In the news nearly daily there is talk about a data breach, a hacking incident, or a cyber crime. Most practices do not think about this until it happens to them, unfortunately it could be devastating. Most experts now state that it is not IF this happens to you, but WHEN. The costs associated with a breach are widespread, see below for some examples.
- notification costs (postage, call center, toll free numbers, etc.),
- remediation costs (network scans, forensics, etc.),
- reputation management (online and in print),
- depending on the cause of the breach, you may encounter fines and penalties.
According to the Ponemon Institute, medical breaches are more costly ($408 ) than other small businesses ($148) per record. For example, if you have 5,000 patient records and you can’t determine which of the records were accessed or compromised you must notify all of the patients. That equates to $2,040,000.00. The main cause of data breaches were 48% due to malicious code or criminal attack, 27% due to negligent employees or contractors (business associates), and 25% due to system glitches and business process failures. When it comes to reputation management, this is critical after a breach. Especially in health care since it has the highest rate of churn because patients have more choices.
We are taught to be proactive with our health. We exercise, eat right, and make sure we get enough sleep. We see our physician to make sure our blood work has the correct levels and we have tests performed to catch any early detection of disease.
We should do the same for our business. Just think what would happen to the business side of a medical practice if their data was compromised, stolen, or encrypted. Most small businesses do not survive after a data breach. Here are some helpful hints to protect your practice and your business:
- Conduct a network security audit to ensure your network is as secure as possible.
- If you do not have an enterprise firewall, add one to your network. Be sure to have custom security policies implemented on your device.
- Review all of your computers and be sure to use business operating systems, antivirus/malware, and software.
- Work on your Risk Management Plan, understand your vulnerabilities and mitigate them to the best of your ability.
- Education. Keeping all staff including the physicians educated on safe computer practices and only permitting work related surfing on company computers. Knowledge about the dangers and consequences of their actions can greatly reduce the chance of a breach.
- Make sure the business associates that you use are HIPAA compliant. When you use other companies to assist you, it is the responsibility of the practice to ensure they know how to protect your data.
- Invest in cyber liability insurance. Cyber liability insurance covers the cost of notifying patients, data restoration, extortion, and reputation management. It is best to obtain a policy from a knowledgeable agent that specializes in this area since there are many variables in this type of coverage. Also, may sure you read the exclusions. You may not have the coverage you think you do. Many medical malpractice or general liability policies have small token amounts included, this is NOT enough. Review the number of medical records, paper and electronic and insure them accordingly.
To find out more about how our automated HIPAA compliance platform can help your organization click here: