When discussing issues like the budget deficit, politicians are fond of saying “If you’re not worried yet, you’re just not paying attention.”

That expression certainly applies to data breaches, like the recent one at Target that affected millions of customers.

Nothing focuses the minds of C-suite executives quite like the prospect of huge regulatory fines, lawsuits and the associated business disruption.

It’s possible that your organization is facing far more security risk exposure than you ever thought possible. But by thoroughly assessing that risk, it’s much easier to get the funding you need to strengthen your data protection program.

The costs associated with a major data breach include both the obvious (legal/regulatory penalties, remediation, class-action lawsuits) and the unforeseen (such as major disruptions to clinical and operational performance or lost business due to reputational damage). The total tab can easily run into the millions. This is clearly not the time to rely on half-measures that don’t fully address the following issues:

Hackers aren’t your biggest worry

Only 8 percent of the data breaches listed onHHS’s “Wall of Shame” are due to hacking. Theft or loss of items as common as a laptop computer account for nearly two-thirds of the data breaches.

Business associates are now on the radar – HIPAA’s expanded privacy, security and breach notification rules now apply to a covered entity’s many business associates – all the vendors and service providers who could potentially compromise patient data. Last year, business associates were responsible for disclosing nearly 13 million patient records.

The average cost of a data breach is about $200 per patient – If your organization loses a laptop containing 10,000 patient records, that cost can easily top $2 million. And that doesn’t include the harder-to-calculate costs of lost business or lost productivity.

A data breach involving more than 500 patient records requires HHS/media notification

When news reporters get wind of a data breach, an organization’s reputation can take an immediate hit. For example, when one of the nation’s leading healthcare providers recently notified the media of a data breach, a competitor ran a full-page ad the next day touting its own data security success.

The average cost of a class-action lawsuit is staggering – Patients who’ve had their health records compromised often band together to seek damages. A study by Temple University’s Beasley School of Law found that the average settlement award in data breach class-action suits is $2,500 per plaintiff, with mean attorney fees of $1.2 million. Sometimes the potential costs are even higher, as in the $1 billion lawsuit filed in 2011 against Sutter Health.

Costly cyber-liability insurance doesn’t provide absolute protection – For starters, cyber-liability insurance for a healthcare organization is very expensive, with annual premiums in the $200,000 range and deductibles as high as $500,000. These numbers are likely to grow larger as courts quantify damages in future cases, resulting in costly settlements typically covered by insurance.

Risk Analysis Can Justify Spending

You can begin to address all these issues using your existing resources. For instance, it’s not very expensive to document your organization’s current security/privacy strengths and compliance gaps. But it is likely that you’ll need to bolster the budget to deal with some of the “big rocks” that might loom ahead.

The best starting point is to conduct a thorough data security risk analysis. In fact, it’s now a HIPAA requirement for all healthcare organizations and their business associates. In recent months, the Office for Civil Rights has imposed data-breach corrective action plans and settlements on healthcare organizations running the gamut from UCLA Medical Center and Affinity Health to CVS and Rite-Aid. The common denominator: none of them had conducted a security risk analysis.

There’s a simple, objective way to determine your organization’s risk exposure – and what it will cost to implement a robust data security program.

The American National Standards Institute (ANSI) offers a free publication called “The Financial Impact of Breached Protected Health Information.” This document provides an excellent overview of the data breach landscape and includes tools for calculating the cost of a breach in your organization. Armed with that knowledge, it’s much easier to make the business case for getting the funding needed to strengthen your safeguards. Boosting the budget can help your organization avoid Target-style notoriety this year.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries.She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.