For healthcare organizations, cyber breaches are less a question of “if” than “when.” Why? Personal medical information is worth 10 times more than a credit card number on the black market. What’s for sale? Names, birth dates, policy numbers, diagnosis codes and billing information. Your health credentials can go for about $10 each and may be used to create false insurance claims or fake IDs to buy medical equipment or drugs for resale. Unlike credit cards, which tend to be cancelled quickly after fraud is detected, it may take years to realize that your health information is being used fraudulently.
2015 witnessed four of the five largest healthcare data breaches in history – Anthem (78.8 million individuals), Premera Blue Cross (11 million), Excellus Health Plan (10 million) and the University of California at Los Angeles (4.5 million). Already in 2016, Hollywood Presbyterian Medical Center was impacted by ransomware, when hackers demanded $3.6 million in Bitcoin for the return of its servers including its electronic health record system (ultimately paying $17,000 in ransom within a week of the attack).
In light of this imminent threat, what is a healthcare organization to do?
Invest in encryption
- With declining reimbursement and cost pressures, many have been slow to ramp up health information security and build encryption into software used to create electronic patient records. According to Modern Healthcare’s recently released 26th annual Survey of Executive Opinions on Key Information Technology Issues, more than half (53%) of all providers this year say their organizations are encrypting personally identifiable data in storage, so-called “data at rest.”
- While there may be some sympathy for healthcare organizations that have been targeted by hackers, sympathy goes out the door when consumers learn that they didn’t take the basic step of encrypting patient data. Anthem and UCLA Medical Center learned this lesson the hard way.
Early identification and communication wins the day
- A 2015 survey from TransUnion Healthcare found that nearly half of consumers (46%) expect a response or notification within one day of the breach and 31% of consumers expect to receive a response or notification within one to three days.
- While this may seem like a no-brainer, there was a significant lag in the identification and communication of UCLA’s data breach. UCLA started investigating a potential data breach in October 2014, but didn’t announce the breach until July 2015. In contrast, Anthem discovered its breach on January 27, 2015 and announced it on February 4, 2015. Critics harshly attacked UCLA for its communication timeline, while Anthem won some support for its quick response.
Be ready
- Here’s your warning. If you are a healthcare organization, you need to be ready for a cyber breach. We’ve seen attacks increase steadily, with the stakes continually rising. Organizations with a comprehensive cyber breach communications plan react smarter and faster. Demonstrating that you took every possible step to help prevent the crisis, from encrypting data to developing a comprehensive plan, moves the organization from villain to victim and helps to fend off any potential criticism.
- Are you ready for a data breach? PadillaCRT’s Crisis IQ tool is a 3-5 minute questionnaire that can help you find out.
At the end of the day, what’s at stake for healthcare organizations, and for provider organizations in particular? For starters, affected organizations can generally expect lawsuits from affected patients citing violations of consumer and patient privacy protection laws. But how does a cyber breach impact the organization’s reputation? TransUnion Healthcare’s survey found that more than half of recent hospital patients are willing to switch healthcare providers if their current provider has a data breach, and 65% would avoid healthcare providers that experience a data breach.
In this new world order, can consumers afford to be so reactive to data breaches? Or will they become immune to them as they become the new normal?