Is private equity the bad guy in healthcare?
HIMSSCast: Is private equity the bad guy in healthcare?
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Elevance stock slides on lower forecast
Elevance stock slides on lower forecast
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
U.S. healthcare system ranks last in equity, access
U.S. healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Johns Hopkins Health Plans announces multi-payer portal
Johns Hopkins Health Plans announces multi-payer portal
Workforce
Feds grant $100 million to grow healthcare workforce
Feds grant $100M to grow healthcare workforce
Operations
UMC Health System hit with IT outage linked to ransomware
UMC Health System hit with IT outage linked to ransomware
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Cleveland Clinic partnering with Cavaliers on new training center
Cleveland Clinic partnering with Cavs on new sports complex
Compliance & Legal
BCBS reaches $2.8 billion settlement agreement
BCBS reaches $2.8 billion settlement agreement
Policy and Legislation
HHS investing $75 million in rural healthcare infrastructure
HHS investing $75 million in rural healthcare infrastructure
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
ACO REACH changes more negative than positive, says participant
ACO REACH changes not positive, says participant
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Walmart announces closing of clinics and virtual care
Walmart is closing clinics and virtual care
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS Health mulls potential breakup in midst of strategic review
CVS Health mulls potential breakup
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Medicaid to cover traditional Tribal community healthcare 
Medicaid to cover traditional Tribal community healthcare 
Patient Engagement
Patients see narrow networks in ACA marketplace plans, KFF finds
KFF: Patients see narrow networks in ACA marketplace plans
Pharmacy
Blue Shield of California challenges PBM model to lower cost of Humira biosimilar
Insurer challenges PBM model to lower cost of Humira biosimilar
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Patients less likely to seek virtual behavioral care when paying out-of-pocket
Patients who pay cost-sharing less likely to seek virtual care
Mergers & Acquisitions
In M&A deals, seller size by revenue is significantly above historical norms
In M&A deals, seller size by revenue is above historical norms
View more
Mar 04, 2020 More on Supply Chain

Healthcare vendor data breaches prove costly, necessitating automation and process changes to curb costs

Only 36% of vendors said they would immediately notify providers if they had a breach that involved PHI or other sensitive information.

Jeff Lagasse, Editor

More than half of all healthcare vendors have experienced a data breach that has exposed protected health information. Because of this, vendors know it can be costly. The average breach costs nearly $3 million and exposes roughly 10,000 records, new research from the Ponemon Institute shows.

When breaches that expose PHI do occur, only about one-third of vendors say that they would immediately notify healthcare providers -- a low number that points to a broken system of managing third-party risk in the healthcare industry.

Of the 54% of respondents who had at least one data breach involving PHI over the past two years, 41% had six or more breaches during this time. They cite the human factor as their biggest vulnerability when it comes to data breaches, suggesting that automation technology and process changes will be key in stemming the tide.

Yet while more than half of those surveyed said a data breach could result in a loss of business, only 36% of vendors said their organization would immediately notify their healthcare providers if they had a breach that involved PHI or other sensitive information. In total, 43% of vendors have access to PHI.

According to Ed Gaudet, CEO of Censinet, which sponsored the Ponemon survey, vendors are having significant challenges with the overall process -- everything from the cost of data breaches to the exposure in terms of the record count.

Part of the issue is that providers are going through a major transformation when it comes to running their businesses. More medical devices can be connected to the cloud and the internet than ever before, and this means having software and other components that need to be continually assessed.

"Healthcare providers are also adopting new technologies faster than ever before," said Gaudet. "Ten years ago this wasn't a problem. Today, though, providers are looking at the application of AI and machine learning. Digital health is going through a renaissance."

Unfortunately, organizations are still using certification processes that take several months to complete, and often presuming they'll be good for the next year. But the technology dynamic has changed considerably.

According to the findings, 59% of respondents say risk assessments become out-of-date within three months or less. But only 39% say their organization is required to update their risk assessment every six months (18%) or at least once a year (21%).

That's an issue, because at the halfway point of 2019 the healthcare industry experienced more data breaches than in all the previous years combined. And the trend is going up: Despite all of the investments being made in security technologies, the number of breaches -- and the costs -- are still climbing.

"There's an issue where organizations think the breach is too small to report, or it's not material," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "They may not think there's a privacy risk."

A significant impact of all this on providers and patients specifically is that one large data breach can be catastrophic due to the sensitive nature of the information. There's a direct cost involved, but also a number of indirect costs owing to the practice being so broken. It adds up to a pretty significant drain overall.

TAKING ACTION

Another important data point in the survey is that two in five vendors say providers don't require them to take action when there are privacy and security gaps. Gaudent said that boils down to the level of responsibility and accountability that both sides take.

When it comes to risk assessments, providers don't have the resources to cover all the vendors in the space. Instead they stratify them into three buckets based on what they perceive as the highest risk. But a breach will still likely find its way in, usually at the weakest link.

One of the issues the industry faces is that assessments are still largely done through manual processes involving spreadsheets and email. It's a time-consuming and costly process.

"Providers want to protect their business, so these analysts go back and forth until they feel confident they have that transparency," said Gaudet. "Some providers enable their analysts to work with the vendors directly to remediate those risks. And most providers frankly understand this is a hard thing to do."

That's largely because of all the people involved in the process. There are those who are involved directly, but there's also a tenfold indirect cost of processing risk assessment because they start at the procurement process -- supply chain, legal, finance, etc. -- until a contract is signed with a vendor. That doesn't end once the contract is signed; there's typically a process to reassess the vendor after a certain amount of time. The problem is that many vendors don't get reassessed at all.

Nearly 60% of vendors believe that their risk assessments are out of date within three months of filling them out, but fewer than 20% say providers make them fill out assessments more than once per year, the data showed.

Supply chain systems can change from month to month or week to week, while some of these assessments can take up to six months or more; as soon as the assessment is made public, it's out-of-date. Fifteen years ago, on-premises software changed perhaps twice per year. Now, software is getting patched and updated almost daily.

"How do you keep up with that if you're using manual steps and processes or approaches with a time base of a year? It just doesn't make sense," said Gaudet. "We're human beings -- we manage risk every day. We manage risk when we cross the street. We're constantly dealing with risk, yet we think it's OK that healthcare looks at risk on an annual basis."

The best way to take action, he said, is to automate as much of the process as possible, then collaborate with the vendor to truly understand the risk not at an organizational level but down to the micro-level of the product or service being implemented.

"Collaboration and proof enables the provider to do an analysis and assess if they have the right policy, the right procedure in place and the right controls," said Gaudet. "A good vendor is one that understands and has made a cultural change, rather than just checking a box in the survey.

"The amount of time in the process trips the vendor up," he said. "We think that time is important, but you've got to really automate the workflow, streamline it in a way that changes how people look at risk and how continually they're looking at risk across the supply chain."

Ultimately, the healthcare industry needs to enable vendors to have the right tools and processes in place to engage in the right behaviors. That can provide the level of transparency and confidence they need to protect their businesses, and it also mitigates the risk of losing patient data -- and patient safety.

"If you think about losing patient data, it's costly and embarrassing," said Gaudent, "but if a medical device that a loved one is connected to goes down, now it becomes a patient safety issue. It's personal."
 

Twitter: @JELagasse

Email the writer: jeff.lagasse@himssmedia.com

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.