As children, many of us feared nothing more than blemishing our permanent records. Fail a test? That’s going on your permanent record. Get caught napping in class? That’s on your record, too. So as adults, it’s comforting to know that we no longer need to fear these records—we’re in the clear, we’ve made it… Unless we’re in the healthcare field, in which case our failings are publicly posted to the Wall of Shame.

The Department of Health and Human Services’ breach portal (a.k.a. the Wall of Shame) is a public list of healthcare organizations that have reported a breach affecting over 500 people. These breaches often involve PHI, or Protected Health Information, which covers anything from hospital bills to diagnoses. For a company, the fallout from a breach is bad enough on its own, but inclusion on this list is an additional public stamp of “We’ve messed up.” And “messing up” is putting it lightly, since a breach can affect revenue, patient trust, and reputation.

The Aftermath of a Breach

Time and Revenue

A breached healthcare provider is going to have a lot to worry about. First, they’ll have to figure out the cause of their breach: was it an end-user error, a software problem, or a lack of updates and backups? Once they identify the cause, they’re obligated to take steps to fix it. A solution might mean investing in employee training, buying additional physical or network security devices, or moving their data to another platform. It could even mean revamping their security program entirely. Whatever they eventually decide, the solution will take time and money, and most likely far more of both than if they’d built a cybersecurity culture from the beginning.

After figuring out what went wrong, a company will need to determine exactly what’s gone missing or been destroyed. Is there a way for them to get their data back? Was the leaked information confidential? Depending on the number of people affected and the type of data released, a company might be responsible for informing its patients about the breach. However, a simple email isn’t enough—instead, they’ll have to send hundreds of letters by mail.

In postage alone, the costs are exorbitant, and writing and sending this mail can take hours and hours. Additionally, some companies will be fined for their breach. Without the right backup structure, they might have no option but to pay the cybercriminal’s ransom and hope the data is released. (Interestingly, a good cyber insurance policy will set money aside for things like this under first-party coverage, which shows how seriously these crimes are taken.) The point is, these costs add up quickly. And yet, they’re nothing compared to the potential damage to a company’s reputation.

Patient Trust and Reputation

Along with fines, a breached healthcare provider will likely find itself on the Wall of Shame. This isn’t a good look for a company; no matter how many new security measures they implement, their former breach will remain public knowledge. Sure, the Wall of Shame updates every two years, but two years is a long time. And even after their name’s removed, a more abstract permanent record will follow them—people talk, and people remember, and they could continue to hold that breach against them.

Patient trust can be difficult to build. It’s even harder to build back up. Additionally, developing a reputation takes time and effort, and a single breach can smear a company’s name indefinitely (if you can’t trust your physician to keep your SSN secured, would you trust them to perform your surgery?). For this reason, HIPAA compliance is important for any healthcare company; although HIPAA isn’t a foolproof system, it’s an integral added defense between a company and cybercriminals.

Why is HIPAA Compliance Important?

Technically speaking, all you need to be HIPAA compliant is a plan covering any gaps in your security—this plan will include specifics about those gaps, such as how and when you plan to fix them. However, compliance doesn’t mean invulnerability, and if you have a breach, you’re still liable for any damages. But if you’re compliant and make good on your plans, you’re less likely to suffer a breach at all.

HIPAA’s standards are so exacting that companies outside of the healthcare field use them as well. Unlike healthcare companies, these other companies aren’t legally obligated; they’ve simply realized that HIPAA works. And if companies are using HIPAA standards for added protection, it only makes sense for the healthcare field to take HIPAA seriously as well. Healthcare employees handle sensitive data daily; although most of these professionals have a general grasp of HIPAA, they need to become better informed about technology and its vulnerabilities.

You don’t want any blemishes on your permanent record, and you don’t want your practice appearing on the Wall of Shame. So, remember: stay awake in class, secure your data, and above all, practice HIPAA compliance.