Gamblers spend years and fortunes trying to “beat the odds” often to no avail. They know they are taking a major risk but they are looking for the big payoff.
If you are a numbers person, you boil things down to statistics or dollars and cents. Those numbers help you make decisions based on how many dollars (or whatever you value) you can risk.
If you aren’t serious about managing your security these days you either have not run the numbers completely or for some reason think there is a big payoff out there for getting by without one.
In 2011, The Poneman Institute stated in their annual report on data breaches that any organization’s likelihood of experiencing a breach of data over a 12-month period was a “statistical certainty”. Let’s just say things aren’t getting dramatically better on that front in 2014. Let’s look at some numbers.
Last week Poneman released their Fourth Annual Patient Privacy and Data Security study. They conducted 388 interviews with 91 different Covered Entities. Some good news but…..
- The number of data breaches decrease slightly. But, the decline is because in last year’s report 45 percent of organizations had more than 5 breaches but this year that number dropped to 38%. There are fewer reports of more than 5 breaches in the reporting period. Not necessarily fewer organizations with breaches.
- Based on the reported data the average economic impact of data breaches over the past two years for the healthcare organizations represented in this study showed a decrease of almost $400,000 or 17 percent since last year. But, it is still $2.0 million.
- Half of healthcare organizations are compliant with the post-incident risk assessment requirement in the Final Rule. But, 49% say they are not compliant or only partially and 39% don’t think what they have is really good enough.
- Ninety percent of healthcare organizations in the study have had at least one data breach in the past two years.
- Criminal attacks on healthcare organizations increased 100 percent since 2010.
- Employee negligence is still considered the biggest security risk.
- Seventy-three percent of organizations have little or no faith that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. The business associates Ponemon Institute: Private & Confidential Report states: they worry most about are IT service providers, claims processor and benefits management. Only 30 percent any confidence that their business associates are appropriately safeguarding patient data as required under the Final Rule.
These numbers make it clear that HIPAA Breach, Security and Privacy Rules are really needed in order to protect your patients, as well as your business, in this brave new world. Even then, you could still have a breach but at least you are making an effort to prevent or reduce them.
Also, all you Business Associates out there should take note and proactively show your clients you respect and accept the responsibilities you have to be properly compliant.
Security shouldn’t be an afterthought or considered just a hassle. It is a central part of doing business today unless, of course, you function only with insecure data using paper and no computers.