Health IT professionals may be able to keep hospital systems operational, but data breach preparedness is nowhere near where it should be.
In an ideal world, and with a limitless supply of cash, healthcare computer networks would be nigh on impregnable. Unfortunately, health IT professionals do not live in an ideal world, and they have very limited funds: funds that do not even cover general operations and development work. Developing policies and procedures to cope with a data breach simply doesn't make it onto the to-do list.
Unfortunately for IT professionals, the C-suite tends to point fingers at IT when a data breach is suffered. Being unprepared is not an option.
Healthcare Data Breach Preparedness
The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to make preparations for the worst. No matter how good an organization's security defenses are, a data breach will be suffered, so it is important to be prepared. HIPAA requires all covered entities to issue data breach notification letters to breach victims, and reports must be submitted to the HHS' Office for Civil Rights and state attorneys general. Media announcements also need to be made.
While issuing those notifications is not the responsibility of an IT department, data is needed before they can be issued. HIPAA requires all affected individuals to be notified, which means they must first be identified. A covered entity must also provide information on the steps that have been taken to neutralize the risk, and that is not always a straightforward process.
If tested policies and procedures are not in place, the 60-day deadline for reporting data breaches can easily be exceeded, and that costs money. The OCR and state attorneys general are fining organizations that fail to comply with the HIPAA Breach Notification Rule or cannot get organized quickly after a data breach.
Survey Highlights Data Breach Preparedness Issues with IT Departments
A recent survey of 283 health IT professionals shows that IT departments are woefully unprepared for a data breach, and the necessary quick response is unlikely to happen. According to the survey, responding to a data breach would take considerable time: restoring data after a malicious attack would take more than 8 hours for 56% of healthcare IT departments.
A data breach could pose a significant problem for the majority of healthcare providers. 82% of IT staff said they were not fully prepared for a disaster recovery incident, yet one in five had suffered a security breach in the past 12 months.
The survey indicates that one in three healthcare organizations has experienced data loss in the past 12 months, and, alarmingly, 39% of respondents said that they had suffered more than five data loss incidents in the last year. Almost 40% suffered an unexplained outage over the course of the last 12 months.
Data breach preparedness is not optional: the healthcare industry is under attack from hackers, and the growing number of portable devices means data breaches are highly likely to occur.
According to the MeriTalk report, the hospital data breaches analyzed for the report suggest that the total cost to the healthcare industry from data breaches is an astonishing $1.6 billion per year, and that figure is increasing fast.
Security breaches were found to cost an average of $810,189 to resolve, data loss incidents cost an average of $807,571, and outages were responsible for average losses of $432,000 and 57 hours of downtime per incident.
Most Common Healthcare Security Breach Causes
- Viruses & Malware: 58%
- Outsider Attacks: 42%
- Loss/Theft of Equipment: 38%
- User Error: 35%
Main Causes of Lost Healthcare Data
- Hardware Failure: 51%
- Power Loss: 49%
- Loss of Backup Power: 27%
Most Common Causes of Outages
- Hardware Failure: 65%
- Power Loss: 49%
- Software Failures: 31%
- Data Corruption: 24%
Given the high probability of a data breach occurring, it is essential that healthcare organizations divert the necessary funds to health IT departments so that data breach preparations can take place. That includes having the hardware, software and cloud services needed to maintain data access at all times, or at least to drastically limit delays.