Guest Column | July 12, 2016

Privacy And Security Compliance In Healthcare: Data Breach Costs Continue To Rise


By Peter Merkulov, Vice President of Product Strategy and Technology Alliances, Globalscape

As threats to the security of high-value information become more sophisticated and attacks on IT networks grow more aggressive and persistent, so too does the emphasis on regulations intended to set standards for data management and security. As a result, compliance programs have become a priority for responsible organizations. This is especially true in healthcare, where the combination of personal health information (PHI) and financial data represents the crown jewels for hackers seeking to cash in on the high prices such files fetch on the black market.

The fast pace of innovation from within the technology industry and hacker communities means new challenges emerge with stunning regularity. Laws such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its complement, the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, are the basis upon which healthcare organizations build their security and compliance programs. Yet much has changed in the two decades since HIPAA went into effect. The rate at which data is created has grown exponentially, and the emphasis on digital transfer and communication in a mobile world means traditional security and management methods are obsolete.

Because of regulations like HIPAA and HITECH, as well as the state and federal regulations associated with data governance and the protection of personally identifiable information (PII), data security is a core business requirement for most organizations. Unfortunately, too many view and treat security and regulatory compliance programs as a thankless and burdensome task. Security and compliance are often seen as an impediment to running an efficient, profitable organization. As a result, the people and departments with a responsibility for these functions are typically understaffed, underfunded, and lack meaningful support from the C-suite.

It would be easy to complain about such circumstances, but it would be far better to change the equation by understanding the benefits of a robust compliance program that has minimal impact on productivity, reduces the operational burden, and, when implemented correctly and with support across all levels of the organization, may help avoid steep financial losses associated with a data breach.

According to the 2016 Ponemon Institute Cost of a Data Breach Report, the global average cost of a data breach was $158 per breached record for an average total cost of $4 million. In the U.S., the average cost was $221 per breached record, or more than $7 million per incident.

Those numbers represent a wake-up call for all industries, but for the healthcare industry the results were significantly worse. The global average cost of a healthcare data breach was $335 per record, or an overall average of more than $11 million. It’s not all bad news, however. The Ponemon report outlines a number of factors that can reduce the cost of a data breach should one occur in your organization, many of which are common components in mandated security programs.

Among the top factors for reducing the financial impact of a data breach are the presence of an incident response team, extensive use of encryption and data loss prevention technology, employee training, business continuity management, and data classification. Each of these should be part of a comprehensive information security policy, a critical document that many regulators look to as evidence that an organization has taken reasonable steps to prepare for the possibility of a data breach.

Critical to the success of an effective security program is choosing management and security tools that are easy to use. It has been shown that complexity is the enemy of security: staff who are given tools that are difficult to use will find workarounds that are likely to put security at risk. Security tools, therefore, must not only meet and go beyond regulatory requirements but also satisfy the ease-of-use needs of frontline staff. This means IT and compliance teams can place more trust in their colleagues and reduce any policing burden.

The good news is that simple, effective tools empower entire teams — not just IT security — to play a key role in maintaining compliance. Coupled with regular compliance training that explains each individual’s responsibility for security, such tools make employees feel involved in maintaining the organization’s security posture. When everyone understands that security and compliance are a shared responsibility and not just the domain of IT and senior management, vigilance rises.

Yet while good tools and training can go a long way toward reducing risk, human error continues to be a significant factor in data security and accounts for 25 percent of all data breaches, according to the Ponemon report. The right tools can help address this persistent problem by introducing some level of automation into data management processes. Ensuring distributed files arrive at the right place at the right time, for example, can be accomplished with automated, secure information exchanges, reducing the risk associated with the human factor.

At a time when the migration to digital records management is accelerating under the mandate of the Affordable Care Act, the fast, reliable, and secure storage and transfer of medical data will only become a more important security and compliance factor over time.

Security and compliance remain a challenging yet vital goal of healthcare organizations’ data management programs, but investment in the right tools and technology can go a long way toward reducing risk and maintaining productivity. A strategy that takes a holistic approach, combining an appreciation for the potential consequences of a lax security posture with a plan designed for the challenges unique to healthcare, is the best way to protect sensitive data and minimize the risk of a breach — as well as the cost of a data breach — to the organization.

About The Author

Peter Merkulov serves as Vice President of Product Strategy and Technology Alliances at Globalscape. He is responsible for leading and overseeing the product strategy, product management, product marketing, and technology alliances teams. Prior to joining Globalscape, Merkulov served as Executive Vice President at Kaspersky Lab North America, where he oversaw the expansion of the business within North America and was second in command of their North American operations. He also served as Kaspersky Lab’s Chief Product Officer, where he drove the adoption, development, and execution of their long-term product strategy. Merkulov also spent a number of years as the Vice President of Technology Alliances at Kaspersky Lab where he led the global alliances strategy and technology partner programs. Merkulov is a graduate of Moscow State Institute of International Relations and is fluent in English, Russian, and Swedish.