Data breaches over the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue, according to a new report from Accenture. The increase is driven by the significant growth in adoption of EHRs and other healthcare technology solutions, which has created a wealth of electronic information that includes patient data such as dates of birth, home addresses, social security records, insurance details and medical data.
Nearly 1.6 million people had their medical information stolen from healthcare providers last year, according to the U.S. Department of Health and Human Services Office for Civil Rights. Unlike credit card identity theft, where the card provider generally has a legal responsibility for account holders’ losses above $50, victims of medical identity theft often have no automatic right to recover their losses.
As a result of this new-found abundance of patient data, Accenture estimates that 1 in 13 patients – roughly 25 million people – will have personal information, such as social security or financial records, stolen from technology systems over the next five years.
“What most health systems don’t realize is that many patients will suffer personal financial loss as a result of cyberattacks on medical information,” said Kaveh Safavi, M.D., J.D., managing director of Accenture’s global healthcare business in a statement. “If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.”
Accenture projects that of the patients likely to be affected by healthcare-provider data breaches over the next five years, 25 percent of patients – or 6 million people – will subsequently become victims of medical identity theft. One in six (16 percent) of the affected patients – or 4 million people – will be victimized and pay out-of-pocket costs totaling almost $56 billion over the same time period.
“In the end, when a breach occurs, the goal is not to say ‘what is our plan,’ but, ‘how is our plan working?’” Safavi said.
5 Actions Healthcare Providers Can Take to Develop Effective Cyber Security Measures
To prevent revenue loss on this scale, healthcare providers must prioritize improvements of their cyber security in order to thwart attacks that aim to steal patient data from clinical and financial systems. Moving to active defense strategies can improve cyber security effectiveness by an average of 53 percent over two years, Accenture research shows.
Accenture recommends five actions providers can take to handle vulnerabilities and mount an active defense to meet and deflect attacker advances:
1) Assess security capability, identify opportunities
Determine where the organization currently stands and the level of resources required to support meaningful transformation.
2) Manage complexity and integrate the enterprise
Evolve the security program vision: establish an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business.
3) Become agile
Embrace the cloud and other emerging technologies to boost IT agility and reach customers faster, capitalize on efficiency and cost benefits, and do so within risk tolerances.
4) Accelerate toward security intelligence
Adapt to handle new threats to the enterprise by developing threat-centered operations built on a deep understanding of adversaries, their goals and techniques.
5) Develop end-to-end delivery and sourcing
Plan a delivery and operational strategy for each of the security services they offer to make a clear-eyed assessment of internal competencies for designing, building and deploying elements of a cyber-security program.
Accenture used historical security breach data from the U.S. Department of Health and Human Services Office for Civil Rights to project the number of patients likely to be affected by healthcare provider data breaches from 2015 through 2019. Based on medical identity theft information by the Ponemon Institute, Accenture calculated the number of affected patients who would become victims of medical identity theft and quantified the patient revenue that would be put at risk.