A rural medical center facing threats of data breaches discovered that hospital IT security investments go beyond just dollars and cents.
At a Glance
- Investing sufficiently in IT security is not only essential for a healthcare organization’s protection but also a responsibility to patients, and its success depends on its being addressed at every level of management.
- Hospital data security breaches have the potential to cost as much as $7 million, including fines, litigation, and damaged reputation. Response and cleanup alone can cost hundreds of thousands of dollars.
- Developing and following an annual action plan for IT security can lower hospitals’ IT security costs in the long run.
Fraud and medical identity theft are at all-time highs across the healthcare industry as criminals seek to exploit sensitive and highly valuable information. The increased incidence of healthcare data breaches is in large part a consequence of digitization of patient information, but it has been fueled by indiscriminate attacks by mostly foreign-based organizations.
In a recent survey conducted by the Ponemon Institute, researchers found that healthcare data breaches increased 32 percent from 2010 to 2011, with the average cost per organization growing 10 percent in 2011. At the same time, research indicates the healthcare industry is not putting necessary resources into IT security, with surveys showing the industry spends little more than half as much as other regulated industries do in this area. Wyoming Medical Center in Casper, Wyo., is a notable exception to this trend.
Lessons Learned in Wyoming
Wyoming Medical Center has successfully fended off its share of the IT security attacks the healthcare industry typically sees today. From its first security risk assessment in 1996, after HIPAA went into effect, to the technology security efforts still under way at the hospital today, Wyoming Medical Center has learned that investing in IT security is not only feasible on tight budgets, but also necessary if a healthcare system wants to maintain its reputation for putting patients first.
Wyoming Medical Center successfully held off attacks on its firewall first from Russia, then from Brazil. However, an initial IT security risk assessment revealed that the medical center was at risk not only from outside attacks that put patient information at risk, but also from internal threats, whether intentional (e.g., by a disgruntled employee trying to cause harm) or purely accidental.
Although Wyoming Medical Center had limited resources and staffing to stay on top of quickly evolving technology, its leaders decided IT security should be a top priority. They pledged that the organization’s patients would leave the hospital in better condition than when they came, with the security of their data assured.
Likening an IT security initiative to bringing in an outside auditor for financial audits, the medical center contracted with an IT consultant for a more thorough risk assessment to identify immediate trouble spots and to enhance the security of its IT network. The audit flagged a host of high-risk items the organization’s leaders never suspected existed, such as lack of a disaster recovery plan and passwords that were not as secure as they should be in a healthcare provider setting.
In the first year, Wyoming Medical Center set to work to fix each of the high-risk items. Some of the fixes, it found, were easy, such as strengthening employee password requirements. Others required capital investment, such as enhancing the physical security of the data center and updating network switches. The question became one of risk acceptance versus risk mitigation: once the cracks in the organization’s IT security foundation were exposed, the finance and IT departments together weighed which cracks represented the greatest threat and how much staff time and revenue the medical center could spare to close each potential point of breach. Ultimately, the highest-risk areas were funded and addressed right away, while the remaining problems were deferred to the next budget cycle.
Among the other first steps, the medical center created a disaster recovery plan that mapped out where the most critical data were in the system and outlined a plan to protect and manage that data. It also created a business continuity plan that prioritized which computer systems were needed immediately to keep the medical center functioning and which systems could wait to go back up. The cost of the initiative was less than the cost of having a full-time IT security officer.
Training staff on IT security and the importance of password management became the norm, with hospital officials using as examples other hospitals that didn’t get it right. Beyond formal training, the CIO and others provided informal training, explaining to staff why data security was important (and not just because of HIPAA security requirements). The organization now conducts annual IT security training for all employees.
From this experience, Wyoming Medical Center identified four best practices that other healthcare organizations should consider adopting to enhance their own IT security and lower their risk for data breaches.
Conduct an objective, thorough risk analysis of IT security. Wyoming Medical Center’s leaders were blind to many of the IT challenges that faced their organization, which made it critically important for them to perform an objective, thorough risk analysis. Such an analysis should peel back and test every layer of IT security—from administrative to technological needs—with a fresh eye toward how the system functions for staff and which areas should receive greater attention. Then, priorities should be set among IT security risks, and each area of risk should be addressed until the organization achieves the level of protection and compliance recommended in its risk assessment.
