When you are attentively (?) listening to the security announcements before a flight, they instruct each passenger to put their own oxygen mask on first, before helping others. The rationale is understandable in an emergency situation, and whether the health sector recognizes it or not, the cybersecurity of many healthcare organizations is at a critical, emergency stage. The solution to this is not necessarily spending more money on cybersecurity investment, but rather using appropriate safeguards and focusing on their effectiveness.

In 2018, over 15 million health records were breached. That number was dwarfed in the first half of 2019 when 32 million records were compromised. Admittedly, one of these was a whopper — the American Medical Collection Agency had 24 million records stolen — and soon after AMCA filed for bankruptcy. So much for the callous thinking that breaches are simply a cost of doing business.

The crisis that the health sector must address is that the average cost per breached health record is $429 according to the IBM 2019 Cost of a Data Breach Report. The second highest record cost is for the financial services sector, but IBM reports that this is less than half the cost of health at $210 each. Why is that, given the highly regulated nature of these two sectors? One aspect is certainly investments in security. Healthcare Finance News reported in July 2019 that the health sector typically invests 4-7% of revenue in cybersecurity, while the financial services sector is in the 15% range.

Whether healthcare organizations and their business associates choose to increase their investments, the real shift of perspective needs to be how security is built into operations. Coming back to the oxygen mask, security within healthcare must become like breathing: it’s automatic, and not a bolt-on.

The best way to do this is to start with an assessment of how defensible an organization’s security posture is. Security and the associated administrative, technical, and physical components must not only effectively defend against most attacks but must also be sufficiently systematic so that the likely inquiry from the HHS Office of Civil Rights or state attorneys general will be satisfied that the organization was doing all the right things. While that will not deter the plaintiffs bar and their class action complaints, OCR, the FTC, and other regulators understand that there is no such thing as perfect security.

A security assessment (preferably coordinated with security consultants for the more technical review) will also deliver an independent, privileged view of gaps and opportunities for improvement. Because the fact of life is that organizations will be hacked, will lose PHI, and will be scrutinized. In the end, the health sector needs to fix its weaknesses before valuable resources are involuntarily shifted to crisis management, litigation, and regulatory fines.