$5.6 Billion a Year: The Cost of HIPAA Breaches to the Healthcare Industry

A recent announcement from the Ponemon Institute has shown the serious threat cyber attacks pose to the healthcare industry and should serve as a warning that security must be improved.

The cost to the industry is massive. Data breaches are estimated to cost the healthcare industry $5.6 billion a year, and those funds could be put to much better use improving healthcare facilities and conducting important research.

While the report shows a small reduction in the number of data breaches reported last year, the volume of patient records affected is considerable, and the number of cyber attacks on healthcare providers – and other covered bodies – has grown at a tremendous rate, with the number of hacking-related incidents up by 100% since 2010.

While targeted hacks on insurers and healthcare providers are clearly on the rise, many data breaches are caused by ignorance of data security rules and simple carelessness by physicians and hospital employees. It may not be possible to prevent data breaches in all cases – hackers are using more sophisticated methods to gain access to healthcare data – but the number of data breaches can be reduced, and the number of people affected minimized, by adopting basic security measures and tackling sloppy working practices.

Larry Ponemon, founder and chairman of the Ponemon Institute, remarked, “The people in the healthcare industry are good people who sometimes do stupid things, and that is the source of a lot of the problems,” and added, “they’re trying to get their work done, they feel under pressure, they’re in the business of caring for patients, and they don’t want to waste time to do more security or take that extra step to protect privacy.”

The growth in the use of mobile devices in the healthcare industry makes privacy violations much more likely in the future. Android and iOS phones allow information to be sent instantly to work colleagues, and while this can improve the care given to patients, it puts their privacy at risk. Many of the devices used to send PHI are not secured and do not employ data encryption. Hackers may not be interested in individual records sent via unsecured text messages when millions of records can be obtained from insurance companies and healthcare providers, but the devices still pose a major risk.

Healthcare data is also shared more often now, since the move to electronic health records. Covered bodies employ business associates to complete essential functions, such as website maintenance, cloud storage and software development, and many of these companies and individuals are given access to PHI.