For many things in health care, if you don’t spend the energy and resources to reduce risks now you will likely pay for it later. However, if you wait until later it will cost more to take care of the problem than it would have to prevent it. We all know if we eat healthy, exercise and get our routine medical and dental examinations the risk of serious health conditions is reduced. Catching a disease early could mean the difference between surviving or not. There are of course exceptions. We can all probably think of someone who did not embrace a healthy lifestyle and lived past ninety. And we might also know someone who took very good care of themselves and still got cancer or had a heart attack. For example, Jim Fixx, author of The Complete Book on Running and an avid, fit runner died at age 52 of a heart attack.
So what does this have to do with your privacy and information security program? It is the same issue. Strong privacy and information security measures are good preventative medicine. If an organization does not expend the resources to put in place strong privacy and data security measures to prevent, detect and respond to breakdowns and compromises to the system there will be issues. Most agree for healthcare organizations it is not a question of if but when. It is similar to the patient who knows there is plaque in the coronary arteries and that it will impact cardiac function. The unknown is how much the impact will be and when it will occur. But the patient might be able to reduce or even avoid the impact with a change in diet and an increase in exercise.
Impact of Prevention in Healthcare Privacy and Security
One does not need to look far to see the impact of healthcare’s lack of privacy and information security preventative medicine. Breaches are occurring with higher and higher frequency. The Office for Civil Rights (OCR) wall of shame has almost 1,660 entries for organizations reporting breaches affecting more than 500 individuals as of mid-September 2016.
Whether the issue is a hack because the organization has a weak security infrastructure, significant system down time because there is not a strong business continuity/emergency preparedness plan, or failure to recognize identity theft because the organization is not monitoring accesses to its system or the unencrypted lost or stolen laptop; strong privacy and data security measures can help reduce the risk of all of these. Yet there are still health care organizations who don’t put these measures in place. Why?
Often times it is a matter of where to expend resources. So how can the leaders of the organization be convinced spending money on privacy and information security will result on a positive return on investment? It is often difficult to “sell” this to business leaders. They understand return-on-investment, but for these risk reduction and avoidance measures the ROI is generally only quantifiable if there is an incident.
Cost of a Breach
While difficult, it is still worth the effort. First, present information on what an incident might cost the organization. There are helpful resources to quantify this, such as the 2016 breach cost study conducted by the Ponemon Institute. The total number of entities surveyed was small (62) but the information identified was consistent with prior years’ trends. The average cost of an incident per record compromised across all industries was $221. The cost per compromised health care record was $402.
The study also identified the direct costs associated with a data breach were only about one-third of the total costs. Indirect costs accounted for the remaining two-thirds. Indirect costs encompass the cost of having personnel deal with the data breach instead of dealing with operation of the organization. Part of this cost is having individuals responsible for patient care not providing patient care because they are helping with the investigation or attending re-training. Based on the method for calculating indirect costs it appears the cost of the clinician’s time away from patient care is included (their salary) but not the lost revenue because there are no patient charges being generated by that same clinician. So the cost is likely greater than indicated.
OCR Enforcement Actions
It may also be helpful to present evidence of OCR’s ever increasing enforcement actions. In the first two-thirds of 2016, OCR had resolved cases with ten entities for just over $20.3 million dollars. That is over three times the total dollar value for resolution agreements settled for the prior year. The average was just over $2 million per entity but five of the ten accounted for $17.1 of the total, which is an average of almost $3.4 million each. In 2015 the OCR settled cases with six organizations for just under $6.2 million. One organization that year paid $3.5 million so the average for the remaining entities was just under $540,000.
OCR also reported it handled nearly 21,156 complaints in 2015 which was almost a 20% increase over 2014 and more than double what was handled in 2012. It is becoming abundantly clear that enforcement is on the rise along with the cost of responding to and handling a privacy and data security incident.
When a significant breach occurs the cost to investigate it, remediate the underlying issue and deal with the remainder of the aftermath can be several times what the ultimate settlement with OCR might be. Plus it is difficult to quantify the impact on the organization’s reputation. Calculating some simple numbers for leadership can bring this home. If the average cost of a compromised record is $402 and if the breach involved 1,000 individuals, it would be cost over $400,000. If that same breach involved records of 10,000 then the cost would be over $4 million dollars.
Another method of attempting to persuade them is a reminder of the mission of the organization. Most healthcare organizations will say providing high quality care to patients is the cornerstone of their mission. But when the leaders of the organization talk about the mission how often do they include caring for patient information as part of patient care. This expanded view of what it means to provide patient care may make it easier for health care leaders, many of whom are health care providers, to put in to context that expenditures for privacy and information security are part of the cost of caring for patients.
Good preventative medicine is always recommended by health care providers, but that is not a guarantee the patient won’t get sick. Similarly, strong privacy and information security features cannot guarantee the organization won’t experience an incident, but like preventative healthcare, the organization can hopefully avoid incidents or significantly reduce the impact when they do occur.