Healthcare organizations always top the list of those most vulnerable to a cyberattack. Now that the world is dealing with the COVID-19 pandemic crisis, this is more true than ever. The healthcare system is under great strain, and telehealth is increasingly used to care for people while also practicing social distancing and, hopefully, preventing further spread of the virus. As a result, sensitive health information is now vulnerable. On top of that, the World Health Organization has reported an uptick in phishing schemes targeting hospitals during the pandemic.
Looking back, in 2019 data breaches cost the healthcare industry $4 billion. According to PR Newswire, 2020 will be even worse, with healthcare breaches taking a greater financial toll and threatening not only data but the entire industry’s ecosystem.
This shift has been going on for years, but a perfect storm of increasing frequency and severity, exploding endpoints and higher patient expectations — not to mention COVID-19 — means that the jobs of records and information management leaders have gotten more complicated.
Look at patient trust, for example. The majority of people are deeply concerned about hackers walking away with their social security numbers or credit card data, but they believe healthcare institutions are some of the most trustworthy organizations out there. That said, their trust doesn’t extend to all points in the industry. Only 24% of individuals surveyed indicated high levels of trust in their hospital, according to HealthITSecurity.
All of this means there’s a lot of ground to lose, and once that’s gone, the price is high — and not just in dollars.
How Much Is a Reputation Worth?
Breaches are expensive, but it’s not just about the $429 average cost per lost or stolen record. It’s not even about the multimillion-dollar fines that haunt healthcare security news.
Since the Health Insurance Portability and Accountability Act (HIPAA) requires that individuals, the Department of Health and Human Services and the media be notified when a breach impacts more than 500 individuals, your garden-variety data breach can quickly turn into a PR and marketing nightmare — and an expensive one at that.
The initial notification is just the jumping-off point. Those already-skeptical patients are watching the news, and it doesn’t take much for them to head to the hospital across town for their next surgery or diagnostic visit. In this scenario, your marketing department now has to work double-time to manage public perception.
A study out of the American Journal of Managed Care found that hospitals spend 64% more on advertising for two years after a breach. In dollars, that means breached hospitals were spending almost three times more on advertising than the control hospitals — $1,713,000 versus $551,000 over two years.
But thankfully, patients are patient people — if you’re proactive. Recent Experian research reported by HIPAA Journal found that 90% of respondents would be somewhat forgiving if they knew a breached organization had a communication plan in case of a data breach.
Can You Put a Price on Patient Well-Being?
You’ve probably heard the story of the easily hacked infusion pump, but, unfortunately, that was just the beginning.
The “internet of medical things” is exploding, which is great for efficiencies, improving cost of care and patient engagement, but it spells a potential nightmare scenario on the security front. Deloitte reports there are over 500,000 different types of medical devices available, ranging from home monitoring devices to pacemakers, each one a potential weak link in the healthcare IT network.
This dynamic represents a dual threat. Every endpoint is a new door for hackers to gain access to valuable and vulnerable patient data, and in cases where devices can be controlled (like that infamous infusion pump), patient safety can be at risk. As we roll into 2020, expect to see an increase in smart devices and wearables — the rise of self-health measurement and the need for care in remote and rural locations will likely increase the number of devices and vulnerabilities even further.
That said, not all devices are created equal, nor do they pose equal risk to patient health. A hacked insulin pump could theoretically do more damage than a heart monitor, which is why it’s critical for healthcare security professionals to understand their individual organizational risk profiles before taking action.
Best Practices in an Age of Healthcare Breaches
As we move into a new decade, healthcare information professionals will need to take a multi-dimensional perspective on the impact of data breaches. Breaches are expensive to both hospitals and patients, but they also encroach on a relationship founded on trust and investment in physical well-being, making security professionals guardians of their organization’s most precious asset.