How do you prioritize security at your healthcare organization? Underinvestment in security is a challenge in healthcare compared to other industries. According to data from the HIMSS Analytics Healthcare IT Security and Risk Management Study, less than 6% of a healthcare organization's IT budget is allocated to IT security, significantly lower than in other industries. It is possible that security has been deprioritized in favor of efforts that streamline operations or bring in revenue. However, the idea that your organization can save money by short-changing its security program is flawed. Cutting corners on security and compliance can end up costing significantly more, either in the ongoing overhead of an inefficient security program or, worse, in cleaning up after a breach.
Here are some dollars-and-cents considerations to keep in mind when thinking about security spending at your organization:
Healthcare Data Is Unique and Valuable
Cybercriminals are motivated to sell stolen personal information for profit. While data such as Social Security numbers is a commodity that sells for about $1 per record on the black market, electronic health data sells for around $50 per chart, according to the FBI Cyber Division. Part of the reason is durability: a stolen card number can be cancelled and reissued, but a medical record cannot, so it stays usable for identity, insurance and prescription fraud long after the breach. At that price point, it is no wonder cybercriminals target health information, and the value of that data also explains why criminal attacks are the number one cause of data breaches in healthcare. By attacking a healthcare organization, cybercriminals can access medical records as well as personal data such as Social Security numbers and credit card information. Healthcare organizations are essentially a one-stop shop for all the valuable data an attacker could want.
“Checking the Box” On Compliance Isn’t Good Enough
The biggest mistake a healthcare organization's security program can make is to assume that being compliant is enough to protect against a breach. Security and compliance are not the same thing. Compliance frameworks measure a fixed set of controls at a point in time; attackers are not bound by that checklist and will go after whatever the audit did not cover. While some frameworks do a good job of raising awareness and establishing a security baseline for organizations to follow, simply checking the compliance box does not mean you are secure. Your organization and your data are still exposed to risk.
Make sure you understand the difference between security and compliance, and develop a security program that couples a strong compliance plan with a thorough, risk-driven security agenda.
You Think Security Is Expensive? How About a Breach?
Trying to save money on your security program will not pay off in the long run. The Ponemon Institute's 2017 global study puts the average cost of a data breach at $3.62 million. The study also notes that a criminal or malicious attack, the most common type of breach in healthcare, is costlier than a breach caused by a system glitch or human error. That is not all: healthcare has still more to think about compared to other industries. While the average cost per lost or stolen record across industries is estimated at $141, the average cost per stolen record in healthcare is $380.
And Now There’s Ransomware to Worry About
Recent ransomware attacks have organizations around the world on edge about the security of their data. It is important that healthcare organizations understand why they are especially vulnerable to these kinds of attacks. Cybercriminals know that healthcare organizations are under more pressure to get their systems back up and running because patient lives are at stake. In addition, in large, complex organizations with many interconnected systems, it can take longer to identify the source of an attack and contain it, which means more systems are encrypted before the spread is stopped. For cybercriminals there is a lot of value in attacking healthcare organizations because there is a high likelihood of receiving a ransom payment. The practical counter is to reduce that leverage before an incident: tested offline backups and network segmentation between clinical and business systems make it possible to restore operations without paying.
Don't cut costs in the area where it could cost you the most. Invest the time, money and resources to develop a comprehensive program that covers both security and compliance, and only work with partners who prioritize security and are proven leaders in security and compliance for healthcare organizations.
Learn more about the difference between security and compliance in healthcare: [On-Demand Webinar] PCI, EMV, HIPAA and More: Making Sense of Security and Compliance for Healthcare Payments