Attention risk managers: 3 reasons you need to focus on patient privacy (And 2 things you should do right now)

The security concerns of the healthcare industry are well-known. Attacks on patient data have risen 125%1 in recent years, with 90% of all organizations suffering from at least one data breach in the past two years2.

Add in the revenue uncertainties driven by a move from fee-based to outcome-based care and the situation gets even more dire – 7 out of 10 people are likely to choose a hospital that hasn't been plagued with security issues3.

The industry is in a serious quandry. Yet the patient data of most healthcare organizations still suffers from what can only be described as benign neglect due to static IT budgets and lack of a skilled workforce.

What's most troubling is the lack of attention the issues of patient privacy and data security have garnered from healthcare executives. Despite the rapid escalation of threats the industry has faced in the past few years, cybersecurity is only just now being noticed at the highest levels of healthcare organizations. Even Risk Managers – those who are responsible for quantifying and prioritizing all risk in the organization – have been difficult to engage.

In some ways it's understandable why patient privacy has taken a back seat in terms of competing priorities for Risk Managers. The physical safety of the patients will always be the biggest focus. But cybersecurity threats cannot be underestimated. Patient privacy might be the biggest cybersecurity threat right now, but a rise in malware that targets medical devices means that significant risks to patient safety aren't far behind.

Risk Managers have got to take control of this issue, or else face a number of very serious ramifications:

Significant fines
The Department of Health and Human Services is not playing games. In late 2016 Advocate Health Care was levied with a $5.5 million fine – the largest HIPAA settlement ever received – for multiple data violations. Jocelyn Samuels, Director with the Office for Civil Rights (OCR), left no questions about the OCR's commitment to punishing organizations that don't sufficiently defend patient privacy. "We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals' ePHI is secure."

Given the fact that the average cost of a data breach has already eclipsed $2 million4, huge financial losses loom over the heads of every organization that delays in adequately securing patient data.

Loss of reputation
According to a recent healthcare survey conducted by TransUnion, more than half of recent hospital patients would be willing to switch healthcare providers if their current provider experienced a data breach. That in and of itself is concerning. It gets even worse, however, when you consider the fact that of those patients willing to switch providers, 73% of them are age 18-34. Potentially long-term patients that could be walking away from a provider forever, over an issue that was most likely preventable.

-Threat to patient safety: Given the low levels of security inherent in the majority of medical devices, malware poses a clear and present danger. One easy example is the Zotob worm, which not only caused fetal heart monitors in a natal intensive care unit to keep rebooting, but also repeatedly infected research servers posing as MRIs and defibrillators. That's just one example of a whole host of threats that have the power to disrupt care and even possibly injure or kill patients.

-Board of Director Liability: Board members are generally not liable for the actions of lower-level employees. They can be, however, if the employee's actions -- such as negligence in protecting patient data -- affects the welfare of the company.

- Federal Trade Commission (FTC) actions: In this day and age, simply complying with HIPAA regulations is not enough. The FTC has been increasing its authority under the FTC act and can levy additional sanctions for unfair or deceptive business practices.

Taking Control
There are two main steps Risk Managers should take as soon as possible to prevent their organizations from becoming the next cybersecurity casualty.

1. Since you can't know where you're going until you know where you are, you should start by taking a fresh, honest look at the cybersecurity risks your organization faces. It may be that your preparedness levels are just fine. Until you assess the situation, however, you can't accurately quantify and prioritize the risk.

2. Engage in frank discussions with business leaders about how your organizations current protections stack up and what the organization's official approach to cyber security will be. Are you compliant with existing regulations? If so, do you consider that baseline level of compliance to be adequate protection? Discuss the pros and cons of transferring the risk (e.g. insurance) to mitigating it (e.g. deploying a behavior monitoring/analytics solution). You should also discuss either updating your existing incident response plan or starting the process of creating one.

The threats to patient privacy and data security are not going way anytime soon. If there was ever a time for "all hands on deck," that time is now. Risk Managers need to take a position of leadership in protecting their organizations, and they need to do it now, before it's too late.

1 16th Annual Benchmark Study on Privacy and Security, Ponemon Institute
2 16th Annual Benchmark Study on Privacy and Security, Ponemon Institute
3 TransUnion Healthcare Data Breach Survey
4 16th Annual Benchmark Study on Privacy and Security, Ponemon Institute

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2021. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Featured Whitepapers

Featured Webinars