David Anderson, Chief Information Security Officer, Ensemble Health Partners (author page: https://www.ensemblehp.com/blog/author/david-anderson/)

Cybersecurity Is the Next Consumer Decision Point
Thu, 18 Aug 2022
https://www.ensemblehp.com/blog/cybersecurity-is-the-next-consumer-decision-point/

Don’t let vulnerability tarnish your reputation.

More than 25 million individuals have had their health data breached so far this year.[1] That’s 8% more than at this time last year and 29% more than in the same period in 2020. Eighty percent of the breaches reported through the HHS Office for Civil Rights Breach Portal this year were due to malicious attacks, which are increasing rapidly across healthcare organizations and their affiliates.

The headlines about cyberattacks are constant and the costs to organizations and communities are high. Breaches disrupt operational stability and put patients at risk, so it’s no surprise that increasingly savvy healthcare consumers are thinking twice about who they trust with their data.

Healthcare data: high volume, high value, high cost.

The increase in cyberattacks on healthcare organizations is due to the high value and high volume of data they manage. Stolen health records sell for 10 times more than stolen credit cards. Why? Because healthcare data include four key areas of valuable information about people and systems:

  • Personally identifiable information (PII) like name, date of birth, social security number, etc.
  • Financial information like credit card and bank account numbers
  • Protected health information (PHI) like clinical information, health insurance and billing details
  • Sensitive company data like research information[2]

Most attacks occur via phishing, compromised business email and exploited software vulnerabilities. But risk is also rising in other areas, such as application programming interface (API) security and insider attacks. Across all of these, credentials were the most commonly targeted asset.

Healthcare organizations of all types, including business partners, are paying the price:

  • HHS Office for Civil Rights resolved eight healthcare data breach investigations from 2021 resulting in more than $13 million in collections.[2]
  • A malware attack on Scripps Health last year cost $113 million to remediate.
  • 56 breaches on healthcare organizations this year occurred as a result of an attack on a business partner or vendor, impacting nearly 8 million individuals.
  • Recent attacks on multiple revenue cycle management companies have exposed more than 1.4 million patient records managed by their healthcare partners.

The average healthcare data breach costs an organization $10 million – the highest of any industry. The average cost of lost business associated with each incident is $1.4 million due to system downtime, cost of lost customers and reputational damage.[3]

Breaches diminish trust. Trust drives consumer decision-making.

Healthcare consumers are concerned about protecting their data and choose organizations they can trust to keep their personal information safe. Once trust is diminished, consumers will seek options with other companies where they feel more secure. After a data breach, 8 out of 10 people say they will stop engaging with a brand or company to protect their information.[4]

In addition to losing trust in an organization’s ability to keep their data safe, patients also lose trust when care quality decreases. According to a 2021 CISA report, mortality rates increased as a direct result of cyberattacks.[5] Critical system downtime causes treatment delays, which negatively impact outcomes and ultimately result in higher mortality.

Not only are healthcare organizations seeing patients leave their systems after breaches, but they’re also seeing more lawsuits as a result. In 2021, 43 lawsuits were filed against hospitals by consumers following data breaches, which keeps the negative press circulating and causes further damage to already diminished reputations.[6]

Accountability. Don’t put your patients or brand at risk.

Hospitals and healthcare organizations need to make information security a top priority to prevent financial risk, avoid losing patients and maintain their reputational integrity.

Here are quick tips to avoid significant damage:

Put consumers at ease – make sure their data is secure. Make cybersecurity part of your culture and ensure it’s part of your partners’ culture.

  • Establish a documented cybersecurity program and incident response (IR) plan following HIPAA and HITRUST protocol. The average cost per incident for organizations without an IR team or plan was 58% higher than organizations with established teams and plans.
  • Make sure security teams are adequately staffed to meet information security needs. Organizations with inadequately staffed teams had higher-than-average costs per data breach.[7]
  • Ask your partners and business affiliates about their security measures to ensure they are not putting your data at risk. Any company that interfaces with your data is a potential vulnerability putting you at risk of being exploited.

If an incident occurs, act swiftly. Once a data breach occurs, an immediate, informed response can help diminish the negative impact on your organization and community.

  • Be transparent with impacted patients. Don’t wait for 60 days to notify patients if you don’t have to. Quickly assess and contain the situation, validate the patient exposure and launch a breach investigation. Notify all impacted areas and patients with the facts and action plan.
  • Report the breach and the required details to the HHS Office for Civil Rights within 60 days if 500 or more individuals are affected, to ensure timely documentation and avoid noncompliance fines. Ensure your business affiliates have a protocol in place to notify your organization immediately following a breach, to avoid delays and penalties.
  • Focus on reestablishing trust with patients. Once notification occurs, help patients navigate next steps. Consider providing complimentary services like credit monitoring to help them regain a sense of security and trust in your organization.

Prevent future threats. More than 80% of organizations impacted by data breaches have had one before.[8]

  • Don’t let history repeat itself when it comes to cyberattacks. Regularly review and revise your cybersecurity plan to anticipate new threats and prepare new responses to mitigate future risk.
  • Educate employees and partners on their role in preventing data breaches and best practices to keep information safe and secure. Regularly evaluate training initiatives to ensure they are effective and compliant with HIPAA requirements.

With more than 50 data breaches impacting healthcare organizations and their patients each month, cybersecurity will continue to be a critical focus for healthcare leaders as well as the patients they serve. Make sure you’re earning the trust of your community, keeping the confidence of consumers and maintaining your reputation by strengthening your commitment to information security.

