A single instance of a data breach is enough to damage an organization’s standing in the community and send the unintended message that it can’t be trusted. A data breach
that brings an IT system to a halt will have a direct effect on patient care and potentially lead to legal ramifications.

“Taking a reaction-based approach to security not only leaves you continually vulnerable to attacks, but you will
constantly be devoting time and money to solving problems a proactive approach would help you avoid.”

Security breaches can also lead to HIPAA fines for not having an effective system in place to protect data. In the rush to install a security patch after a breach, an organization’s budget can take a serious hit through the costs of a new protection program and legal penalties.

These financial costs can add up quickly, so devising a plan requires understanding how security and HIPAA overlap
and where they diverge. Knowing the budget ramifications of a reactive strategy and the time it eats up is a good
place to begin.

Downtime plus Fines

In 2014, the FBI reported that the healthcare community is more vulnerable to data breaches than any other industry.[3]
This lack of preparedness is estimated to cost the industry billions over the course of 2015, according to Experian, a global information services company.[4]
Although this is a gigantic price to pay, what is most striking is that these costs can be avoided, provided an organization follows an attentive and comprehensive
strategy. As for the time it would take to find solutions, train employees, and then put the strategies in place, it is estimated that getting an infrastructure up and
running again would require weeks, all while continuing to carry out primary healthcare responsibilities.

Last year the Ponemon Institute conducted a study on the cost of a data breach and concluded that a large organization would, on average, take 31 days to recover from a cyberattack.[5]
The total financial cost from that single incident would be roughly $640,000. BAs, however, have more to lose from a monetary standpoint than large healthcare systems. Small SaaS companies that
partner with CEs often don't have a lot of money set aside to pay fines. Even one data breach resulting in one round of fines can put a BA out of business.

IT downtime can have implications well beyond time and money. For patients who require constant care, a compromised system can have detrimental and life-threatening
consequences. Certain procedures may not be able to be monitored or replicated without online systems in operation. These situations also affect one crucial factor with far-reaching implications: an organization's reputation.

Reputation: loss of trust or customers

Any business seeks to establish trust with a consumer. Without it, no relationship will even exist, and for a healthcare provider, this sense of trust can have a greater meaning
than for a private-sector business.

Not only is data being maintained, but the healthcare provider is also responsible for delivering actual care, including restorative treatments, surgery, and wellness practices.
Yet hospitals don’t have the same concerns about a damaged reputation that other businesses do because people still must go to the hospital if they’re injured or sick. As with fines levied
due to a breach, losing trust is often a larger concern for BAs, who depend on an impeccable reputation to remain in good standing with their customers — the hospitals, healthcare clinics and other CEs. A BA who allows a breach to happen is likely to be fired by the CE who has hired them and will suffer other losses from that damaged reputation.

Taking a proactive approach to security, including the steps necessary to achieve Safe Harbor status, can greatly reduce the chance of having to face this kind of situation.
A central facet in that approach is being able to reasonably assess the spectrum of risks that hospitals, vendors, and service providers face and then devising a risk
management strategy for mitigating them. “Which security countermeasures you choose to implement,” Chris Hinkley of Armor explains, “depends on what your attack surface looks like, which determines what mitigation looks like.”

Getting a little nervous now? You should! I hope the problem has been laid out sufficiently for you.

Check back tomorrow as we continue this topic. (If you want to see the whole issue at once, go to Armor and download their ebook.)