As we enter the era of Meaningful Use, we are truly seeing an increased realization of the central role that IT plays in provider strategic planning. Happily, we are also starting to see recognition from many corners of healthcare organizations of the wisdom of making targeted, shrewd IT investments as down payments on their organizations’ futures.
And that is good news. But some of the challenges IT departments have historically encountered when presenting business cases for IT systems in a constrained capital environment still remain, even if their “centers of gravity” have shifted. As capital flows to procure certified systems that can lead an organization to Meaningful Use, capital likewise needs to flow to build an appropriate security infrastructure around all the electronic patient data in those systems. The consequences of not funding that infrastructure can be devastating and, sometimes, irreparable.
We hear on the news on a regular basis about hackers who have compromised corporate systems and gotten their hands on sensitive financial data. Companies that have had their systems compromised suffer great financial losses in the form of credit monitoring, notifications and other incidental costs, but often suffer greater and harder-to-recover-from losses of trust and goodwill. There have been cases of companies that wound up going out of business as a direct result of even a relatively minor data breach. To put some numbers around this, according to a 2008 study by the Ponemon Institute, a privacy and data-protection research group, and PGP, a data-encryption vendor, the average total cost of a data breach to the organization responsible was $6.75 million, and the average cost per compromised record was $204.
Healthcare systems, being repositories for some of the most sensitive data one can imagine about many, many human beings, have a unique obligation, for both selfish and selfless reasons, to take every reasonable step to hold patients’ electronic protected health information (ePHI) sacrosanct. There are many ways to do this, and the HITECH Act puts a lot of teeth into the HIPAA rules that require providers to keep that data secure. A breach of unsecured PHI affecting more than 500 individuals must be reported to the Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 days after discovery, and when more than 500 residents of a state or jurisdiction are affected, notice must also go to prominent media outlets serving that area. Think of the damage that a prominent media report about a data breach emanating from your facility can do. It is profound and often irreversible.
Healthcare providers need to take all necessary steps to ensure that any ePHI leaving or entering the facility is encrypted in transit (over TLS or a VPN, for example), so that it cannot simply be intercepted and read on the wire. All laptops, thumb drives and other portable media that might conceivably contain ePHI need full-disk or device-level encryption built in, so that if a device is lost or stolen, the ePHI on it is unreadable to whoever ends up with it. This matters for the notification duties as well: HHS guidance treats ePHI that was encrypted in line with the NIST standards it references as “secured,” so the loss of such a device is not a reportable breach of unsecured PHI, whereas the loss of an unencrypted one is. Even behind an institution’s firewall there is the threat of a “breach from within” by employees or contractors, so pains must also be taken to protect “data at rest” residing on servers, through encryption and through the access controls and audit logs that limit and record who can read it.
To visualize this at its most basic level, picture backup tapes containing ePHI falling off the back of a truck on their way to an off-site storage facility, and someone picking those tapes up and reading them. As a leader in your organization, do you want to roll the dice and hope your institution isn’t permanently damaged as a result of a breach, or do you want to make the necessary investments now to protect your organization from this type of grave risk?
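The backup-tape scenario above, carried through in code as an added example (this is not code from the original article or from any vendor product it mentions): the archive is sealed with AES-256-GCM before it leaves the building, the key stays in the facility’s key management system, and the tape carries only ciphertext. The sample record, the tape label and the function names are constructed for the illustration; the code uses only Go’s standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample standing in for an ePHI backup archive. In practice
// the plaintext would be the backup file or tape image itself.
const sampleBackup = "MRN 000123|DOE, JANE|1970-01-01|Dx: hypertension\n"

// NewDataKey returns a random 256-bit AES key. The key belongs in the
// facility's key management system; it must never be written to the
// tape that travels with the courier.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag, which is the only thing written to tape.
// label (e.g. the tape serial number) is authenticated but not encrypted,
// so a sealed image cannot be silently swapped onto a different tape.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealBackup. It fails closed: a wrong key, a modified
// byte anywhere in the image, or a mismatched label all return an error
// rather than plausible-looking garbage.
func OpenBackup(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed backup too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// LooksLikePHI reports whether the record marker used in sampleBackup is
// visible in data, i.e. whether someone who picks up the tape could read a
// patient record without the key.
func LooksLikePHI(data []byte) bool {
	return bytes.Contains(data, []byte("MRN "))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	label := []byte("TAPE-0001") // constructed tape serial, used as associated data
	sealed, err := SealBackup(key, []byte(sampleBackup), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the tape: %d bytes, readable PHI visible: %v\n", len(sealed), LooksLikePHI(sealed))

	// The finder of the tape has the media but not the key.
	wrongKey, _ := NewDataKey()
	_, err = OpenBackup(wrongKey, sealed, label)
	fmt.Printf("finder without the key: %v\n", err)

	// The facility, holding the key, restores the record.
	pt, err := OpenBackup(key, sealed, label)
	fmt.Printf("facility with the key: err=%v record=%q\n", err, pt)
}
```

Two points a practitioner should take from this. First, whoever finds the tape needs the key, not the tape, to read anything, which is why the key must never travel with the media and why the same logic applies to a lost laptop or thumb drive (there, full-disk encryption does the equivalent work for the whole disk). Second, an authenticated mode such as GCM fails closed on a wrong key or a modified byte instead of decrypting to silently corrupted records, so a tampered backup is detected before it is restored into a clinical system.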