This is an age of rapidly increasing Personal Health Information (PHI) and the role of Chief Information Officer (CIO) has never been more challenging. As companies deal with vast amounts of personal data, they become more susceptible to privacy breaches and the associated costs. Health information technologies aren’t effectively addressing the need for more security, and amendments added to the Health Insurance Portability and Accountability Act (HIPAA) mean the costs for privacy breaches could rise even higher. It is important that CIOs address the challenge of identifying and implementing the right technology to effectively manage privacy and mitigate the associated risks.
Cost of a Data Breach
Figure 1 below shows the HIPAA categories of violations and the associated penalties—in a given year, up to $1.5 million per violation category and up to $50,000 per breach.
Figure 1: Violation Categories and Penalties
Cost before penalty fees
But HIPAA penalty fees are just the tip of the iceberg when it comes to the potential costs of a privacy breach. A healthcare organization (HCO) with a data breach can also face internal and external investigations, lawsuits, loss of patient trust, loss of future patients, damaged relationships, and credit-monitoring provisions.
According to a 2014 study conducted by the Ponemon Institute, 90% of HCOs in the US experienced one or more data breaches in the past two years; 38% had more than 5 incidents. With the average number of stolen records per breach at 2150, and the average cost of one stolen record at $188, this suggests a single breach can have an economic impact of $404,200—much more than the maximum HIPAA penalty for a single breach. The same study showed that more than 47% of HCOs paid more than $500,000 in 2013, and 25% paid more than $1 million in breaches that year (Figure 2). According to this study, the cost of data breaches to the healthcare industry totals about $5.6 billion per year.
For HCOs that fail to protect privacy, the resulting distrust from patients and damage to the organization’s reputation does have economic consequences. Erin McCann, associate editor of Healthcare IT News, has written that, “It’s not just a matter of professional obligation and responsibility. It’s a matter of cost, reputation and the integrity of the patient-provider relationship. IT is waist deep in it all.” 
Figure 2: Economic Impact of Data Breaches in 2013 per HCO in USA
Prevention and Detection
The Ponemon study makes it evident that existing systems do not adequately prevent privacy violations, and do not adequately detect breaches. Standard prevention measures—such as signing privacy contracts, scanning for viruses, and restricting access—are not sufficiently preventing accidental or deliberate misuse of information. In 2013, 38% of HCOs stated that they don’t have even standard prevention measures in place.
Without automated breach detection, rapid mitigation becomes almost impossible. Most HCOs can only detect breaches through manual audits, patient or legal complaints, and accidental exposure (Figure 3). Those are inefficient ways of identifying the misuse of personal information, and they do nothing to prevent it. Even worse, HCOs with just standard prevention measures often remain unaware of a breach until an audit occurs.
Figure 3: Detection of Data Breaches (More than one choice)
A CIO’s Responsibility
Beth Israel Deaconess Medical Center’s CIO, John Halamka, MD, recently said that “a CIO has limited authority but infinite accountability… [So,] how do you reduce risk to the point where government regulators and, more importantly, patients will say, ‘what you have done is reasonable’?”
Without a more sophisticated governance model and more effective privacy implementation, privacy breaches will continue to occur, or even increase in number and severity. To reduce costs, prevent the loss of PHI, and protect reputation, CIOs need a more effective approach to handling PHI.
Products developed with Privacy by Design principles are architected to meet any organization’s governance model. Privacy by Design architectures ensure that exactly the right information goes to the right person at the right time. These products include powerful and flexible privacy, security, and governance features designed to protect personal information. These features include cell-based security, on-demand de-identification and redaction, audit logs, rollbacks, data validation, data immutability, attribute-based access controls, data life cycle management, and much more. Privacy by Design means that all these features are designed into the organization’s datastore from the ground up, letting the CIO define and enforce policy across the entire organization.
There is no magic method that will completely safeguard an organization from a privacy breach. But there are powerful technologies that can drastically improve on the status quo. The numbers around privacy breaches can and will improve dramatically when proactive CIOs start looking at more powerful and robust options to store, manage, and mine valuable data sets. With proper tools, CIOs can ensure that valued insights are delivered to the appropriate users without risking privacy.
- Ponemon Institute. (2014, March). Fourth Annual Benchmark Study on Patient Privacy & Data Security. Retrieved from http://www2.idexpertscorp.com/ponemon-report-on-patient-privacy-data-security-incidents/
- Federal Register. (2013, January 25). Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 78(17), 5566-5702. Retrieved from http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
- McCann, E. (2014, June 4). Security: Healthcare Fixer-upper. Retrieved from http://www.healthcareitnews.com/news/security-healthcares-fixer-upper?single-page=true