IT Insider Blog


How Much Are Inadequate Security Risk Assessments Costing Healthcare Providers?

Posted by Mandry Technology Solutions on May 9, 2019 at 6:45 PM

Over the last decade, healthcare providers have become a target of cyberattackers who exploit an industry weakened by historically low levels of the security practices and insight needed to safeguard sensitive data. Governing bodies like HHS and OCR are now increasing enforcement efforts, while many healthcare leaders remain unaware of the risks of not adequately addressing compliance standards.

Many healthcare organizations treat the mandate for a yearly comprehensive security risk analysis as a one-time event to be completed rather than as an ongoing process of monitoring and updating security measures over time. This perspective can lead to complacency about the risks of not taking a proactive stance on remediating gaps in data security. Two areas that prove costly to many healthcare organizations are data breaches and enforcement penalties for noncompliance.

What are the average costs of data breaches? Here are the figures:

Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data (2016) found that during 2014-2015:

  • Around 90 percent of healthcare organization respondents suffered a data breach
  • Data breaches averaged $2.2 million to resolve
  • 3,128 total records were lost or stolen in the reported data breaches
  • 74 percent of respondents reported that the breach was discovered by a risk analysis or assessment

From 2015-2018, fines levied by OCR through settlements or judgments totaled $78,774,400. The costs of a data breach add up quickly once the factors of remediation after an entity’s data is compromised are considered. The average cost of a data breach can be anywhere between $2 and $4 million.

Here are the factors that contribute to that average cost:

  • Merchant processing fines
  • Forensic investigation
  • Onsite QSA assessments following the breach
  • Credit monitoring for affected parties / card re-issuance fees
  • Breach notification costs
  • Technology remediation costs
  • Legal fees/class action lawsuits
  • Lost revenue from reputational damage
  • HHS/OCR judgment/settlement fines (scaled to the degree of culpability, up to $50k per violation, capped at $1.5 million per incident)
  • Federal Trade Commission fines
  • State attorney general’s fines


Many entities choose to tackle security risk assessments themselves, but they run the risk of not properly evaluating the severity of threats, or they may lack documentation or policies covering their security practices. Organizations need security assessments that create visibility into security across the entire enterprise so that compliance requirements are met. The criteria for such an assessment are as follows.

Size: Enterprise-wide, not just per facility or individual location

Scope: Assessment of the threats and vulnerabilities to a system's security controls and resources, and evaluation of the safeguards that protect the confidentiality, integrity, and availability of systems and their data

Approach: Should evaluate administrative, physical, and technical controls


Data breaches and failed compliance audits are not limited to organizations that fail to perform a risk assessment. Most often these incidents result from inadequate risk assessments that are not comprehensive or are updated too infrequently to reflect changes in the organization that affect data security. OCR may use discretion in assessing penalties where an entity unknowingly violated regulations, but ignorance is not accepted as a justification for failing to implement appropriate safeguards. In 2017, CardioNet was fined $2.5 million after it failed to conduct a complete risk assessment and the PHI of over 1,300 individuals was compromised through a stolen laptop containing sensitive data. OCR did not choose leniency in this case, where CardioNet was unaware of its own security gaps.

Compliance evaluators like Mandry Technology take a compliance-as-a-service (subscription) approach, focused on continually reviewing and updating compliance posture and providing guidance on security risk remediation so that progress toward closing gaps is measured and tracked over time. This model also gives healthcare stakeholders greater confidence that their organization consistently meets or exceeds security standards.
