Avoiding the High Cost of Breaches: Analyst Offers List of Preventive Steps
Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, bases his estimate on the total cost of healthcare breaches on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.
As of Aug. 25, there were 146 cases affecting 4.8 million individuals on the list of major breaches compiled by the Health and Human Services' Office for Civil Rights.
In addition to direct costs -- such as a forensic investigation, modification in security strategies, legal defense and credit protection for victims -- organizations face hefty indirect costs, such as the loss of current and new customers who no longer trust the organization, Hourihan notes.
In an interview, Hourihan outlines key breach prevention steps. They include:
- Conducting a detailed risk analysis. "Focus your limited budget on the highest risk areas," he stresses;
- Encrypting mobile devices and media as well as desktop computers. Although the theft or loss of mobile devices is the leading cause of breaches so far, several incidents have involved the theft of desktop devices, he notes;
- Working with business associates to ensure they take adequate security steps. Relying simply on a business associate agreement "is grossly inadequate," he says. In cases where relatively low risk is involved, organizations should review business associates' documentation of security steps and interview executives about policies and enforcement. In higher-risk scenarios, organizations should consider hiring a third party to review a business associate's security program and develop an action plan;
- Educating staff about security procedures and the reasons behind them. For example, physicians, nurses and others should be aware that "a lack of security can affect the safety of patients," such as if their records are altered or unavailable;
- Investigating whether to limit the amount of patient information stored on mobile and desktop devices, relying instead primarily on network drives and other central storage;
- Requiring vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies;
- Guarding against data loss, such as by banning file sharing programs on computers. "Make sure people are aware of the risks of downloading from an untrusted website," he says.
Hourihan recently conducted a detailed analysis of breach statistics based on information on 108 breaches reported to federal authorities. That analysis determined, for example, that 20 percent of cases involved business associates.
At HITRUST, Hourihan leads the ongoing development of the Common Security Framework. The framework helps organizations demonstrate security and comply with various regulations, including the HITECH Act and HIPAA.