Topics
Reimbursement
Elevance, UnitedHealth among insurers accused of alleged price fixing
Elevance, UnitedHealth among insurers accused of alleged price fixing
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
CommonSpirit, University of Utah Health team on access
CommonSpirit, University of Utah Health team on access
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
CVS announces Dr. Sreekanth Chaguturu as president, Health Care Delivery
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Almost a quarter of Americans underinsured, survey finds
Survey: Almost a quarter of Americans underinsured
Patient Engagement
HHS, Illinois reach agreement on disability rights laws
HHS, Illinois reach agreement on disability rights
Pharmacy
Express Scripts, Caremark, OptumRx fight back in lawsuit against FTC 
Express Scripts, Caremark, OptumRx sue FTC 
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
Mar 11, 2013 More on Compliance & Legal

Data security and breach prevention

Greg Reid

 

Your organization likely will experience a data breach of some kind. And when it does, people will want to know, what you were doing to prevent one, and how you are going to respond.

The latest Ponemon Institute study on patient privacy and data security, released in January, reports on the rise of data breaches in healthcare. Eighty healthcare organizations participated in the study with 324 interviews.

Key findings included:

  • 94 percent of healthcare organizations experienced at least one breach over the last two years.
  • 45 percent of healthcare organizations dealt with more than five breaches during the same period.
  • Leading causes of breaches included lost devices, employee mistakes, third-party mix-ups and criminal attacks.

According to the study, the average cost of a data breach to a healthcare organization hit $2.4 million, up from $2.2 million in 2011. Most of that goes to clean up: paying federal and state fines, setting up hotlines and covering the expense of potential victims' access to credit bureaus and the like.

Additionally, there's the damaging publicity surrounding breaches, especially those deemed avoidable.

Michael "Mac" McMillan is CEO of CynergisTek, a firm specializing in information security and regulatory compliance for healthcare. He teases out the numbers to lend a bit of clarity.

"Take that $2.4 million average cost of a breach," McMillan said. "Say the average hospital operating margin in 2012 was 2.5 percent. For every dollar you lose on bottom line, you have to make $40 on the top line to replace it. So in reality, your $2.4 million cost for a breach is potentially costing your organization $96 million."

Numbers like that drive at the heart of your business. Money intended for the purchase of a physician group or establishing that new ACO might suddenly be redirected to cleaning up a breach.

"Healthcare is not only the No. 1 target for cyber threats, it's also No. 1 in terms of incidents of fraud," McMillan said. "That's because we have so much valuable information. We have everything the finance sector has, and then some."

As organizations merge and acquire new properties, the threat only grows. Your hospital may have a robust network security system and staff that is trained and monitored. But, McMillan points out, what about that physician group that's recently come on line? Or the staff of that new ACO? In short, how strong is your organization's weakest link?

STEPS TO TAKE

"We help to ensure organizations have policies and procedures in place to reduce the likelihood of an event," said Steve McGraw of SAI Global's GRC business, which includes Compliance 360. "Employers need to understand what it means to have a breach. We're working with people to give (data security) a higher priority, so they don't inadvertently leak information."

Steps included in SAI Global's security plan include:

  • encrypting patient health information;
  • limiting who has access to systems and devices that store PHI;
  • training people who have access to PHI;
  • contractually obligating all third parties to protect PHI; and
  • establishing policies should a breach occur.

Lost mobile devices and hackers present their own threats. Simple human error by well-meaning but poorly-trained hospital staff also pose a threat, said Sean R. Smith, an attorney with Taylor English in Atlanta. While representing both physicians and hospitals in lawsuits, he's found the process of acquiring patient records in an acceptable form a labor-intensive endeavor. Missteps by staff can open organizations to violations.

"We make sure we have both a release from the patient and a subpoena," Smith said. "Anything short of that is playing with fire."

PROPER FRAME OF MIND

McMillan said two shifts in perspective would help finance professionals gain the proper attitude on data security. First, consider a breach an unpleasant likelihood. Second, consider breach protection as a way to protect your bottom line.

"It's good old ROI analysis," McGraw said. "What's the cost of encrypting  -  $150 per laptop? Is it worth spending $150 to avoid spending $2.4 million?

"Enterprise-wide, it might cost you $250,000 to $500,000 to encrypt everything, but it's a one-time cost that's 20 percent of the average breach," he said. "Looking at it from classic CFO perspective, it just changes the discussion."

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.