A recent study underlines the costly recovery process that can stem from healthcare cybersecurity breaches.
As previously discussed, healthcare cybersecurity breaches can have a costly and lengthy recovery process. Facilities must not only grapple with potential HIPAA fines, ranging from $100 to $50,000 per violation, but must also prove to their patients once again that they can keep protected health information (PHI) secure.
In the last year, numerous healthcare data breaches have shown the dangers of providers and insurance companies having lax security measures in place. The sector lags behind other industries, such as finance, in its cybersecurity measures. This may be one reason why healthcare was the most frequently breached industry last year.
According to the 2014 Cyber Claims Study by Net Diligence, 23 percent of reported cyber insurance claim payouts were from healthcare companies. The financial services industry was right behind, accounting for 22 percent of cyber attacks.
The fourth annual cyber study interviewed insurance underwriters about data breaches and the claim losses they sustained. Net Diligence looked at the type of data exposed, the cause of loss, the business sector in which the incident occurred and the size of the affected organization.
Contrary to other studies on the causes of data breaches, hackers were the leading cause of cybersecurity issues, according to Net Diligence data. Hackers accounted for 29 percent of losses, while staff mistakes accounted for 13 percent and malware/virus for 11 percent of breaches. Overall, insiders, meaning both staff mistakes and rogue employees, accounted for almost one-quarter of the dataset, the report stated.
For the healthcare industry specifically, insider threats had a huge effect. Only 23 percent of the claims in the dataset occurred in healthcare, yet that sector was responsible for 40 percent of malicious insider incidents. Additionally, malicious incidents tended to expose a larger number of sensitive records than unintentional ones did: the number of records exposed by malicious incidents was approximately double that exposed by unintentional incidents, the data showed.
“The same holds true for costs,” the report explained. “Despite the fact that the single largest payout for an insider claim event was caused by a staff mistake, overall, malicious incidents tended to result in much higher costs.”
Regardless of the type of organization, the cost factor can be devastating.
“The two largest claim events had virtually nothing in common – one involved a small number of PHI records and the other a large number of PCI records – yet legal/regulatory costs for both were in the millions of dollars,” the report said.
Legal costs can also weigh heavily on organizations that experience a data breach. The average cost of legal defense was $698,797, while the average cost of a legal settlement was $558,520.
Healthcare cybersecurity and HIPAA violations committed by organizations will continue to be a main focus for regulators going into 2015. Last month the Office of Inspector General (OIG) announced that its 2015 Work Plan will bring greater scrutiny to certain areas of HIPAA compliance. The OIG will review hospitals' EHR contingency plans for the first time, and will also determine the extent to which hospitals comply with the contingency planning requirements of HIPAA.