Cybersecurity and Protected Health Information: Not Being Prepared is Costly

By Teru Olsen
Attorney
Ryan, Swanson & Cleveland, PLLC

Original Publish Date: December 6, 2016

The healthcare industry has been the largest target of cybersecurity threats in the last five years. The average cost of attacks is rising year over year with the healthcare industry having the highest per capita cost of compromised records. According to surveys of benchmarked companies in the United States, the average cost of record compromised per capita of data breaches for the health industry is $402, compared to the next highest industry, Life Science, of $302, with the median being $221.¹ The heavy regulations, and requirements on companies when HIPAA violations occur, are driving healthcare companies to take a second look at how they handle personal health information, and what they can do to alleviate the burden involved in protecting against cyber threats and the costs involved in doing so.

While the industry is shifting toward maintaining electronic records of Protected Health Information (“PHI”), the greatest losses of PHI are still in printed records. However, as records shift to servers and the cloud, healthcare companies are becoming more susceptible to social engineering hacks, ransomware attacks, and risks from vendors that have access to the company’s electronic systems.

Healthcare organizations need to step back and understand the types of cyber threats to their business, and which adversaries might want to compromise them. Getting a plan in place is critically important to dealing with the risk. Oftentimes healthcare organizations are insufficiently prepared to answer these important questions:

How is PHI stored and encrypted? How often is it backed up?
What levels of access do employees have to these records?
What hardware is connected to the system? How often is the software patched?
Who is the first person that we call if a threat is detected?
How are employees trained to report potential threats?

Organizations should act now to establish an incident response plan. The plan should involve those at the C-suite level in order to conduct an initial inventory and assessment to educate those in charge of budgeting against the risk of a cybersecurity threat. Surveys show that once you know what valuable information you have, how your system moves that information around, and have an incident response plan in place for what to do if that information is threatened, you will have already greatly reduced the cost in dealing with a threat.

The cyber scams that threaten businesses are constantly evolving. Small and medium breaches are becoming more prevalent, and data shows that organizations experiencing PHI loss are spread fairly evenly among small, medium and large entities. As part of the analysis of addressing evolving threats to PHI and other information, there are multiple options available, like teaming up with a cybersecurity firm, binding a cybersecurity insurance policy, upgrading software and hardware, and increasing employee training to create a culture of awareness. These options should all be reviewed, and not just by those in the organization’s IT department, because there will always be a balance of weighing costs of security against the flow of operations.

Documenting the steps taken to address cyber threats is becoming more important as well. Many states are passing laws providing private rights to bring actions against organizations that have been hit with a cyberattack and have had records compromised. Class action lawsuits are becoming more prevalent and settlements in the hundreds of millions of dollars are not as outrageous as once believed. Circumstances such as not having any record of C-level employees being involved or briefed on the company’s cybersecurity protocols, failure to involve attorneys at the outset of a threat, and utilizing outdated software can expose healthcare organizations to terminal liability.

Contacting a cybersecurity firm is a simple first step. Connecting with attorneys who have relationships that can help your company identify internal value, assess risk, and recover a threat is another important step and well worth it. Remember, there are just two types of organizations when it comes to cybersecurity - those that have been hacked, and those that don’t know that they’ve been hacked.

Teru Olsen is a member of Ryan Swanson’s Litigation Practice Group. Reach him at 206.326.5736 or olsen@ryanlaw.com.

¹ Ponemon Institute Research Report, 2016 Cost of Data Breach Study: United States.