There are no do-overs when it comes to IT security, so cutting corners should be avoided. A data breach can be costly to the hospital’s finances and credibility, but a virus introduced into vital surgical or interventional radiology systems could prove deadly. Doing the right thing always has a cost, whether in terms of people, technology, or capital, yet it is a cost that no hospital should hesitate to assume. Wyoming Medical Center discovered that IT security, if managed correctly, can actually lower costs by avoiding the expense of unexpected outages caused by poorly maintained systems. The key is budgeting and planning ahead of time for IT needs. Organizations that do not maintain their systems to an acceptable level risk falling victim to a virus that spreads across a large portion of their network.
Investment in IT security should not be a one-time initiative. Both technology and threats are continually evolving, which means a hospital or health system’s IT security efforts should adapt regularly to keep pace with change. Since 2005, Wyoming Medical Center has undertaken an annual assessment to stay on top of changes in IT hardware and software as well as new regulations and concerns.
Be creative in your approach to IT security. To augment a small internal security staff, Wyoming Medical Center considered many creative options, including managed security services and strategic partnerships. Once the medical center found that it lacked the budget to hire a certified IT security specialist, it chose to invest in managed security services to meet its IT needs more fully. In addition to annual risk analysis and continued network and system vulnerability testing, Wyoming Medical Center receives on-call support day and night.
For Wyoming Medical Center, all the lessons and efforts have paid off, and the work it did ultimately withstood a real test. A complaint alleging a possible privacy violation by the hospital was filed with the Office for Civil Rights; the complaint was not substantiated, and the hospital’s policies and procedures worked exactly as designed. The organization also has never had a data breach of any kind.
Don Claunch is senior vice president and CFO, Wyoming Medical Center, Casper, Wyo., and a member of HFMA’s Wyoming Chapter.
Mac McMillan, CISSP, is cofounder and CEO, CynergisTek Inc., Austin, Texas.
Balancing the Costs and Benefits of IT Security
Many organizations view IT security in terms of a traditional ROI. Calculating the ROI of IT security is not easy, because it does not directly generate revenue, but it is possible to examine the potential costs of an ineffective program and a breach of protected health information.
The most apparent financial threat of a healthcare data breach comes in the form of civil monetary penalties imposed under HIPAA regulations. With the total cost of a breach averaging about $200 per compromised record, any sizeable breach can result in immediate and substantial losses.
Another direct financial threat involves litigation. To date, numerous class action lawsuits have been filed against healthcare organizations that have suffered breaches. Although it is not easy to predict the potential damages incurred as a result of legal action following a breach, losses often fall in the range of several million dollars.
For example, as a result of the October 2011 data breach experienced by Sutter Health in Sacramento, Calif., involving the theft of a password-protected, unencrypted desktop computer from a Sutter Health administrative office, 11 class action lawsuits have been filed against the organization. If successful, the lawsuits ultimately could cost the organization between $944 million and $4.25 billion, not including attorney fees and court costs.
In 2013 and beyond, data breach lawsuits will likely seek compensation on grounds broader than harm alone. Many of the more recently filed lawsuits allege negligence and breach of contract rather than merely claiming that harm occurred, as the earlier suits did. Courts dismissed many of those earlier lawsuits, but the recent ones are being heard, creating significant financial risk for healthcare organizations that have not adequately protected themselves against a data breach.
Beyond these concerns, a large data breach can damage an organization’s reputation, with potentially disastrous results.
Other tangible and intangible costs of a breach are also significant: fees for outside forensic or investigative support, fees for victim credit protection services, lost operational time for staff members involved in incident response and cleanup, and the cost of notifications. It is not uncommon for data breaches to cost between $4 million and $7 million in total, and response and cleanup alone can easily amount to hundreds of thousands of dollars.
For healthcare CEOs and CFOs, setting priorities among IT security investments means balancing resources and the cost of staffing, whether internal specialists or outside consultants, against the potential costs to the organization should its IT security fail.
Publication Date: Wednesday, May 01, 2013