Avoiding the High Cost of Breaches

Analyst Offers List of Preventive Steps
A total estimated price tag of nearly $1 billion for dealing with the aftermath of major breaches reported to federal authorities so far should motivate healthcare organizations to take aggressive steps to improve security, one analyst advises.

Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, bases his estimate on the total cost of healthcare breaches on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.

As of Aug. 25, there were 146 cases affecting 4.8 million individuals on the list of major breaches compiled by the Health and Human Services' Office for Civil Rights.

In addition to direct costs -- such as a forensic investigation, modification in security strategies, legal defense and credit protection for victims -- organizations face hefty indirect costs, such as the loss of current and new customers who no longer trust the organization, Hourihan notes.

Prevention Steps

In an interview, Hourihan outlines key breach prevention steps. They include:

  • Conducting a detailed risk analysis. "Focus your limited budget on the highest risk areas," he stresses;
  • Encrypting mobile devices and media as well as desktop computers. Although the theft or loss of mobile devices is the leading cause of breaches so far, several incidents have involved the theft of desktop devices, he notes;
  • Working with business associates to ensure they take adequate security steps. Relying simply on a business associate agreement "is grossly inadequate," he says. In cases where relatively low risk is involved, organizations should review business associates' documentation of security steps and interview executives about policies and enforcement. In higher-risk scenarios, organizations should consider hiring a third party to review a business associate's security program and develop an action plan;
  • Educating staff about security procedures and the reasons behind them. For example, physicians, nurses and others should be aware that "a lack of security can affect the safety of patients," such as if their records are altered or unavailable;
  • Investigating whether to limit the amount of patient information stored on mobile and desktop devices, relying instead primarily on network drives and other central storage;
  • Requiring vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies;
  • Guarding against data loss, such as by banning file sharing programs on computers. "Make sure people are aware of the risks of downloading from an untrusted website," he says.

Hourihan recently conducted a detailed analysis of breach statistics based on information on 108 breaches reported to federal authorities. That analysis determined, for example, that 20 percent of cases involved business associates.

At HITRUST, Hourihan leads the ongoing development of the Common Security Framework. The framework helps organizations demonstrate security and comply with various regulations, including the HITECH Act and HIPAA.


About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
