The recent wave of healthcare data breaches and their extremely high recovery costs has reinforced the urgent need to invest in protecting the digital patient medical records healthcare organizations have spent billions of dollars to install, according to a recent report from Politico.
The report outlined several costs related to data breaches.
- One healthcare record can be exchanged for up to $50 on the black market, 10 times as much as a stolen credit card number.
- Legal costs and credit protection could amount to $20 for each hacked patient record.
- Hacks already cost the healthcare industry approximately $6 billion a year.
- It is estimated that $2 billion worth of health-related cyber insurance was sold on the black market last year, and the market is experiencing 20 to 25 percent growth per year.
Even with the passing of two bills intended to increase sharing of cybersecurity threat information among government agencies and the healthcare industry, new legislation alone won't solve the problem — no matter what bills Congress passes or how much the healthcare industry spends on protecting its data, the shrewdest hackers will continue finding ways to breach protected data systems, according to the report.
"The adversary is way ahead of us right now," Jim Nelms, chief information security officer at Rochester, Minn.-based Mayo Clinic, and who previously held the same position at the World Bank, told Politico.
Pain points for hospitals and health systems
Although the government has helped create threat-sharing networks for the healthcare industry, many health systems don't participate because they can't afford the costs associated with enhanced security experts say are necessary.
Additionally, there are no obvious, concrete benefits for healthcare organizations to make these costly investments, as health systems will seemingly never outsmart hackers. However, the risk of not investing in digital health information is enormous.
"You might pay for the best tornado-resistant roof and never need it," Carl Anderson of the HITRUST Alliance told Politico. "But if all you've got is a tarp and a storm comes, you're going to take a lot of heat for the damage to your house."
According to Lisa Gallagher, a cybersecurity expert at HIMSS, healthcare organizations should be spending at least 10 percent of their IT budgets on security, and up to 40 percent for companies that are just starting out, added Michael Garvin of Symantec. However, the current industry-wide average is just about 3 percent.
Filling in the gap
Security experts are rushing in to offer consulting services for organizations that don't have the bandwidth to create their own security teams. There is also significant demand for the role of privacy officers, whose duties may include cybersecurity and legal compliance. According to Politico, the International Association of Privacy Professionals, launched just under a decade ago, is experiencing 25 percent growth year-over-year and has 20,000 members.
Some academic medical centers that realized the risks of data hacking years ago have been spending millions of dollars in investments on staff, technology and consultants. According to Bonnie Siegel, an attorney and headhunter for cyber experts for the healthcare industry, said these professional have found a "seller's market" in healthcare.
"Top healthcare security positions used to average $135,000 to $175,000, but the salary is now typically in the $200,000 to $225,000 range, and I know people earning $300,000," she told Politico.