October 27, 2021

Volume XI, Number 300


Doctor, Heal Thyself: The Importance of Cybersecurity for the Health Sector

When you are attentively (?) listening to the security announcements before a flight, they instruct each passenger to put their own oxygen mask on first, before helping others. The rationale is understandable in an emergency situation, and whether the health sector recognizes it or not, the cybersecurity of many healthcare organizations is at a critical, emergency stage. The solution to this is not necessarily spending more money on cybersecurity investment, but rather using appropriate safeguards and focusing on their effectiveness.

In 2018, over 15 million health records were breached. That number was dwarfed in the first half of 2019 when 32 million records were compromised. Admittedly, one of these was a whopper — the American Medical Collection Agency had 24 million records stolen — and soon after AMCA filed for bankruptcy. So much for the callous thinking that breaches are simply a cost of doing business.

The crisis that the health sector must address is that the average cost per breached health record is $429 according to the IBM 2019 Cost of a Data Breach Report. The second highest record cost is for the financial services sector, but IBM reports that this is less than half the cost of health at $210 each. Why is that, given the highly regulated nature of these two sectors? One aspect is certainly investments in security. Healthcare Finance News reported in July 2019 that the health sector typically invests 4-7% of revenue in cybersecurity, while the financial services sector is in the 15% range.

Whether healthcare organizations and their business associates choose to increase their investments, the real shift of perspective needs to be how security is built into operations. Coming back to the oxygen mask, security within healthcare must become like breathing: it’s automatic, and not a bolt-on.

The best way to do this is to start with an assessment of how defensible an organization’s security posture is. Security and the associated administrative, technical, and physical components must not only effectively defend against most attacks but must also be sufficiently systematic that the likely inquiry from the HHS Office of Civil Rights or state attorneys general will be satisfied that the organization was doing all the right things. While that will not deter the plaintiffs’ bar and their class action complaints, OCR, the FTC, and other regulators understand that there is no such thing as perfect security.

A security assessment (preferably coordinated with security consultants for the more technical review) will also deliver an independent, privileged view of gaps and opportunities for improvement. The fact of life is that organizations will be hacked, will lose PHI, and will be scrutinized. In the end, the health sector needs to fix its weaknesses before valuable resources are involuntarily shifted to crisis management, litigation, and regulatory fines.

Copyright © 2021 Womble Bond Dickinson (US) LLP. All Rights Reserved. National Law Review, Volume X, Number 63

About this Author

Peter McLaughlin, Partner, Privacy & Data Attorney, Womble Bond

Peter McLaughlin is a Privacy & Data Security attorney who advises clients with respect to a broad range of technology transactions, privacy and security issues. While maintaining a broad privacy practice, Peter focuses on innovative uses of data, especially with the life sciences and digital health sectors. He also guides clients in their domestic and international handling of personal information; new product development; and the assessment of legally defensible cybersecurity programs. The Legal 500 has recognized Peter’s work in the area of data protection and...

857.287.3113