By Paul Brown, president, Apricorn
How much would a HIPAA violation really cost? Recently, one healthcare provider paid a class action lawsuit settlement of $3 million for losing two laptops, each with over 1 million unencrypted patient records.
With the number of data breaches increasing dramatically, there have been many incidents similar to this one. Many providers find themselves falling short of HIPAA compliance and, in turn, facing hefty fines and settlements.
In reality, settlements and fines are only a portion of what a provider would have to pay in the aftermath of a data breach. Other likely costs include identity theft protection and credit monitoring for the victims, loss of customers, and the effort spent getting systems back online and protected. Both the risks and the costs keep rising.
The Current Healthcare Industry Threat Landscape
The most commonly targeted industries are those that manage personally identifiable information (PII), such as healthcare, insurance and financial services. Cyber criminals are often looking to profit from Social Security numbers, credit card numbers and other valuable PII data points. Healthcare data breaches in particular are on the rise: 328 U.S. healthcare firms reported data breaches in 2016, up from 268 in 2015. Worse, according to data from the Ponemon Institute, the average breach costs U.S. companies $221 per lost record, up from $217 per record in 2015.
Many times, a provider's biggest risk is its own employees. According to a 2017 Insider Threat Report, 74 percent of companies feel that they are vulnerable to insider threats, with seven percent reporting extreme vulnerability.
So what’s the first step in protecting your organization from external and internal threats? Encryption.
Navigating Through Encryption Waters While Remaining Compliant
It's a fact: your healthcare organization will need and want encryption, whether on FIPS-validated hardware-encrypted portable devices such as USB drives or hard drives, or on the files themselves. Sometimes regulations require encryption and are very specific, presenting terms that would be nearly impossible to misunderstand. In other, less ideal instances, regulations are unclear about what encryption is required, leaving a lot of room for interpretation and assumptions. This is when providers can find their patient data, and themselves, dangerously underprotected, or find that they are spending too much on unnecessary precautions.
When regulations are unclear, many providers turn to best practices to help them better understand what can and should be done. These can be provided by security experts or by the government, but they are not always universal across applications.
A Simple Rule Of Thumb
HIPAA's goal is to protect private patient information. The HIPAA Security Rule does not mandate encryption outright; instead, once a provider has performed a risk assessment, it must decide whether encryption is necessary. If the provider decides not to encrypt the data, it must document why it chose not to and what it will implement instead to protect the data.
When deciding whether encryption is the right approach to achieving compliance, a business or organization within the healthcare industry should first conduct a proper risk assessment. With global identity theft losses now amounting to billions of dollars, protecting sensitive data is more crucial than ever. Your best route is to hire a security expert, or consult with an internal team that is familiar with your organization's needs, to assess where the deployment of encryption is most needed.
You can also explore more detailed information, such as the HIPAA guides that are available, to help shape your organization's approach.
As a rule of thumb, it's better to be safe by using encryption than to leave patient data unsecured and be sorry.