It’s the day before Halloween, which means at some point this weekend I will probably tune into one of my all-time favorite horror movies such as Sleepy Hollow, The Conjuring, or any of the Michael Myers classics. But no matter which scary flick I choose, perhaps nothing will be scarier than something I saw recently on healthcare data security.
Here’s what I’m talking about: a report from Accenture found that healthcare providers could potentially lose $305 billion in patient revenue over the next five years due to the impact of cybersecurity attacks. According to a Ponemon Institute survey, cited by Accenture, almost half of patients said they would find a different provider if they were informed that their medical records were stolen.
"Taking into account the estimated lifetime economic value of a patient, Accenture analysis shows that healthcare providers are at risk of losing $305 billion in cumulative lifetime patient revenue over the next five years due to patients switching providers because of medical identity theft," the report states. "Applying this methodology to recent healthcare provider data breaches, Accenture estimates that each provider organization lost an average of $113 million of lifetime patient revenue for every data breach it suffered in 2014."
The report used data from the U.S. Department of Health and Human Services Office for Civil Rights which found that in 2014, nearly 1.6 million people had their medical information stolen from healthcare providers. As such, Accenture predicts that 25 million people—or approximately one in 13 patients—will have their medical and/or personal information stolen from their healthcare provider’s digitized records between 2015 and 2019.
The report also highlights the personal financial loss to patients in the event of medical identity theft. Sixty-five percent of victims of medical identity theft pay out-of-pocket costs at an average of $13,500 per victim, the report states, citing the Ponemon survey. And, 16 percent of impacted patients—more than 4 million people—will be victimized and pay out-of-pocket costs totaling almost $56 billion over the next five years, Accenture predicts.
Think about that for a second—1 in 13 patients and out-of-pocket costs totaling $56 billion! I know that you are probably tired of hearing about Health Insurance Portability and Accountability Act (HIPAA) breaches of all sizes and shapes, but these statistics are not pretty. We have certainly said this many times before, but the industry is currently in a reactive rather than proactive state when it comes to information security. The question is not if you will be attacked, but instead when?
So what can be done to stop the bleeding? Perhaps no one is more well-versed on this topic that Jodi Daniel, former director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC) and current partner in the Washington, D.C.-based Crowell & Moring LLP’s healthcare group. At ONC, Daniel addressed privacy and security issues to ensure that there was clear guidance on how the initial HIPAA rules applied to health IT. According to a statement from her new employer, “Jodi literally wrote the book—and all the rules—governing health information technology, including the complex HIPAA privacy and enforcement rules.”
Wanting to tap into her expertise on the matter, I recently interviewed Daniel and asked her if data protection is getting any better. She mentioned that one of the biggest challenges healthcare has is that the federal rules do not apply to all entities that have identifiable health information, but instead only covered entities. Indeed, covered entities are defined in the HIPAA rules as (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
Daniel said, “As we have different kinds of ways that people are getting healthcare services, as we see more direct-to-consumer tools and the like, it raises concerns about the protection of that information differently depending on who is holding that data. That’s a real gap that needs to be filled.”
She added, “On the security side, I think we will continue to see breaches as we have a lot of information in electronic format. It’s a matter of mitigating the risks, not eliminating risks. But we see this in every industry; it’s not unique to healthcare. The government does have an important role to play here in advancing security practices and standards. Individual organizations also need to be more diligent about identifying security risks and mitigating those risks in the best way so that we have limited harm in breaches or a reduction in the number of them.”
Daniel is right in that security breaches are not unique to healthcare, but that doesn’t mean that our industry isn’t the most vulnerable and the most affected. For one, some statistics reveal that organizations in the healthcare sector are experiencing double the average amount of internal security breaches, in comparison to all other industries.