The healthcare industry led the nation in regulating information security. To safeguard protected health information (PHI), healthcare organizations are required to protect patient data against any reasonably anticipated threats or hazards. A risk assessment is required, but knowing your risk is not enough: steps must be taken to fix the issues it uncovers and to prevent data loss. Most other industries and states are now adopting regulations of their own. The basics are the same: do your due diligence to protect data or face the consequences.
The Breach
The University of Rochester Medical Center (URMC) recently agreed to a $3,000,000 settlement with the HHS Office for Civil Rights (OCR). URMC reported a breach in 2013 when an unencrypted flash drive was lost, and reported another in 2017 when a personal laptop holding unencrypted ePHI was stolen from a treatment facility. The penalty may seem steep given that only 43 patients' data was on the stolen laptop. The bigger issue, however, was the lack of progress in breach prevention between the first incident and the second: the same failure, unencrypted PHI on a portable device, recurred years later.
The Cost
Beyond the OCR settlement, a breach can cost an organization much more. According to the IBM Security Cost of a Data Breach Report 2019, healthcare is the industry with the highest average breach cost at $6.45 million, not including fines. Lost business was the largest contributor, accounting for 36% of that total. Other factors include detection and escalation, notification of affected parties and post-breach cleanup.
Corrective Action
The corrective actions mandated by the OCR look very similar to the measures an organization is expected to take to prevent a breach in the first place:
- Conduct a Risk Analysis
- Implement a Risk Management Plan
- Implement customized Policies and Procedures
- Train your staff
- Create and maintain a body of compliance evidence
Prevention is always cheaper
URMC faces a guaranteed loss of $3,000,000 plus the further expenses of breach cleanup, notification and potential loss of business. Our cyber risk management service, covering assessment, reporting and remediation, starts at $699/year for a small organization. Our automated tool, CyberCompass™, puts you in charge of your cyber risk, cybersecurity and compliance. It addresses all the requirements listed above and saves you 70% of the typical cost, time and effort. An easy-to-use dashboard prioritizes your corrective actions so you can work through them at your own pace. With built-in regulations for most industries, start your move toward Cyber Confidence® today.
Contact Us for more details or visit thirdrock.cybercompass.co