Cybersecurity should be at the forefront of any business's mind, and this is especially true for healthcare organizations. Healthcare organizations have become a primary target for hackers because of the wealth of information they hold on patients. Read the healthcare cybersecurity facts you need to know below.
Healthcare Cybersecurity Facts
- Human error causes the majority of breaches
- Implementing an incident response plan can mitigate breaches
- Breach investigations may be drawn out and you could face costly fines
- Breach victims can open state investigations
- Reputational damage and downtime can lead to lost profits
- Some breaches lead to businesses closing permanently
- HIPAA compliance protects you against breaches and fines
Human error causes the majority of breaches
According to Cybint, 95% of breaches are caused by human error, so when it comes to healthcare cybersecurity, your employees are ultimately your biggest weakness. Over the past couple of years, this issue has been exacerbated by the dramatic increase in the remote workforce. The Ponemon Institute's annual breach report found a 10% increase in breaches compared to the previous year, which can be largely attributed to the growth of the remote workforce. This is why training employees on cybersecurity best practices is just as important as implementing security measures to secure data.
Implementing an incident response plan can mitigate breaches
In today's world, breaches are inevitable. Being prepared for the inevitable breach can make all the difference when it comes to the associated costs. According to the Ponemon Institute, organizations that had a tested incident response plan reduced the cost associated with a breach by 54.9%. This is because these organizations were able to detect the breach more quickly, making it easier to contain and thus reducing the damage caused. The damage done when a breach is drawn out often leads to downtime, disrupting business processes and contributing to lost revenue.
Breach investigations may be drawn out and you could face costly fines
Healthcare organizations that are breached are often investigated by the Department of Health and Human Services Office for Civil Rights (OCR). The purpose of these investigations is to determine whether or not a HIPAA violation led to the breach. In many cases, OCR investigations can last years, especially when the organization has failed to comply with HIPAA requirements. Healthcare organizations that are found to have failed to meet HIPAA requirements are subject to fines, corrective actions, and OCR monitoring.
Breach victims can open state investigations
Although under the federal HIPAA law individuals do not have a "private right of action," that is, the right to sue a healthcare organization for a HIPAA violation, individuals can file lawsuits at the state level for violations of a state consumer privacy law or data security law.
Plaintiffs can file suit, as long as:
- The state consumer privacy law or data security law expressly provides for lawsuits to be filed, and
- The lawsuit is alleging a violation of the state’s privacy or data security law (as opposed to a “HIPAA violation”).
When breaches are large-scale, affecting individuals in multiple states, plaintiffs can file multi-state lawsuits against the breached healthcare organization. In 2020, a multi-state case filed against Anthem was settled for $39.5 million, after 43 states joined in a case regarding a massive phishing incident.
Reputational damage and downtime can lead to lost profits
Critical business functions can be affected as the result of a data breach, which can cause disruptions in operations. These disruptions coupled with the breach itself can damage a business’s reputation. Studies have found that 29% of businesses experience a loss of revenue as the result of a breach, with 38% of those businesses suffering a revenue loss of 20% or more.
Some breaches lead to businesses closing permanently
In some instances, organizations never recover from a breach. The costs associated with informing affected patients and dealing with the aftermath of the breach have caused businesses to file for bankruptcy. In several cases, these healthcare organizations have been forced to permanently close their doors after a breach.
HIPAA compliance protects you against breaches and fines
HIPAA compliance and cybersecurity go hand in hand. Several key components of HIPAA bolster an organization’s cybersecurity practices, making this one of the most important healthcare cybersecurity facts.
HIPAA requires healthcare organizations to:
- Conduct annual employee training so that they adequately protect patient data;
- Have an incident response plan in place to enable quick detection and recovery from breaches; and
- Conduct annual security risk assessments to identify deficiencies in security practices.
Not only does HIPAA compliance prevent breaches and aid in breach detection, it also protects organizations against fines. When a healthcare organization is investigated by OCR as the result of a breach, OCR determines whether or not the organization's negligence led to the breach. When healthcare organizations have met all of HIPAA's requirements, they have made a "good faith effort" to ensure the privacy and security of protected health information, and thus are not subject to fines.