On a regular basis in this blog, we counsel business leaders to think like big corporations. Large businesses budget for cyber security and recovery costs; smaller businesses would be wise to do the same.
This advice goes double for any business operating in the healthcare sector.
Why? Because your industry is ranked as the one most at risk by both the Ponemon Institute and Trend Micro, having suffered hundreds of data breaches. Some security consultants estimate that one in every 10 U.S. healthcare firms suffered at least one data breach during the past two years.
And the threat isn’t limited to sprawling organizations. Ninety percent of the worst breaches last year were suffered by providers, which tend to be smaller companies with fewer files. The Office for Civil Rights (OCR) of the Department of Health and Human Services, the agency that investigates HIPAA infractions, now reviews incidents with fewer than 5,000 affected records.
The scope of this mounting cybersecurity threat, which spans the full range of small to large operations, is making data breaches in healthcare the most expensive of any industry in the U.S. The costs come from a potentially debilitating chain of events including downtime, notifying and protecting customers, investigation, and possible regulatory fines. For example, in January 2017 OCR announced a $475,000 settlement involving just 836 affected individuals and a $2.2 million settlement over 2,209 records. Damaged reputation and lost customers are harder to quantify, but they surely last longer and drain unseen dollars, too.
How do you mitigate these costs? Here’s a recommended regimen for healthcare businesses:
- Train all your staff. Across all areas of your organization, human errors can drain as much as 4% of revenue. Most breaches result from one person’s mistake, unwitting or careless. But people are your biggest line of defense, too. A recent study featured in HealthData Management suggests your organization can decrease security risk by as much as 70% by increasing awareness of the pivotal role employees play.
- Identify and fix your biggest operational risks. Then you can plan what you spend and when. Currently, healthcare organizations spend just 3%-10% of their IT budgets on security, while finance, banking and federal agencies spend twice that much.
- Develop and test your breach recovery plan. A good plan includes containment, corrections and prompt notification. Evaluate identity protection services so you can enroll your patients quickly.
- Consider cyber insurance. Healthcare businesses are prime targets, so the benefits may outweigh the cost.
You don’t have to go it alone. Hiring an IT Managed Services Provider (MSP) can reduce the likelihood you’ll suffer an attack. Their experts stay current with best practices and constantly evolving threats — and guide your security and recovery plan. Dollars spent here reduce the dollars you must spend if a breach occurs, in hard costs, lost time and damaged reputation.