Topics
Reimbursement
Proposed inpatient payment rates 'woefully inadequate' AHA says
Proposed inpatient payment rates 'woefully inadequate' AHA says
Revenue Cycle Management
Healthcare consumerism: Helping improve the patient payment journey
Healthcare consumerism: Helping improve the patient payment journey
Strategic Planning
Intermountain Health spinoff Culmination Bio announces partnership 
Intermountain spinoff Culmination Bio announces partnership 
Capital Finance
Tech investment must bring value to care delivery
Tech investment must bring value to care delivery
Supply Chain
HIMSSCast: Embrace technology to replace the mundane tasks
HIMSSCast: Embrace technology to replace the mundane tasks
Accounting & Financial Management
Cigna reports $277 million net loss amid VillageMD Clinic asset decrease
Cigna reports $277 million net loss amid VillageMD Clinic asset decrease
Budgeting
Insurers likely to pay $1.1 billion in rebates this fall
Insurers likely to pay $1.1 billion in rebates this fall
Quality and Safety
Hospitals improve their patient experience and infection scores  
Hospitals improve their patient experience and infection scores  
Billing and Collections
No Surprises Act implementation coincided with in-network claims growth
NSA implementation coincided with in-network claims growth
Claims Processing
UnitedHealth's 'band-aid' payment for Change disruption falls short, hospitals say
UnitedHealth's 'band-aid' payment falls short, hospitals say
Workforce
HIMSSCast: The need for home care continues
HIMSSCast: The need for home care continues
Operations
HHS seeks input from payers on Change cyberattack response
HHS seeks input from payers on Change cyberattack response
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Henry Ford, Michigan State research center to be built for $335 million
Henry Ford, MSU research center to be built for $335M
Compliance & Legal
MGMA wants Change to take responsibility for HIPAA breach notifications
MGMA wants Change to take responsibility for HIPAA breach notifications
Policy and Legislation
HHS strengthens disability discrimination protections
HHS strengthens disability discrimination protections
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
Moving beyond financial incentives to engage specialists in ACOs
Moving beyond financial incentives to engage specialists in ACOs
Acute Care
Acute Hospital Care at Home data released 
Acute Hospital Care at Home data released 
Ambulatory Care
Walmart announces closing of clinics and virtual care
Walmart is closing clinics and virtual care
Analytics
Children's Hospital Colorado creates analytics resource center
Children's Hospital Colorado creates analytics resource center
Business Intelligence
Racial disparities put further strain on primary care
Racial disparities further strain primary care
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
CMS overhauls meaningful use EHR program, renames it 'Promoting Interoperability'
CMS overhauls meaningful use as 'Promoting Interoperability'
Medicare & Medicaid
More Medicare enrollees are choosing supplement plans, data shows
More Medicare enrollees are choosing supplement plans
Patient Engagement
Commonwealth Fund creates employer-based health insurance task force
Commonwealth Fund creates health insurance task force
Pharmacy
Evernorth offering Humira biosimilar for $0 out-of-pocket
Evernorth offering Humira biosimilar for $0 out-of-pocket
Population Health
CDC: Hospitals no longer required to report COVID-19 data
CDC: Hospitals no longer required to report COVID-19 data
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth boosts outcomes, spending, as regulatory flexibilities are in question
Telehealth boosts outcomes, spending
Mergers & Acquisitions
Novant Health and CHS counter FTC bid to block hospital deal
Novant Health and CHS counter FTC bid to block hospital deal
View more
Jul 30, 2019 More on Compliance & Legal

Healthcare's number one financial issue is cybersecurity

The cost of a healthcare breach is about $408 per patient record and that doesn't include the loss of business, productivity and reputation.

Susan Morse, Executive Editor

Cyber attacks affect the finances of every hospital and insurer like no other.

"I've seen estimates of over $5 billion in costs to the healthcare industry annually," said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. "That's enormous and is not going away."

Beyond the cost to find a solution to fix breaches and to settle any civil complaints are fines from the Department of Health and Human Services Office of Civil Rights. In 2018, OCR issued 10 resolutions that totalled $28 million.

The HHS Office of Civil Rights is stepping up breach enforcement of private health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor handling civil and criminal investigations for the Department of Justice.

What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.

"There is no perfect cybersecurity," Rivera said. "They say it's not perfection, it's reasonable efforts. That's going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents."

Also, hospital finance professionals who are relying more on contractors for revenue cycle management and analytics should take note on the security issues involved in sharing this information.

"Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information," Rivera said. "It's more valuable on the dark web."

It's also not easily fixed.

If an individual's credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.

THE IMPACT

Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system's IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.

Hospitals are behind because first, it's a challenge to keep up with the move to more information being in electronic form.

"There's no hospital that doesn't have mobile EHR information," Rivera said. "Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks."

Also, the focus of healthcare has always been patient care. The population health explosion also involves the sharing of information.

And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.

RECOMMENDATIONS

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

Hospitals should be able to determine where certain data goes off the rail, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.

"You don't want to learn about a data breach because the FBI saw it on the dark web," Rivera said. And some hospitals have.

It's a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It's like locking down doors and windows.

The first thing that's needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.

Prices for other cybersecurity measures vary from a software purchase that could be in the millions, to having vendor monitoring.

But the cost of a healthcare breach is about $408 per patient record and that doesn't include the loss of business, productivity, reputation and the service disruption.

Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.

THE LARGER TREND

OCR enforcement activity during 2018 demonstrates the agency's continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.

Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise;    implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing private health information is security compliant.
The OCR concluded 2018 with an all-time record year for HIPAA enforcement  activity. The OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016. 

In addition, OCR also achieved the single largest individual HIPAA settlement  of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.

Twitter: @SusanJMorse
Email the writer: susan.morse@himssmedia.com
 

 

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.