Cybersecurity and compliance: Big problems for smaller companies

In health care, security breach costs about $402 per patient record
Tuesday, October 22, 2019

ATLANTA – With most security breaches affecting small- and medium-sized businesses—not the Targets of the world—HME providers can’t afford not to prioritize cybersecurity, said speaker Carol Albaugh.

Providers are doing business in an environment where health care recently surpassed finance as the industry most targeted by hackers, said Albaugh, a technical solutions consultant at VGM.

“It’s so rich in the kind of data that hackers are looking to sell on the black market,” she said. “You’re talking about patient names and addresses, their Social Security numbers. With that information, they can open bank accounts and purchase homes. That’s why health care is being targeted.”

The costs of a security breach are huge, Albaugh said: It rings up at about $402 per patient record, and 60% of companies go out of business within a year of a breach.

“To think about your risk level, multiply $402 by your number of patient records,” she said. “That’s what’s active, what’s in storage—even your paper records, as well.”

There’s also the cost to a company’s brand, which can result in losing customers and contracts, Albaugh said.

To address cybersecurity concerns, as well as compliance concerns, providers need to have a strong security and risk assessment on file that addresses administrative, physical and technical considerations. When the Office of Civil Rights audits providers, the agency tends to focus on this assessment and on business associate agreements.

“(OCR) audits are going to pick back up again,” said Kelly Grahovac, a senior consultant at The van Halem Group, “and these were the big ones for fines (in the past).”

When asked what the best practices are for security and risk assessments and whether or not providers should hire a third party, Grahovac said it depends on the level of sophistication of their organization, particularly their IT and security personnel.

Grahovac also advised attendees to return to their assessment with any change to the organization.

“It’s not a one and done,” she said.

Albaugh and Grahovac also emphasized the importance of HIPAA policies and procedures, and employee training.

“Educate, educate and then re-educate,” Albaugh said. “Once a year is not going to cut it.”