One Security Breach per Day Now in Healthcare


Healthcare Data Breach Incidents Are Soaring

In 2016, healthcare data breaches had risen to an average of one significant breach per day, and 2017 is on track to exceed that grim milestone. According to the 2017 Protenus “Breach Barometer” mid-year report [pdf, 22Mb], healthcare is suffering from an onslaught of breaches that shows no signs of letting up. Developers should take note and do all they can to ensure their systems, devices and data are as secure as possible. The costs of failure are climbing right along with the number of breaches.

Breach Statistics Are Telling

Available data tells us that the impacts of health data breaches are enormous. And these impacts are being felt by consumers as well as by the healthcare industry itself:

  • The total number of individuals affected by healthcare breaches was about 31.5 million in 2014. By August 2017, that total had risen to about 175 million.
  • In the recent past, lost or stolen unencrypted devices such as laptops and portable drives were responsible for the largest portion of healthcare breaches. During the past two years, however, hacking and IT “incidents” have overtaken device theft as the leading cause of breaches under investigation by the OCR, HIPAA’s primary enforcer.
  • According to a 2017 Accenture survey, one out of every four US consumers has had their healthcare data stolen, and about half of all such breaches resulted in identity theft.
  • Healthcare breaches were most likely to occur in hospitals (36%), followed by urgent-care clinics (22%), pharmacies (22%), physicians’ offices (21%) and health insurers (21%).
  • According to the Ponemon Institute, the average cost associated with a healthcare data breach is now $380 per record, a small decline from the previous year’s cost.

Indirect Breach Costs Are Adding Up as Well

According to another Protenus report, indirect costs associated with healthcare breaches are also taking a toll on the industry:

  • Forensics costs associated with health data breaches average about $610,000 per incident.
  • Breach notification costs, on average, $560,000 per breach.
  • Costs associated with lawsuits related to healthcare breaches average $880,000 per incident.
  • Protenus found that every breach results in approximately $3.7 million in lost revenue, while Accenture estimates lost revenue could be up to $113 million over the long term.
  • Healthcare organizations also suffer lost brand value after significant breaches, with Ponemon estimating an average loss of $500,000.
  • Post breach cleanup costs average about $440,000 per incident.
  • The average recent OCR penalty is $1.1 million for organizations that are found to be at fault.

What Can Developers Do to Minimize Breach Risks and Costs?

Clearly, with health data breaches rising and new malware constantly being deployed, software and device developers must take appropriate steps to minimize their chances of creating or allowing breaches. The following actions are recommended to help developers better protect health data and prevent breaches:

  1. Become and Remain Fully HIPAA Compliant – HIPAA may seem to be nothing more than a regulatory burden and a headache to some. In fact, HIPAA is a compilation of established ‘good’ and ‘best’ IT and business practices that, when fully implemented, dramatically reduce the odds of data breaches.
  2. Monitor Your Business Associates Closely – While BAs contribute only about 20 percent of the total number of reported breaches, they are responsible for about half of the largest breaches, and a very large portion of the overall number of breached records. While developers are typically BAs themselves, they should be keenly aware of the terms in every BA Agreement they sign. In addition, developers should be monitoring all their BAs for compliance with BA Agreements and watching for telltale ‘red flags’ that could provide early warning of privacy or security problems.
  3. Encrypt Everything – Developers should never forget that, according to HIPAA Regulations, properly encrypted data that is lost, stolen or compromised does NOT require breach notification. Stop wondering which records or database tables to encrypt and encrypt everything containing health data, including all data at rest and data in transit. Build the additional cost into your business models.
  4. Practice Good Data Governance Principles – Investors and large hospitals understand that good data governance is far more than a catchphrase. Data governance is a corporate philosophy that establishes a culture of data privacy and security awareness throughout an organization, from the CEO down to the hourly worker. Good data governance reduces the odds of an organization suffering a data breach – and its very expensive consequences.
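To make the “encrypt everything at rest” recommendation in item 3 concrete, here is an added example (not code from this article or from MedStack) showing what “properly encrypted” looks like for a stored health record: AES-256-GCM, an authenticated mode, with a fresh random nonce per record and the record identifier passed as associated data so that a ciphertext copied into another row fails to decrypt. The function names, the record id scheme and the sample record are assumptions made for this example; the key source is also an assumption, and in a real deployment the data key would be fetched from a KMS or HSM rather than generated in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNotAuthentic is returned when the stored bytes, the nonce or the
// associated record id differ from what was sealed.
var ErrNotAuthentic = errors.New("record failed authentication: tampered or mismatched")

// newGCM wraps a 32-byte key (AES-256) in an AES-GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one record for storage. The record id is passed as
// associated data: it is authenticated but not encrypted, which binds the
// ciphertext to its row. Output layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the nonce is stored with the record.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord opens a sealed record; any modification of the stored bytes
// or use of the wrong record id yields ErrNotAuthentic instead of garbage.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrNotAuthentic
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, ErrNotAuthentic
	}
	return pt, nil
}

// NewDataKey returns a random 256-bit key. Assumption for this example only:
// production keys come from a KMS/HSM and are never stored next to the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"Jane Doe","dob":"1970-01-01","dx":"J45.20"}`)

	sealed, err := EncryptRecord(key, "patient-1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes (%d plaintext + %d nonce/tag)\n",
		len(sealed), len(record), len(sealed)-len(record))

	pt, err := DecryptRecord(key, "patient-1001", sealed)
	fmt.Println("roundtrip ok:", err == nil && string(pt) == string(record))

	// A single flipped bit in storage is rejected rather than decrypted to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "patient-1001", tampered)
	fmt.Println("tamper detected:", errors.Is(err, ErrNotAuthentic))

	// The same ciphertext copied under another record id also fails.
	_, err = DecryptRecord(key, "patient-2002", sealed)
	fmt.Println("wrong record id detected:", errors.Is(err, ErrNotAuthentic))
}
```

Two points follow from the design. First, the breach-notification safe harbor the article refers to rests on the data being unreadable to whoever takes it, so the key must live somewhere the stolen database or device does not (a KMS, an HSM, or at minimum a separate key store with its own access controls); a key sitting beside the ciphertext leaves the data effectively unencrypted. Second, an authenticated mode such as GCM covers the integrity half of the problem that plain CBC-style encryption does not: altered or swapped records are detected on read, which is also a useful signal for detection and incident response. Data in transit is normally handled by TLS configuration on the service rather than by application code like this.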

Software and device developers in the healthcare space should take the alarming rise in breaches, and breach costs, as a wake-up call to step up their game. While the cost of compliance and data security may seem high, the cost of failure is far higher.

