Adding Value to Your HIPAA Compliance Program

Ponemon Study Says 94% of Medical Institutions Have Been Victims of a Cyber Attack.

The Health Insurance Portability and Accountability Act (HIPAA) is a major challenge for every healthcare organization. This is the result of the U.S. Government mandating that citizens have the right to keep their healthcare records safe and private. Healthcare organizations risk huge penalties — financial and reputational — if they are breached and discovered to not be in compliance.

Breaches originate from many different sources and there are many different motivations. One type of breach is internal to the organization and is committed by employees. The primary motivation for these breaches is theft of personal healthcare records for fraud or financial gain. Personal healthcare records can command as much as $10 each on the underground market.

Another type of internal “theft” is not malicious in any way but can still be considered a serious HIPAA violation. That is when employees allow their curiosity to get the better of them. They view or copy healthcare information that they are not authorized to access.

Insider breach within healthcare organizations is on the rise. HIPAA compliance means dealing with numerous security requirements that can over-task IT and increase costs. But what is the cost of a breach to a healthcare organization? According to a 2013 publication from the Ponemon Institute the average cost of a data breach in the U.S., when between 1,000 to 100,000 records were compromised, was $233 per record for healthcare organizations; significantly higher than the average for all industries combined. The Ponemon study reveals that the average size of a breach was 28,765 records. If that is applied to a healthcare organization, an average breach would cost $6.7M. Of course these numbers pertain to all breaches, not just those committed by insiders but knowing that insider breaches are on the rise, it should be a concern of every healthcare organization.

What healthcare organizations need to address insider threat and maintain HIPAA compliance, is the ability to trust their employees through verification and monitoring. A security framework for reducing insider threat might involve the following:

• Deterrence: If employees know that their actions are being monitoring they are less likely to take the risk of being caught.
• Detection: If security professionals receive real-time threat monitoring alerts with timely reporting and evidence review they can quickly identify potential inside breaches before they happen.
• Mitigation: If security professionals can quickly remediate the breach, they can prevent widespread breaches that put the organization in serious jeopardy.

Sherryl Dorch, Vice President of Marketing for Raytheon Cyber Products, has more than 30 years of experience helping enterprise and government organizations communicate the need to detect, contain and control cyber threats.