In our latest webinar, Safeguarding Healthcare Data in the Cloud, HOSTING teamed up with technology partner Vormetric to discuss how data encryption and key management can address HIPAA/HITECH compliance regulations for healthcare providers and payers. Missed it? You can view the webinar on-demand. Following are some highlights.
The average cost of a data breach is up 15% from two years ago
The average cost of a data breach continues to climb, with a 15% jump in costs over the past two years alone. The 2014 Ponemon Institute Cost of Data Breach Study breaks down the average expenses incurred by companies that experience a data breach.
- The total average organizational cost of a data breach for U.S. companies is $5.85 million (up 15% from 2013). This figure includes:
- $417,000 for detection costs (including forensic and investigative activities and crisis team management)
- $509,237 for breach notification costs
- $1,599,996 for post-breach remediation costs (including help desk activities, product discounts, identity theft protection services, and interactions with regulators)
- $3,324,959 in lost business costs (including reputational injury, diminished goodwill, and loss of business).
Healthcare leads all industries in per capita costs following a breach
The average number of records exposed per U.S. breach is just under 30,000, and the average per capita (per-record) cost is $201, up from $188 in 2013. Healthcare has the highest per capita cost of any industry at $359 per record. So a healthcare organization suffering an average-sized breach of roughly 30,000 records could expect total breach costs of approximately $10.7M (30,000 records at $359 each).
HIPAA/HITECH compliance – key requirements and challenges
While the HIPAA Security Rule does not prescribe specific technologies, organizations should keep the following requirements in mind:
- Individuals must be notified of a breach of unsecured protected health information (PHI)
- PHI counts as secured only if it has been rendered unusable, unreadable or indecipherable, that is, encrypted or destroyed
- Encryption must meet the requirements of NIST SP 800-111 (the standard the HHS guidance references for data at rest)
- Encryption keys (the decryption tools) must be kept on a device or at a location separate from the data they protect
- Only FIPS-approved encryption algorithms can be used
- The Omnibus Rule of 2013 extends HIPAA requirements directly to the business associates of payers, providers and clearinghouses
Organizations that attempt to comply with HIPAA/HITECH on their own quickly run into a number of challenges. Addressed one at a time and independently of each other, the HIPAA/HITECH security requirements can prove costly and time-consuming to implement properly. The most common trouble spots are the following.
Protection of unstructured data
While some types of data such as credit card data or social security numbers, can be readily located and protected in databases, unstructured data frequently found in electronic medical records can be more difficult to protect.
Inconsistent file types
Patient forms, medical imaging files and other file types are not easily protected in a uniform way because they are housed in highly distributed environments, spread across many systems rather than a single database.
Controlling access to ePHI
While encryption protects data, it is not enough on its own: once a system can decrypt the data, anyone with access to that system can read it. Organizations must also have robust access policy and encryption key management to prevent unauthorized access to or disclosure of ePHI. The goal is to ensure that only authorized users, under the right circumstances (the right process, on the right system), can access sensitive data, and that every attempt to use a key is recorded.
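The following is an added example, not code from the webinar, from HOSTING or from Vormetric, showing the two points above in working Go: the key-encryption key (KEK) lives in a separate key server, the storage node holds only ciphertext plus a wrapped per-record data-encryption key (DEK), and the key server releases a DEK only when its policy allows the requesting (user, process) pair, logging every attempt. The `AccessRequest` fields, the policy model, the user and process names, and the sample record are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// AccessRequest is who is asking for a key and from which process. The field names
// and the policy model are illustrative assumptions, not any vendor's API.
type AccessRequest struct {
	User    string
	Process string
}

// KeyServer holds the KEK on a device separate from the data store; the KEK never leaves it.
type KeyServer struct {
	kek    []byte
	policy map[AccessRequest]bool // (user, process) pairs allowed to unwrap a DEK
	Audit  []string               // one entry per key-release attempt, allowed or denied
}

func NewKeyServer(policy map[AccessRequest]bool) *KeyServer {
	return &KeyServer{kek: randBytes(32), policy: policy} // 32 bytes = AES-256
}

// randBytes draws n bytes from the OS CSPRNG; failure is unrecoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Wrap encrypts a per-record DEK under the KEK so it can be stored beside the data.
func (ks *KeyServer) Wrap(dek []byte) ([]byte, error) { return seal(ks.kek, dek) }

// Unwrap releases a DEK only when policy allows the (user, process) pair; every attempt is logged.
func (ks *KeyServer) Unwrap(req AccessRequest, wrapped []byte) ([]byte, error) {
	allowed := ks.policy[req]
	ks.Audit = append(ks.Audit, fmt.Sprintf("user=%s process=%s allowed=%t", req.User, req.Process, allowed))
	if !allowed {
		return nil, fmt.Errorf("policy denies key release to %s via %s", req.User, req.Process)
	}
	return open(ks.kek, wrapped)
}

// StoreRecord: fresh DEK per record; the storage node keeps only ciphertext plus the wrapped DEK.
func StoreRecord(ks *KeyServer, plaintext []byte) (blob, wrappedDEK []byte, err error) {
	dek := randBytes(32)
	if blob, err = seal(dek, plaintext); err != nil {
		return nil, nil, err
	}
	if wrappedDEK, err = ks.Wrap(dek); err != nil {
		return nil, nil, err
	}
	return blob, wrappedDEK, nil
}

// ReadRecord decrypts only after the key server has released the DEK under policy.
func ReadRecord(ks *KeyServer, req AccessRequest, blob, wrappedDEK []byte) ([]byte, error) {
	dek, err := ks.Unwrap(req, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, blob)
}
```

The point to notice is what the storage side never has: a backup agent or storage administrator with full read access to the node gets ciphertext and a wrapped DEK, and the key server refuses to unwrap for a (user, process) pair that is not on the policy, while writing an audit entry for the attempt. In a real deployment the policy would also cover time windows and host identity, and the audit entries would feed the SIEM.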
Safeguarding healthcare data through HOSTING data security solutions
HOSTING Data Security Solution for Healthcare is a comprehensive solution for protecting ePHI in any environment including private, public and hybrid clouds. Integrated into the data security solution is Vormetric Transparent Encryption which offers strong data security controls that leverage both encryption and policy-based access controls. Key features of the HOSTING Data Security Solution include:
- Systematic controls that prohibit unauthorized internal and external users from accessing sensitive data
- Capabilities for encrypting data, controlling access, and creating granular security intelligence logs
- Protection of databases, files and big data across the entire organization
- Security intelligence logs that can accelerate the detection of advanced persistent threats (APTs) and insider threats
The HOSTING Data Security Solution is available in a multi-tenant environment, completely managed by the HOSTING Compliance Team, or in a dedicated environment that can be solely managed by the customer or managed by the HOSTING Professional Services team.
Wondering whether your healthcare data is adequately protected against data breaches? View the on-demand webinar to learn how data security can help you address HIPAA/HITECH compliance, and contact the HOSTING certified information security and compliance team anytime to discuss your specific needs.