Regular risk assessments are mandated for healthcare organizations by HIPAA as well as the Meaningful Use EHR Incentive Program. And while conducting regular risk assessments might seem arduous, the cost of failing to conduct them and remediate risks can be high.

In this post, we wanted to take a second to compare the costs of a potential data breach with the cost of proactively protecting your company against breaches with a solid risk management program.

Data Breaches: What’s at Stake?

Data breaches can be crippling to healthcare organizations. And while lost revenue is the most immediate consequence of failing to protect your data proactively, there is a lot more at stake.

Here are three areas in which healthcare companies expose themselves when they fail to put the appropriate risk management systems in place:

  1. Financial Penalties for Non-Compliance. The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. As protecting patient information continues to increase in priority, it is evident that financial penalties of non-compliance with HIPAA Privacy and Security Rules will only become more severe.
  2. Immediate Revenue. A data breach has the potential to cost healthcare companies millions of dollars in current revenue and future revenue potential. According to the Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, healthcare had the highest average cost per stolen record at $363, compared to an average of $154 across all sectors.
  3. Future Revenue. Of course, the risks don’t end with the immediate financial impact. The cost of negatively impacting your reputation and losing patients may be even greater. A recent survey found that 30% of patients said they would immediately change caregivers if their protected health information was breached. Another survey found 40% would make a change as a result of a breach.

Risk Assessments: The Cost of Being Proactive

When you weigh the potential cost of a data breach for your healthcare organization, investing in a comprehensive risk assessment through a third-party vendor is often a no-brainer.

Depending on the size and complexity of your organization, third-party risk assessment costs can top $30,000 per entity, an investment many healthcare companies already include in their annual IT budget.

But even working with a third-party vendor can be labor intensive without the right systems in place to help streamline the risk management process.

Making Risk Assessments More Manageable

One of the reasons risk assessments can be so burdensome for healthcare IT professionals is how difficult it is to manage all of the various aspects involved. That’s why we created BALLAST. We wanted to give healthcare IT professionals a better way to conduct risk assessments covering their protected health information.

We’ve also intentionally made this tool affordable so that healthcare organizations can benefit from it without having to invest significantly more in their cybersecurity risk management program.

If you want to learn more about how BALLAST can save you time (and potentially millions of dollars) by making the risk management process easier, connect with our team or sign up to schedule a free demo and get a specific quote today.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.