Not a month goes by when there isn’t an announcement of a breach of electronic health records thereby disclosing personal and financial data; and that excludes breaches that are not publicly acknowledged. In a recent report from the American National Standards Institute (ANSI), 18 million Americans have had their personal health information stolen over the past two years.
So one has to ask: considering the financial and legal implications of a breach of health records, why don’t organizations deploy security solutions to protect electronic health records? Answers often offered by CIOs are (1)ROI – show me the ROI on an investment in security solutions. Does it lower my cost of doing business? Does it bring me new customers? (2) Compliance / HIPAA? “Yawn... is there a way around this regulation? Can we give the compliance auditors, the minimum they need at the lowest cost, so we can get on with business?”
“Mr/Ms CIO, I would like to introduce you to our CFO, he/she will educate you on the costs of doing business in today’s electronic age...”
The costs of a breach can be quantified as:
- Financial: notifying affected individuals and increased insurance premiums.
- Reputation: loss of current patients and difficult attracting future patients.
- Operations: cost of training staff to prevent future breaches.
- Legal: fines, penalties and lawsuits.
- Clinical: fraudulent medicaid and insurance claims that may be submitted from the stolen data;inaccurate diagnoses because data is missing from the electronic health record system.
Take the cost of a breach and turn that into the cost of an investment – the cost of an investment in security software solutions that lower the probability of a breach occurring. (In layman terms: the cost of a burglar alarm or barbed wire fence that will make it more difficult for thieves steal your jewels). For electronic health record data stored in the cloud, software security solutions should include firewalls, intrusion detection/prevention systems and data encryption so that even if the data is stolen, it is useless to the thief.