Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm and Cheryl Reifsnyder, PhD
Over the past several years, the number of data breaches in healthcare has been climbing steadily. Global cyberattacks increased an average of 38% for all industries from 2021 to 2022, and the increase is even greater in healthcare. During the same period, healthcare organizations averaged 1,463 cyberattacks per week worldwide—an increase of 74%—while U.S. healthcare organization cyberattacks increased 86% to average 1,410 per week.
Practices are not only seeing increased numbers of cyberattacks; today’s cyberattacks are increasingly sophisticated. More and more often, a cyberattack can negatively impact patient care, interfere with business operations, expose sensitive health information, and negatively affect a practice’s reputation.
In this article, we will look at the potential costs of a data breach—and the relevance of these costs to smaller practices. Keep reading to learn how to protect your practice in a landscape of soaring cybersecurity risk.
IBM Security® publishes an annual Cost of a Data Breach report. The most recent edition was based on more than 3,600 interviews with individuals at organizations across 17 industries that experienced data breaches between March 2021 and March 2022. This report showed that the average cost of a data breach in healthcare has risen to more than $10 million, making healthcare the costliest industry for data breaches for the 12th consecutive year. The 2022 reported cost ($10.1 million) represents a 9.4% increase from the 2021 cost of $9.23 million and an increase of over 40% from 2020.
Compromised data in healthcare also have a higher cost per record—approximately $250—than in any other industry.
There are numerous factors contributing to healthcare’s higher data breach cost. The cost of an individual breach varies with the number of patient records compromised. It also depends on the level of culpability that the HHS Office for Civil Rights assigns to the underlying HIPAA violation, in particular whether it finds willful neglect. Civil penalties are assessed per violation, not per exposed record: depending on the culpability tier, each violation can result in a fine between $100 and $50,000, subject to an annual cap of $1.5 million for all violations of an identical provision (these statutory amounts are periodically adjusted for inflation). Where a violation of the Security Rule is ongoing, each day it continues can be counted as a separate violation, up to the same $1.5 million cap per calendar year, so a practice that failed to put reasonable safeguards in place can accrue substantial penalties on top of the breach itself.
Lost business contributes to a data breach’s cost as well. A data breach can cause business disruption and loss of revenue from system downtime. It can also cause loss of reputation and diminished goodwill, which can result in the loss of customers. Attempts to minimize this loss of customers and business disruption generate additional costs, as do efforts to acquire new customers.
Under the HIPAA Breach Notification Rule, a practice must notify the HHS Office for Civil Rights of every breach of unsecured PHI (within 60 days for breaches affecting 500 or more individuals, and in an annual report for smaller ones), and state breach-notification laws may impose additional obligations. Each affected patient must also be notified individually, which costs about $4 per patient. Credit monitoring is not mandated by HIPAA itself, but it is customarily offered to help protect patients against identity theft and some state laws require it; this costs approximately $10 per patient, or about $27,000 for the average size data breach.
In the past, data breaches primarily targeted larger healthcare systems—but that’s no longer the case. Now, the increasing risk of cybersecurity attacks plagues medical practices of all sizes nationwide. This is both because patient data are extremely valuable and because smaller practices are often more vulnerable. A smaller medical practice may be poorly equipped to deal with cyberattacks—making them a more attractive target. Their IT staff may be small in size or outsourced, or their designated HIPAA security officer may have additional responsibilities, such as practice administration, distracting them from cybersecurity.
As a result, hackers are increasingly targeting smaller physician groups. According to a report from cybersecurity firm Critical Insight, the number of attacks on physician groups rose from 2% of all healthcare cyberattacks in the first half of 2021 to 12% in the first half of 2022.
One reason for this increase may be increased attacks on electronic health record (EHR) systems through business associates (BAs) and third-party vendors; in the first 8 months of 2022, BAs accounted for 15% of all breaches. However, the ramifications of a data breach—in terms of fines, required remediation, negative publicity, decreased credibility, and increased cost of cybersecurity insurance, to name a few—are the same for the practice, whether hackers gain access directly or through a BA.
Because Federal law requires providers to notify prominent media outlets of any breach affecting more than 500 residents of a state or jurisdiction, small practices aren’t immune to the negative publicity a data breach can generate. Once local media learns of the incident, even small practices may face lawsuits and the associated expenses. When the media reports the breach to the public, the resulting damage to the practice’s reputation can cause a significant loss of revenue.
The threat landscape for data breaches has become increasingly complex for medical practices of all sizes, requiring practices to constantly be on high alert to protect against, detect, and remediate threats. Unfortunately, attackers will only continue to grow more innovative and more strategic. It is essential for practices to empower their IT or security operations teams to defend against evolving attacks with an integrated platform strategy; at the same time, those teams need to stay current with the knowledge and skills required to detect attacks more quickly and remediate them more effectively when attacks do occur.
One way to do this is through the Veradigm Ambulatory Suite; our platforms are built on Microsoft Azure cloud infrastructure, which means that downtime and service interruptions are rare. Data from January 2021 to June 2021 showed that all shared client bases experienced 100% uptime.1 Because Microsoft operates the data platform, the operating system, and the underlying cloud infrastructure, those layers are maintained and patched by Microsoft rather than by the practice, which shortens the average time needed to respond to threats at those layers. “By simplifying security, we are making clients more secure, more able to protect/defend/respond, thus empowering organizations’ security systems,” says Joseph Davis, Chief Security Advisor at Microsoft, in an interview with Jeremy Maxwell, Vice President and Chief Security Officer at Veradigm.
When clients use Veradigm hosting services, these solutions are hosted on the Microsoft Azure platform. Veradigm takes its security and privacy responsibilities as a business associate seriously. Within our hosting environments, Microsoft Azure provides current encryption technologies to protect data at rest and data in transit to and from external sources. Hosting does not transfer a practice’s own HIPAA obligations, however: the practice remains the covered entity and is still responsible for the controls it operates directly, such as user access, workstations, and workforce training. With the platform layers handled by Microsoft and Veradigm, practices can have confidence that Protected Health Information (PHI) and other sensitive information in the hosted environment is protected.
Cloud hosting of Veradigm solutions with Microsoft Azure also alleviates the burden of managing a complex IT infrastructure at your practice, enabling your users to focus on their top priority: patient care. Veradigm’s cloud-based deployment model provides a more robust IT infrastructure, positioning practices to respond rapidly when patient volumes rise, regulatory requirements evolve, or payment models change. In addition, Veradigm handles all upgrades and system expansions—increasing your budget predictability by eliminating the need for hardware maintenance, depreciation, and the costs of an on-premises data center.
Contact us today to learn more about how Veradigm’s solutions, hosted using the cloud-based Microsoft Azure platform, can help protect your practice against the increasing risk of data breaches.
References: