How Hospitals Can Tie Cost Reduction to a Solid Data Security Program

Michelle Caswell, Principal, Healthcare Assurance Services, Coalfire

When I have conversations with hospitals and other organizations subject to HIPAA, one of the first questions asked is “if I have a data breach, will OCR fine me, and if so, how much?” Many organizations decide to gamble: they opt to save time and money by not implementing a robust information risk and compliance program on the chance that the Office for Civil Rights (OCR) won’t fine them in the event of a breach. Although OCR is the regulatory agency that enforces HIPAA, its fines are only one of the potential expenses an organization incurs from a data breach.

For example, a breach may damage an organization’s reputation because of the perception that the organization did not properly protect data, and repairing a reputation costs money. A recent study published in The American Journal of Managed Care found that “a hospital data breach was associated with a 64% increase in annual advertising expenditures.” The study included a sample of Medicare hospitals, and the data breaches involved included theft, loss, unauthorized access/disclosure, improper disposal, and hacking.

Of the study’s control group of 3,421 hospitals, 75 hospitals were breached. According to the study, “breached hospitals spent nearly three times more on advertising than the control hospitals (approximately $688,000 vs $238,000 for annual spending; $1,713,000 vs $551,000 for two-year spending).”

Some obvious risks of a data breach are the impact of the loss of patient data, regulatory fines, potential class-action lawsuits, and increased legal and consultative costs; however, a sometimes-overlooked cost is how a data breach affects a hospital’s competitive advantage in the marketplace.

Implementing an effective security program that assists in minimizing data breaches, or the damaging effects of data breaches, begins with the basics of information security and governance. Some examples include:

  1. Identify your sensitive data and know where that data lives
  2. Conduct regular risk assessments
  3. Create a culture of security awareness
  4. Document an enterprise-wide security program
  5. Have a good incident response plan in place, including training and testing of the incident response plan
  6. Continuously monitor your security program and update as needed
  7. Understand contractual requirements for breach notification

A mature information security and compliance program goes beyond the fear of OCR fines and penalties. It includes understanding the potential adverse effects of a breach and proactively implementing a program that safeguards patient data, assists in minimizing patient harm, and ultimately reduces your advertising budget. A strong security and compliance program keeps your organization viable in the ever-changing competitive landscape of providing healthcare to consumers.
