In May, when the Michigan-based Ponemon Institute released the results of its fifth annual survey about privacy and security issues facing healthcare organizations, it found that for the first time, providers reported that the No. 1 root cause of their data breaches was criminal and malicious attacks, surpassing mistakes and employee negligence. Ponemon also found that the rate of data breach is remarkably high, with 91 percent of providers experiencing one or more breaches in the last year, and 40 percent of respondents had more than five data breaches over the past two years.
While these were the statistics that drew the biggest headlines, it should also be noted that the survey found that healthcare organizations spent an average of more than $2 million to resolve the consequences of a data breach involving an average of more than 2,700 lost or stolen records. Another study, from Ponemon and IBM, found that healthcare was the industry with the highest cost per stolen record, with the average cost for organizations reaching as high as $363. “Based on our field research, we identified three major reasons why the cost keeps climbing,” Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said in a statement when that report was released. “First, cyberattacks are increasing both in frequency and in the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.”
To this end, it has become imperative for patient care organizations to stop breaches before they start and, at worst, to limit their damage. Alexander Grijalva was recently hired at New York City-based NYU Langone Medical Center to do just that. There, as head of information security risk management, Grijalva is in charge of risk assessments for Langone's applications, determining whether these systems present risk and ensuring both regulatory compliance and policy compliance. Grijalva recently spoke with HCI Senior Editor Rajiv Leventhal about the growing threat of data breaches in healthcare, strategies to help minimize breaches, and the costs associated with them. Part one of Grijalva’s interview with Leventhal from last week can be found here; excerpts from part two appear below.
Tell me about your strategy to better protect data at NYU Langone.
Right now, we are beginning another risk assessment cycle. That involves close coordination between all the IT groups, compliance, and internal audit. We don’t have silos when it comes to information security, which I think organized crime and insiders have exploited at other hospitals. Of course, compliance with all the regulations that govern us is a focus and very important. But the output of our risk assessments is also reviewing the efficacy of our controls and processes. Information security threats are evolving rapidly and the effects more devastating. Therefore, we also have to evolve and affect the ROI of cyber criminals. Many operate as a business, and we have to make ourselves an expensive target. The more labor and time they spend, the less their return. At least, that is how I think. But that approach requires heavy investment, which many hospitals can’t do.
Of course, we also have activists like Anonymous knocking on the door of hospitals. For example, back in 2014, Anonymous went after Boston Children’s Hospital over a child custody case. That is a threat that all hospitals now have to deal with, as well.
We are fighting a war on multiple fronts, both as an organization and as an industry. But I think hospitals know the effect of giving up. We can’t let people and organizations with malicious intent stop us from providing care, investing in research, educating, and improving public health. Medicine is a noble profession, full of idealists. And that idealism has never been broken, and I firmly believe will never be broken. That is why at Langone we invest heavily in healthcare information technologies and IT security, and work closely with all stakeholders. Our mission is sacred, and certainly at my previous employers—NewYork-Presbyterian and University of Medicine and Dentistry—the same applied.