Following last week’s announcement of the results of this year’s healthcare cybercrime cost study by the Ponemon Institute/HP, Accenture has analyzed Ponemon’s data (along with OCR breach reports) and has calculated new projections for the cost of cybercrime for the next five years, suggesting the losses will rise to a staggering $305 billion by 2019.
Furthermore, 25 million patients will become victims of medical identity theft, and they will incur out-of-pocket expenses as a result of the exposure of their PHI in healthcare data breaches. Those individuals will be required to cover costs of $56 billion over the next five years.
Healthcare Cybercrime Cost Projections Paint a Worrying Picture
The projections suggest 1 in 13 patients will become victims of identity theft and 4 million will be victimized and have to cover identity theft costs. Accenture says healthcare providers will “risk losing substantial revenues and patients as a result of medical identity theft.”
It is not too late to prevent a substantial proportion of these healthcare cybercrime costs from being incurred, but for that to happen, healthcare providers – and other HIPAA-covered entities – must take action now. Cybersecurity protections must be improved, policies developed to tackle insider breaches, and portable devices need to be properly secured.
If sufficient safeguards are implemented to keep patient data secure, Accenture’s research suggests that it is possible to decrease the risk of suffering data breaches by up to 53%. Unfortunately, Accenture says at the present time healthcare providers are simply not prepared to deal with data breaches when they do occur. And occur they will.
It is not only important to implement defenses to reduce the risk of suffering cyberattacks. An efficient and effective data breach response plan must also be put in place. The response plan cannot be set in stone, as it must be assessed to determine not only if it is working, but how well it is working. After a data breach has been suffered, healthcare organizations must implement their data breach response procedures immediately. After damage and risk have been mitigated, it is essential to conduct a review of how well the breach response has worked, and what policies need to be tweaked or totally reworked.
According to Accenture’s managing director of global healthcare business, Kaveh Safavi, M.D., J.D., “In the end, when a breach occurs, the goal is not to say ‘what is our plan,’ but, ‘how is our plan working?’”
This is critical. Following any data breach there will be fallout. Patients are now more willing to leave healthcare providers that fail to protect their PHI. Safavi points out, “What most health systems don’t realize is that many patients will suffer personal financial loss as a result of cyberattacks on medical information.” He went on to say, “If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.”
Healthcare Data Breaches Have Resulted in Public Distrust in the Ability of Businesses to Secure Data
Accenture’s research suggests that the high volume of healthcare data breaches suffered in recent years has resulted in public distrust of businesses. The same applies to healthcare providers. It may not be quite so easy to change healthcare providers as it is to switch other service providers, but when patients lose trust in their healthcare providers’ ability to keep their confidential data secure, and the exposure of that data results in considerable out-of-pocket expenses, there is a strong incentive for those patients to take their business elsewhere.
A failure to address risks and effectively and efficiently deal with the repercussions of a data breach could well see substantial losses in healthcare providers’ revenues as patients switch providers in droves. That could have serious repercussions for healthcare providers.