Good news, kinda sorta, for healthcare compliance professionals worried about data breaches: the total number of reported breaches fell last year, as did the number of patient records exposed; and the portion of breaches caused by accidental disclosure or lost devices fell, too.
Taken altogether, one might even say that all those data privacy efforts your organization undertakes are, ya know, working.
This news comes from Bitglass, an IT security firm that targets the healthcare data market. It released its fourth annual Healthcare Breach Report today, based on data from the U.S. Department of Health & Human Services. HHS maintains a “Wall of Shame” website listing reported breaches of healthcare data.
First, the number of individuals affected by healthcare breaches plummeted from 16.5 million in 2016 to 4.7 million last year — a drop of 72 percent. The decline is even steeper from 2015, although that year includes two “mega-breaches” at Anthem and Premera Blue Cross that totaled more than 100 million records. Exclude those mega-breaches, and the decline from 2015 to 2017 is still 64 percent. See Figure 1, below.
For compliance officers, the most important part of the above chart is the large amount of red compared to those two slivers of blue. Red indicates healthcare records breached via some type of outside hacking. Blue indicates healthcare records breached due to lost or stolen devices (dark blue) or unauthorized disclosure (light blue).
More red, less blue; that’s what this chart shows. And while any breached record is unwelcome, breaches due to outside hackers are primarily the IT security department’s problem. Breaches due to sloppy human error — employees leaving laptops on the subway or answering that phishing email — are the compliance department’s problem. This data suggests that over the last four years, you’re solving it.
Bitglass also says that even as the total number of breaches zigzags somewhere around 300 per year (328 in 2016, 294 last year), the portion of those breaches attributed to hacking has risen steadily. That has pushed the portion of breaches due to other causes down. See Figure 2, below.
The bad news (did you really think a post about data breaches would have no bad news?) is that the cost of remediation per breached record increased, from $316 in 2016 to $380 last year. And the average breach last year compromised more than 16,000 patient records. So that’s a remediation cost of $6.1 million per breach.
Lessons in Breaches
If compliance officers can draw any conclusions from this report, it’s that investment in training, policy, and procedures for awareness of data security risk does lead to results that compliance officers want to see: less human error.
Compliance officers still need to work with IT security departments, especially to understand the number of cloud-based vendors handling personal health information (PHI) on your behalf. (Remember, according to other reports about data security, companies still do a poor job understanding how many third parties access their sensitive data.) Armed with that information, you can then work on improving oversight of those third parties.
And since your CFO or audit committee is bound to ask: How could you bring down those remediation costs, anyway?
Some of those costs are fixed by law and good business practice: providing credit monitoring to affected patients, for example; or sending written notices to all affected parties. You can’t avoid those steps, nor the costs they bring.
Other steps for breach disclosure can be improved over time. For example, the faster you diagnose the severity of a breach, the more quickly you can begin notification to patients. The more uniform your disclosure processes are, the less money it takes to run through them. Yes, the United States has dozens of different breach disclosure regimes at the moment, but the more you can develop a single process to satisfy as many disclosure standards as possible, the more you can keep that cost-per-breached-record down.