Reports have splashed across the pages and screens of media outlets with frightening regularity about security breaches at healthcare provider organizations as well as patient data being held for ransom by opportunistic cybercriminals.
The Ponemon Institute, an independent research firm, noted in its 2016 "Benchmark Study on Privacy & Security of Healthcare Data" that breaches of information systems at hospitals are occurring with increased frequency, and will likely continue at an unabated rate as cyber threats evolve and cybercriminals become even more audacious.
The survey provides the viewpoints of people responsible for, or involved with, digital security at hospitals and hospitals' partners. As a leader of a medical group, you cannot say, "That's not me or my problem." If anything, a medical group has more to worry about.
Interestingly, 95 percent of businesses that experience a breach are small companies. While hackers are not discerning when it comes to size, healthcare is at the top of the list. The reason healthcare is such a "high-value target" is that not only is it relatively easy to gain access to this information, but the data also has great value to the cybercriminals.
Costs of a Hack
If your group is hacked and patients' credit card information, Social Security numbers, and/or birthdates are taken, the Ponemon Institute estimates the cost of recovery to be more than $200 per record. Along with that comes the cost of complying with state and federal mandates, notifying all affected patients and covering an assortment of high-priced liabilities. There's also the price a group pays for eroded reputation. The National Cyber Security Alliance reports that as many as 60 percent of small and medium-sized businesses that experience a data breach go out of business after six months.
It's where the money is
The root cause of data breaches among most healthcare organizations is a criminal attack. It's the digital era's equivalent of Willie Sutton's response to the question, "Why do you rob banks?" Back then it was where the money was. Today it's in data stores at healthcare providers. In fact, 65 percent of respondents to the Ponemon survey indicated successful attacks targeted medical files and billing and insurance records.
On the deep web, the hard-to-get-to, dangerous part of the Internet, one can find a virtual bazaar for credit card account information and other valuable data that quickly gets sold to the highest bidder.
To address this "what can I possibly do!?" circumstance, there's cybersecurity insurance. Not surprisingly, it's one of the fastest growing forms of insurance, expected to grow tenfold over the next decade. Like most such forms of protection, this insurance transfers some of the financial risks of a breach to the insurer. However, because it's a new insurance form, premiums are steep and the extent of a medical group's liability is often not crystal clear. Also, this insurance doesn't begin to touch the loss of revenue due to the damage done to your medical group's reputation.
More Security, Less Risk
There is something simpler and appreciably less expensive a medical group can do. Medical groups can transfer and change where and how they house their patients' credit card information. If it's not on your system, it won't be stolen if you're hacked.
By working with a firm that can present statements and collect payments electronically, you make the risk those credit card numbers represent no longer your responsibility. Unlike your group, these services operate under industry-recognized security standards for storing, processing and transmitting credit card information.
All of this can be summed up with words you often hear being said to a patient at your group: "Let's take care of this now before it becomes something much worse."