Cybersecurity is the Next Consumer Decision Point

Don’t let vulnerability tarnish your reputation.

More than 25 million individuals have had their health data breached so far this year.[1] That’s 8% more than at this time last year and 29% more than in the same period of 2020. Eighty percent of the breaches reported through the HHS Office for Civil Rights Breach Portal this year were due to malicious attacks, which are increasing rapidly across healthcare organizations and their affiliates.

The headlines about cyberattacks are constant and the costs to organizations and communities are high. Breaches disrupt operational stability and put patients at risk, so it’s no surprise that increasingly savvy healthcare consumers are thinking twice about who they trust with their data.

Healthcare data: high volume, high value, high cost

The increase in cyberattacks on healthcare organizations is due to the high value and high volume of data they manage. Stolen health records sell for 10 times more than stolen credit cards. Why? Because healthcare data include four key areas of valuable information about people and systems:

  • Personally identifiable information (PII) like name, date of birth, social security number, etc.
  • Financial information like credit card and bank account numbers
  • Protected health information (PHI) like clinical information, health insurance and billing details
  • Sensitive company data like research information[2]

Most attacks occur via phishing, compromised business email and exploited software vulnerabilities. But risks are rising in other areas too, such as application programming interface (API) security and insider attacks. Credentials were the most commonly targeted type of data.

Healthcare organizations of all types, including business partners, are paying the price:

  • HHS Office for Civil Rights resolved eight healthcare data breach investigations from 2021 resulting in more than $13 million in collections.[2]
  • A malware attack on Scripps Health last year cost $113 million to remediate.
  • 56 breaches at healthcare organizations this year occurred as a result of an attack on a business partner or vendor, impacting nearly 8 million individuals.
  • Recent attacks on multiple revenue cycle management companies have exposed more than 1.4 million patient records managed by their healthcare partners.

The average healthcare data breach costs an organization $10 million – the highest of any industry. The average cost of lost business associated with each incident is $1.4 million due to system downtime, cost of lost customers and reputational damage.[3]

Breaches diminish trust. Trust drives consumer decision-making.

Healthcare consumers are concerned about protecting their data and choose organizations they can trust to keep their personal information safe. Once trust is diminished, consumers will seek options with other companies where they feel more secure. After a data breach, 8 out of 10 people say they will stop engaging with a brand or company to protect their information.[4]

In addition to losing trust in an organization’s ability to keep their data safe, patients also lose trust when care quality declines. According to a 2021 CISA report, mortality rates increased as a direct result of cyberattacks.[5] Critical system downtime causes treatment delays, which negatively impact outcomes and ultimately result in higher mortality.

Not only are healthcare organizations seeing patients leave their systems after breaches, they’re also facing more lawsuits as a result. In 2021, consumers filed 43 lawsuits against hospitals following data breaches, which keeps the negative press circulating and further damages already diminished reputations.[6]

Don’t put your patients or brand at risk

Hospitals and healthcare organizations need to make information security a top priority to prevent financial risk, avoid losing patients and maintain their reputational integrity. Here are quick tips to avoid significant damage:

Put consumers at ease – make sure their data is secure. Make cybersecurity part of your culture and ensure it’s part of your partners’ culture.

  • Establish a documented cybersecurity program and incident response (IR) plan that follows HIPAA and HITRUST protocols. The average cost per incident for organizations without an IR team or plan was 58% higher than for organizations with established teams and plans.
  • Make sure security teams are adequately staffed to meet information security needs. Organizations with understaffed security teams had higher-than-average costs per data breach.[7]
  • Ask your partners and business affiliates about their security measures to ensure they are not putting your data at risk. Any company that handles your data is a potential point of compromise, and a breach on their side exposes you.

If an incident occurs, act swiftly. Once a data breach occurs, an immediate, informed response can help diminish the negative impact on your organization and community.

  • Be transparent with impacted patients. Don’t wait the full 60 days to notify patients if you don’t have to. Quickly assess and contain the situation, validate the patient exposure and launch a breach investigation. Notify all impacted departments and patients with the facts and your action plan.
  • Report the breach and the required details to the HHS Office for Civil Rights within 60 days if 500 or more individuals are affected, to ensure timely documentation and avoid noncompliance fines. Ensure your business affiliates have a protocol in place to notify your organization immediately after a breach, to avoid delays and penalties.
  • Focus on reestablishing trust with patients. Once notification occurs, help patients navigate next steps. Consider providing complimentary services like credit monitoring to help them regain a sense of security and trust in your organization.

Prevent future threats. More than 80% of organizations impacted by data breaches have had one before.[8]

  • Don’t let history repeat itself when it comes to cyberattacks. Regularly review and revise your cybersecurity plan to anticipate new threats and prepare new responses that mitigate future risk.
  • Educate employees and partners on their role in preventing data breaches and on best practices for keeping information safe and secure. Regularly evaluate training initiatives to ensure they are effective and compliant with HIPAA requirements.

With more than 50 data breaches impacting healthcare organizations and their patients each month, cybersecurity will continue to be a critical focus for healthcare leaders as well as the patients they serve. Make sure you’re earning the trust of your community, keeping the confidence of consumers and maintaining your reputation by strengthening your commitment to information security.

____

Learn more about Ensemble’s commitment to information security, including achieving the HITRUST Risk-based, 2-year Certification for our proprietary EIQ® revenue intelligence platform and our flagship facility.

References:

  1. HHS: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information
  2. HITECH: Annual Report to Congress on Breaches of Unsecured Protected Health Information
  3. IBM: Cost of a Data Breach Report 2022
  4. Business Wire: 81% of Consumers Would Stop Engaging with a Brand Online After a Data Breach, Reports Ping Identity
  5. CISA: Provide Medical Care is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm
  6. Healthcare Finance: Patients increasingly suing hospitals over data breaches
  7. IBM: Cost of a Data Breach Report 2022
  8. IBM: Cost of a Data Breach Report 2022