Hospital Data Breach Playbook
Mon, 17 Feb 2020
https://www.ensemblehp.com/blog/hospital-data-breach-playbook-2/

What to do before, during and after

Medical data breaches are on the rise, making patient data security one of the most pressing issues in the healthcare industry. In 2019, more than 41 million healthcare records were either exposed, stolen or inappropriately disclosed. The 2019 total is greater than the number of patient records breached in the three previous years combined, according to a HIPAA Journal report.

While hospitals and health systems are increasingly becoming the targets of malicious cyberattacks, there are steps these organizations can take to minimize the risk of breaches and ensure a swift response when one occurs.

During a Jan. 21 webinar hosted by Becker’s Hospital Review and sponsored by Ensemble Health Partners, two industry leaders laid out a “before, during and after” approach to data breach prevention and response. The conversation also walked through real-life examples, drawn from the Office for Civil Rights HIPAA Privacy home page (https://www.hhs.gov/hipaa/index.html), of provider responses to breaches that resulted in fines or legal settlements, as learning opportunities.

The speakers included:

  • Gregory Kerr, Chief Privacy Officer, Ensemble Health Partners
  • Ray Percell, Director of Compliance, Ensemble Health Partners

Before: Get one step ahead

The best time to minimize the risk of a security breach or a large fallout after a breach is before one even occurs, explained Mr. Percell.

Before a data breach occurs, it is imperative that providers create a procedure to assess privacy and security incidents, develop a breach response with key stakeholders and ensure staff are aware of any updates to state and/or federal reporting requirements.

In addition, completing an annual privacy and security risk assessment is helpful to understand external and internal threats to a provider organization’s patient data.

“With the moving parts and the sophisticated ways your data is being accessed and stolen, your IT team must try to be one step ahead,” Mr. Percell said.

During: Avoid knee-jerk reactions

When a breach is discovered, it is critical for providers to work quickly to gather facts before reacting and responding, according to Mr. Kerr.

“It is not uncommon that knee-jerk reactions occur,” Mr. Kerr said. “However, these reactions can not only be costly, but also create additional complications for an organization.”

Instead, an organization should determine the nature and severity of the incident, document the findings and determine whether it is a notifiable breach. The covered entity or business associate should launch a breach investigation as soon as possible so it can begin to understand how many people were affected, what data was accessed, the timeline of the breach and any remediation services that may be necessary, Mr. Kerr explained.

After: Monitor, assess and act

The effects of a data breach are not always immediately known, explained Mr. Kerr. As a result, an organization affected by a breach of PHI must continue to monitor affected individuals, consider reputational risk and assess liability risks following a data breach.

From there, the organization can determine whether purchasing insurance is beneficial, whether it will hire a consultant to aid with breach notifications, or whether it will engage another vendor to provide other services, such as credit monitoring.

After part II: Reporting deadlines, details

Once a breach is discovered, at the federal level, affected individuals must be notified within 60 calendar days. If 500 or more individuals are involved, HHS’ Office for Civil Rights must be notified within 60 days as well. In addition, for breaches involving more than 500 affected individuals who reside in the same state, local media outlets must also be notified no later than 60 days from the date the breach was discovered. For breaches that affect fewer than 500 individuals, under the federal HIPAA Privacy Rule requirements, the affected individuals are to be notified within 60 days of discovery, and the covered entity should record the breach in a manner consistent with federal expectations and report those breaches annually to the federal government no later than 60 days after the end of each calendar year, or as the federal government may direct.

It is also important to keep in mind that there are different requirements that may need to be followed based on individual state reporting requirements, according to Mr. Percell.

The OCR is strict on these deadlines, Mr. Percell said, adding that the agency will not offer exceptions to the rule unless a law enforcement official requests a delay because notification would impede a criminal investigation or threaten national security.

One example of the strict deadline is a 2017 incident with Chicago-based Presence Health. The health system was the first HIPAA covered entity to receive a resolution agreement for reporting a breach of personal health information late. The system was fined $475,000 by the OCR for reporting the incident 45 days late and had to undertake a corrective action plan. This reveals how important the 60-day deadline is, according to Mr. Percell.

Another example Mr. Percell shared was when Norfolk, Va.-based Sentara Healthcare paid the OCR $2.17 million for failing to properly notify HHS of a breach of PHI. Sentara had believed the breach affected eight people, but an OCR investigation found that it affected 577 individuals.

This case reveals that it is important to conduct a thorough investigation of the incident, Mr. Percell said.

After part III: Cooperate with the media, but don't disclose PHI

Media can play a very important role in getting information out about the breach to the public and affected individuals. However, involvement with the media can also worsen an already bad situation, Mr. Kerr said.

One example that other providers can learn from is an incident that occurred with Memorial Hermann Health System in Houston, Mr. Kerr said.

In September 2015, a patient at one of Memorial Hermann’s clinics presented a fraudulent identification card to office staff, who immediately reported the incident to law enforcement authorities. Memorial Hermann then published a press release about the incident, which impermissibly disclosed the patient’s PHI by including his or her name in the title of the press release.

The incident reminds providers that they can cooperate with police without violating HIPAA, but that they must protect patient privacy when making statements to the public, Mr. Kerr said.

Memorial Hermann paid $2.4 million to HHS to settle the potential violation of HIPAA.

After part IV: The use of business associate agreements

Another way a covered entity can protect its organization from the fallout of a breach is by using business associate agreements. These agreements, which should be in place with any partner that has access to or transmits PHI, outline the permissible uses of PHI and list out liabilities and responsibilities in the event of a HIPAA breach, Mr. Percell said.

When developing these agreements, leaders should engage subject matter experts including the privacy and legal department. These agreements should also be updated regularly and signed by all parties, Mr. Percell said.

Overall, the risk of security breaches in healthcare is high. However, with a plan in place for before, during and after a breach, healthcare organizations can be well prepared to handle the incident swiftly and responsibly.

To view the hour-long webinar with more real-world examples, click here.
