How finance execs can help address data breaches

Patient data breaches have typically been the bailiwick of the CIO and other healthcare IT executives, but new data suggest it might be time for the finance people to step in.

A study by the Michigan-based Ponemon Institute concluded that the average economic impact of a data breach on a healthcare organization during 2011 was $2.2 million, up 10 percent from 2010.

In an interview, Ponemon Institute founder Larry Ponemon indicated there were a half-dozen breaches in the past year that cost organizations $10 million or more. At that level, capital projects, charity care, and ancillary services could be affected.

Healthcare organizations also are getting sued for tremendous amounts. Sutter Health, which disclosed a breach last month, is facing a class-action suit asking for $1,000 per patient affected. That's $4.6 billion--half of the California hospital system's annual revenues.

Few organizations are immune from breaches. Ponemon's survey of 75 healthcare organizations showed that 72 of them experienced a breach that led to the loss or theft of patient data, a number that's also up from 2010.

More alarming is that many healthcare organizations are doing nothing to address serious shortfalls in their security. Nearly half of those surveyed said they have no policies or programs in place to safeguard the security of portable devices.

Part of that inaction is due to the unconventional working relationships hospitals have with their medical staffs. It's tough enough getting a doctor to wash their hands; nudging them to encrypt a smart phone they own and also likely use for personal matters is no doubt a delightful experience. Most healthcare professionals (physicians or not) are so focused on the physical safety of their patients that they see security as a peripheral issue, if not an impediment.

"In financial services, people are more likely to protect their smartphones with a password," Ponemon told FierceHealthFinance. "In the healthcare space, people are looking for convenience."

Nothing is more sobering in the workplace than the message that your mistake could cost the organization millions of dollars. But most IT people are not suited for making or conveying that message.

There's also an anti-communicative culture developing in response to breaches, no doubt abetted by those lawsuits seeking 10-figure payouts. This was borne out by a nearly farcical exchange I had with Stanford Hospital & Clinics spokesman Gary Migdol. I wanted to interview a particular IT executive regarding the "proactive steps" (my words) Stanford took after the mishandling of patient data by a contractor led to a breach. Not only did Migdol not attempt to secure an interview but he also wouldn't even say why when prodded. "You can ask me that question all day long and my answer will be the same," Migdol retorted testily.

Had Stanford reserved such steel-willed taciturnity for the privacy of the 20,000 patients who had their confidential records posted on, of all things, a homework website for kids, it might not be in this mess now. But that's a discussion for another time.

So, with the IT people not able to personally message the enormous costs of a data breach and the communications people clamming up, here is what the health finance executives can do:

• Crunch numbers and figure out what $2.2 million can buy for your hospital
• Make a list of those things
• Delegate to a marketing exec and a graphic artist the task of designing posters, fliers, and computer screen savers linking a breach to a specific loss (Suggestion: Base them on the striking "Loose Lips Sink Ships" posters deployed during World War II)
• Print posters and fliers and place them throughout the hospital
• Repeat as necessary

Such communiques are great publicity and they could possibly cut insurance premiums to guard against data breaches. They also could be used as a potential defense in case a breach occurs.

I'll admit it may sound absurd on some level, but so are those signs in hospital elevators telling healthcare professionals not to discuss their patients within earshot of strangers. Years have passed since they have even rolled their eyes at that admonition. It's time to try something new. And as the numbers suggest, simply doing nothing costs too much. - Ron (@FierceHealth)