We have all seen the movie scene:
It is dark. The opposition is all around us; no one knows precisely where, how many, or how powerful. You are hunkered down.
It is silent. And then a crack echoes out in the dark as one of your teammates steps on a branch. Lights go on, flares fill the sky. One misstep has unwittingly triggered an attack.
Similarly, your data is encrypted. Your EHR requires two-factor authentication. Your team is trying its best to get the work done. And then, crack! A well-meaning provider sends a photo of a patient via text.
We're all too aware of what can happen when HIPAA is violated by something as simple as a doctor texting a picture of a patient. Fines for a single HIPAA violation have reached $5 million. The Joint Commission rejects texting, even secure texting, as an acceptable channel for patient data. And the risks, for individual providers as well as for organizations, are sky-high.
But our colleagues continue to text and email patient data and patient photos, as if the rules (or the consequences) don't apply to them. Hospital administrators are taking dramatic and well-organized precautions against HIPAA breaches. But providers often don't seem cognizant of the costs of their actions.
So I was really appreciative of a well-researched study that came out recently from the Ponemon Institute LLC, sponsored by IBM Security. The study looked at 419 companies across 13 country samples and measured the costs of data breaches. As the authors say, “We define a compromised record as one that identifies the natural person whose information has been lost or stolen in a data breach.” Their findings emphasize just how devastating a breach (including the kind caused by a doctor sending an "innocent" text about a patient) can be for an organization.
Their findings: the average cost of a data breach is $3.62 million. The US is, by far, the most expensive place to have a data breach; the average cost there is almost twice the global average.
Further, the cost of a data breach in the health sector is dramatically higher (almost twice as high) than in any other sector.
Of special interest to me is that the study used its data to estimate the likelihood that an organization will have a data breach in the next 24 months. Based on the data set and the number of breaches that have occurred, the researchers find that organizations have a 27.7% chance of having a material data breach (the study's threshold is a breach involving 10,000 or more records) within the next 24 months.
To me, that means it's not a question of whether your organization will have a data breach, but when. And it's not a question of whether texting patient data can have consequences, but when you will experience them.
Hackers and malicious attacks get a lot of press, but the study attributes 28% of breaches to human error.
We certainly understand that the day-to-day of medical practice can be overwhelming enough, without having to worry about patient data. But the evidence that this problem is urgent and (in large part) in our hands is too weighty to ignore.
There is technology that lets you share patient information and patient photos in a secure, HIPAA-compliant way. iClickCare is a simple tool that lets you do that from your own smartphone. It's affordable and it's fast -- and the consequences of doing anything else are simply too large.
If you're concerned about HIPAA data breaches in your organization, get the information to keep you safe. Download a free HIPAA checklist and toolkit here:
Top photo by Mareks Steins on Unsplash. Graph photos used courtesy of the Ponemon Institute LLC, via their research sponsored by IBM Security.