New data reveals that the number of healthcare data breaches continues to climb, causing financial and reputational damage to healthcare providers. HIPAA Journal reported 692 large healthcare data breaches between July 2021 and June 2022 that exposed the records of over 42 million individuals. The number of records breached in June 2022 was more than 65% higher than the monthly average over the previous year, highlighting the need for providers to stay on top of their game when it comes to protecting patient data.
In a recent conversation with PYMNTS, Chris Wild, Experian Health’s Vice President of Adjacent Markets and Consumer Engagement, discussed the consequences of healthcare data breaches and set out the key steps providers should take to prevent and resolve security incidents.
Compromised patient records send financial and reputational costs soaring
IBM reports that financial damages resulting from data breaches have reached a 12-year high, with the average breach in healthcare costing $10.1 million, up nearly $1 million since 2020. Wild notes that this includes a huge range of costs, from HIPAA fines to operational costs to curb and resolve breaches:
“The cost of dealing with a breach is enormous. There’s anything from penalties of $100 per incident to $1.5 million per year. You’ve got reconciliation costs – trying to patch the holes in technology stacks and things like that. You’ve also got inbound phone calls from concerned patients who’ve just heard about a breach and want to know if it impacts them.”
But Wild says that beyond HIPAA fines and operational expenses, the greatest cost is repairing the reputational damage of breaching patient trust: “the reputational cost is enormous because once you lose a patient, you lose a patient.”
Wild suggests a two-pronged approach to mitigate the risk and impact of a healthcare data breach that focuses on prevention and preparation.
Protecting patient identities to deliver a satisfying and secure consumer experience
An unfortunate side effect of the accelerated adoption of digital health solutions during the pandemic was that it opened the door to new methods of medical crime and fraud. Patients interact with their data electronically more often, thus increasing their vulnerability to cyber-criminal attacks. Preventing infiltration by bad actors before it occurs should be the priority.
In the past, efforts to secure a patient’s identity have relied on personal security questions, considered unanswerable by anyone but the patient. However, Wild says that asking for past addresses and details of previous living arrangements may no longer be the gold standard:
“We’re finding that this is a little bit passé now. There’s a lot more that goes into identifying somebody, and that goes along with improving security, but it also improves the patient experience. There’s always been a balance between trying to make sure that data is secure on the one hand, but also make sure that it’s easy to access on the other.”
To this end, providers should look for patient engagement solutions that deliver a flexible, convenient and consumer-friendly patient experience, while ensuring that patient data is secure. Wild suggests a few specific strategies, such as monitoring device ID and validating the identification documents used during patient registration:
“When you have your cell phone or your tablet or your laptop, or your computer, or even your voice assistant devices, they all have a device ID. We keep track of those and see which ones are being naughty, which ones are being nice. We can start to ramp up when we see a naughty device acting naughty. But also think about things like document verification, validating that a driver’s license being shown to a registrar is actually a real driver’s license, or things of that nature.”
A multi-layered approach to securing patient portals and other digital patient access tools will ensure there is no single point of vulnerability. Experian Health’s patient portal security solutions with Precise ID include a range of protections, including two-factor sign-in authentication, device intelligence and additional checks on risky requests to proactively secure patient identities. Each element protects against a specific type of threat, building up defensive depth to thwart attempts to breach patient data.
Responding quickly in the event of a healthcare data breach
Prevention only goes so far, though. Evidence suggests that most healthcare providers will be hit by a data breach at some point. Wild suggests that regular “fire drills” can help ensure that everyone in the organization knows how to respond, should the worst happen:
“For a healthcare data breach or any sort of misappropriation of patient or member data, you want to make sure you’re keeping things safe, keeping things secure, and make sure that all of the associated people know what to do.”
Wild says this must include everyone from front desk staff, who will be answering phone calls from worried patients, through to marketing teams, who will need to put out proactive messages about what happened and how it will be dealt with. How a provider responds may have an even greater impact on their reputation and patient loyalty than the breach itself.
All of this can be pulled together in a data breach response plan, which sets out exactly what needs to be done and by whom, to help organizations avoid missteps in the aftermath of a breach. Experian Health’s Reserved Response™ program can help healthcare organizations put together a data breach preparedness plan in as little as three days. The program is based on 17 years of real-world experience dealing with data breaches and has evolved as security threats and consequences have increased. The program offers providers guides, templates, checklists and service-level agreements to guarantee manpower, infrastructure and response readiness at the most crucial moments.
As the uptake of patient portals and other digital patient access solutions accelerates, finding the right data security partner to help navigate the unprecedented threats and consequences will be essential. Watch the full interview with Chris Wild and find out more about how Experian Health helps healthcare providers protect patient identities to prevent healthcare data breaches.