Topics
Reimbursement
Home health agencies get half a percent pay increase
Home health agencies get half a percent pay increase
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Two CFOs see promise of AI, but have yet to build a dedicated budget
Two CFOs see promise of AI, but have yet to build a dedicated budget
Capital Finance
HIMSSCast: Is private equity the bad guy in healthcare?
HIMSSCast: Is private equity the bad guy in healthcare?
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Hospital margins climb to 5.1% in September
Hospital margins climb to 5.1% in September
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Johns Hopkins Health Plans announces multi-payer portal
Johns Hopkins Health Plans announces multi-payer portal
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
$47.5 million grant allows Rutgers to turn lab discoveries into practical healthcare
Rutgers to promote 'translational' science with $47.5M grant
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Cleveland Clinic partnering with Cavaliers on new training center
Cleveland Clinic partnering with Cavs on new sports complex
Compliance & Legal
Elevance latest insurer to sue over Medicare Advantage star ratings
Elevance latest insurer to sue over Medicare Advantage star ratings
Policy and Legislation
HHS investing $75 million in rural healthcare infrastructure
HHS investing $75 million in rural healthcare infrastructure
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
ACO REACH changes more negative than positive, says participant
ACO REACH changes not positive, says participant
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
Aetna underperforms, plans recovery as CVS Health logs $95.4B in revenue
CVS Health logs $95.4B in revenue as Aetna struggles
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Elevance Health 'considering options' following star ratings hit
Elevance Health 'considering options' following star ratings hit
Patient Engagement
Patients see narrow networks in ACA marketplace plans, KFF finds
KFF: Patients see narrow networks in ACA marketplace plans
Pharmacy
HIMSSCast: Prior authorization as gatekeeper
HIMSSCast: Prior authorization as gatekeeper
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Teladoc posts $640.5 million in revenue, stresses virtual care improvement
Teladoc posts $640.5 million in revenue
Mergers & Acquisitions
Steward Medical sold to Rural Healthcare Group 
Steward Medical sold to Rural Healthcare Group 
View more
Mar 11, 2013 More on Compliance & Legal

Data security and breach prevention

Greg Reid

 

Your organization likely will experience a data breach of some kind. And when it does, people will want to know, what you were doing to prevent one, and how you are going to respond.

The latest Ponemon Institute study on patient privacy and data security, released in January, reports on the rise of data breaches in healthcare. Eighty healthcare organizations participated in the study with 324 interviews.

Key findings included:

  • 94 percent of healthcare organizations experienced at least one breach over the last two years.
  • 45 percent of healthcare organizations dealt with more than five breaches during the same period.
  • Leading causes of breaches included lost devices, employee mistakes, third-party mix-ups and criminal attacks.

According to the study, the average cost of a data breach to a healthcare organization hit $2.4 million, up from $2.2 million in 2011. Most of that goes to clean up: paying federal and state fines, setting up hotlines and covering the expense of potential victims' access to credit bureaus and the like.

Additionally, there's the damaging publicity surrounding breaches, especially those deemed avoidable.

Michael "Mac" McMillan is CEO of CynergisTek, a firm specializing in information security and regulatory compliance for healthcare. He teases out the numbers to lend a bit of clarity.

"Take that $2.4 million average cost of a breach," McMillan said. "Say the average hospital operating margin in 2012 was 2.5 percent. For every dollar you lose on bottom line, you have to make $40 on the top line to replace it. So in reality, your $2.4 million cost for a breach is potentially costing your organization $96 million."

Numbers like that drive at the heart of your business. Money intended for the purchase of a physician group or establishing that new ACO might suddenly be redirected to cleaning up a breach.

"Healthcare is not only the No. 1 target for cyber threats, it's also No. 1 in terms of incidents of fraud," McMillan said. "That's because we have so much valuable information. We have everything the finance sector has, and then some."

As organizations merge and acquire new properties, the threat only grows. Your hospital may have a robust network security system and staff that is trained and monitored. But, McMillan points out, what about that physician group that's recently come on line? Or the staff of that new ACO? In short, how strong is your organization's weakest link?

STEPS TO TAKE

"We help to ensure organizations have policies and procedures in place to reduce the likelihood of an event," said Steve McGraw of SAI Global's GRC business, which includes Compliance 360. "Employers need to understand what it means to have a breach. We're working with people to give (data security) a higher priority, so they don't inadvertently leak information."

Steps included in SAI Global's security plan include:

  • encrypting patient health information;
  • limiting who has access to systems and devices that store PHI;
  • training people who have access to PHI;
  • contractually obligating all third parties to protect PHI; and
  • establishing policies should a breach occur.

Lost mobile devices and hackers present their own threats. Simple human error by well-meaning but poorly-trained hospital staff also pose a threat, said Sean R. Smith, an attorney with Taylor English in Atlanta. While representing both physicians and hospitals in lawsuits, he's found the process of acquiring patient records in an acceptable form a labor-intensive endeavor. Missteps by staff can open organizations to violations.

"We make sure we have both a release from the patient and a subpoena," Smith said. "Anything short of that is playing with fire."

PROPER FRAME OF MIND

McMillan said two shifts in perspective would help finance professionals gain the proper attitude on data security. First, consider a breach an unpleasant likelihood. Second, consider breach protection as a way to protect your bottom line.

"It's good old ROI analysis," McGraw said. "What's the cost of encrypting  -  $150 per laptop? Is it worth spending $150 to avoid spending $2.4 million?

"Enterprise-wide, it might cost you $250,000 to $500,000 to encrypt everything, but it's a one-time cost that's 20 percent of the average breach," he said. "Looking at it from classic CFO perspective, it just changes the discussion."

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.