By Scott M. McAuliffe, CPA, CISA, CFE, Risk Advisory Services Partner
Cost Effective Data Controls for Healthcare Practices
According to a January 8, 2020, article published by the HIPAA Journal, the healthcare industry now accounts for around four out of every five data breaches. The article references a survey conducted in late 2019 by Black Book Market Research that found the following:
- The cost to the healthcare industry from data breaches is expected to reach $4 billion in 2020.
- Spending on cybersecurity by physician organizations has decreased since 2018 and now stands at less than 1% of their IT budget.
- When money is spent on cybersecurity, solutions are often purchased blindly or with little vision or discernment. The survey showed that between 2016 and 2018, 92% of data security purchase decisions were made by the C-suite without any users or affected department managers being involved in the purchasing decision.
- Despite the threat of attack, 92% of healthcare organizations lack full time cybersecurity professionals and only 21% of hospitals said they had a dedicated security executive. Only 1.5% of physician groups with more than 10 clinicians said they had a dedicated security executive.
According to IBM’s Cost of a Data Breach Study, the average cost to a victimized health provider is $429 per stolen record, almost 300% more than the worldwide average cost per stolen record of $150.
While physician groups might believe there is little chance of being the target of a data breach, that is not the case. According to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), in January 2020 alone there were a total of 25 data breach notifications submitted by healthcare providers, several of which were physician practices, totaling over 431,000 individuals affected.
As the fallout from the American Medical Collection Agency (AMCA) data breach continues to expand, it is becoming clear to providers that it is not enough to protect only the data controlled by the provider itself. Providers must also manage the risk posed by the organizations with whom they share data.
Healthcare providers are in the business of patient health, not data security. Providers rightfully want to ensure that the security solutions and controls they implement deliver cost-effective security.
Examples of Cost-Effective Data Controls for Physician and Healthcare Practices
- Perform periodic security awareness training for all employees.
Why? Most malicious breaches start by targeting individuals through email. Users must be trained to spot these threats.
- Implement and test an incident response plan (IRP).
Why? According to IBM, on average, a tested IRP reduces the cost of a breach by 18%.
- Ensure all computers are patched and anti-virus software is up to date.
Why? To stop email- and web-borne malware from spreading from user computers onto the network.
- Require strong passwords with multi-factor authentication (MFA).
Why? Hackers are incredibly effective at stealing and guessing passwords. MFA largely eliminates the risk of unauthorized access from a stolen or guessed password.
- Make extensive use of encryption on PCs, laptops, and servers, for data both in transit and at rest.
Why? Generally, stolen data that is known to be encrypted does not meet the legal definition of a reportable data breach.
For more ideas on how physician practices can implement cost-effective data security controls, see Keiter’s Cybersecurity Desktop Guide.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.