3 Practical Steps to Better Protect Your Healthcare Business (and Reputation) from Data Breaches
“...almost every month last year more than 1 million people were affected by data breaches at health-care organizations.”
— US Dept of Health and Human Services
Over the past year, the healthcare industry has widely embraced the use of telemedicine and digital health platforms largely as a response to the COVID-19 Public Health Emergency. Not surprisingly, the industry also saw a significant rise in the number of cyberattacks.
Data is rapidly becoming one of the most valuable assets in the healthcare market, putting digital health companies that collect and process large amounts of personal data at higher risk than many other types of businesses.
If you have a healthcare business, then you’ll want to keep reading to understand:
How the laws and regulations safeguarding personal data work—as well as the potential penalties for non-compliance you’ll want to avoid;
What business benefits you’ll gain from strengthening your company’s privacy protections—and the business risks of maintaining substandard practices; and
What 3 practical steps your business can take now to enhance data privacy and security infrastructure.
What healthcare business leaders need to know about privacy laws and regulations
The Health Insurance Portability and Accountability Act (HIPAA) is the most comprehensive federal law focused on protecting sensitive healthcare information. HIPAA not only applies to providers, health plans, and healthcare clearinghouses that bill payers or sell certain products direct to employers (“Covered Entities”) but also those who receive or otherwise access Covered Entities’ protected health information (PHI) (“Business Associates”).
Covered Entities must comply with HIPAA’s three major rules: The Privacy Rule, The Security Rule, and The Breach Notification Rule. Both Covered Entities and Business Associates are obligated by HIPAA to protect PHI in their possession in accordance with a detailed set of controls defined in the law’s Security Rule, and there are often additional restrictions imposed on Business Associates in the required “Business Associate Agreement” between each Covered Entity and Business Associate.
Importantly, there are numerous players in the telehealth space including digital health apps and medical device companies that collect sensitive healthcare information, but which are not subject to HIPAA. For example, a company that sells or provides software to a Covered Entity but does not access or ingest PHI would not be subject to HIPAA. Consumer digital health tools built on cash pay revenue models are also often not subject to HIPAA.
Just because your company is not required to comply with HIPAA does not mean you are in the clear. There are other state, federal, and international laws and regulations that may be applicable.
FTC Section Five. For example, Section 5 of the Federal Trade Commission Act prohibits “unfair or deceptive acts or practices,” which can include a failure to honor commitments in company privacy policies or to adopt reasonable security safeguards. Although the FTC does not have the authority to issue monetary penalties, it has the power to issue injunctive relief, which can effectively shut down a company if it does not adhere to reasonable data privacy and security standards. For example, the FTC recently exercised its Section 5 authority to shut down the company SpyFone, ban its CEO from participating in the surveillance business, and order the company to delete all stolen data.
State Privacy Laws. Individual states also have their own privacy laws and regulations, which may trigger duties and responsibilities separate from the federal laws listed above. For example, California enacted the California Consumer Privacy Act (CCPA), which applies to businesses that either have $25 million or more in annual revenue, possess the personal data of more than 50,000 “consumers, households, or devices,” or earn more than half of their annual revenue selling consumers’ personal data.
GDPR. If your business stores or processes personal data of EU residents, your business may also be subject to the General Data Protection Regulation (GDPR). The GDPR is a comprehensive general data privacy regulation that comes with a long list of requirements related to data storage, processing and consumer privacy rights. The penalties for violating the GDPR can be significant, so it is crucial to be aware of the requirements for compliance if your business has a presence in the EU.
(Learn more about how privacy laws impact your digital health business in this info-packed webinar.)
What your healthcare business gains from strengthening privacy protections—and risks if you continue substandard practices
There are significant risks associated with maintaining a substandard data privacy and security infrastructure for your company. The healthcare sector is the most vulnerable to cyberattacks and data breaches, accounting for nearly half of all data breaches. Not only has the incidence rate of data breaches gone up (it spiked 55% in 2020), the average cost per breached healthcare record also increased, rising from $429 to $499 in 2021, meaning that these frequent events are more costly to businesses than ever.
The most obvious risk is that sensitive data in your control becomes compromised in a breach or cyberattack. These events can be catastrophic for a company depending on the extent and severity of the breach and the speed at which the company responds to these incidents. For example, noncompliance with HIPAA can result in severe penalties, ranging from $100 to $50,000 per violation depending on the level of negligence. The most egregious violations can also result in criminal charges and jail time. Just last year a health insurance company received a nearly $7 million fine for HIPAA violations, with authorities citing systemic neglect, including failure to conduct a risk analysis, implement risk management, or put audit controls in place, as the root cause. In addition, HIPAA violations by Business Associates can be the basis of breach of contract claims, resulting in monetary damages and often cancellation of lucrative contracts.
As mentioned above, violation of the FTC Act can mean a complete halt of business operations, and violations of GDPR can mean significant fines and penalties. For example, Amazon’s July 2021 earnings report recently highlighted a staggering $877 million GDPR fine, due in part to the company’s failure to obtain consent for cookies on its website. The monetary damages can be staggering and potentially enough to fold a company. One in five small businesses falls victim to a cyberattack, and of those, 60 percent go out of business in six months.
Another business risk associated with these cyberattack incidents is reputational damage, including loss of current and potential customer goodwill and trust, which in some cases can threaten a company’s future more significantly than breach-related monetary penalties in the long run.
You don’t want to be the digital health version of Equifax, a company whose Buzz Score (an indication of how negative or positive people feel about a brand) fell 33 points in the first 10 days after the hack was publicized.
In a constantly evolving privacy landscape, being ahead of the game or anticipating potential trends in data policy can help avoid significant business risks. It can also give your business a competitive advantage in the increasingly saturated digital health market. Larger digital health customers like hospitals and self-insured employers are increasingly requiring a demonstrably compliant privacy and security infrastructure as a minimum threshold for engagement.
And that's what we’re going to talk about next.
What 3 practical steps your business can take now to enhance data privacy and security infrastructure
Get ahead of the law
The nationwide focus on privacy law and regulations has exploded in recent years as a result of our increasingly digitized world. Many states have proposed and are starting to implement their own specific privacy laws – some of which provide more stringent requirements than the Federal laws outlined above.
These policies are changing so rapidly that it can be difficult to keep up with every new change and it may be overwhelming for companies to navigate. We know—this is one of the services we offer to clients when they add us to their internal privacy teams.
One important thing your business can do is to anticipate these changes in advance and build your company with privacy and security embedded into the foundation of your business. This is especially important for new digital health businesses—it is easier to create these protocols at a company’s inception than to break and rebuild later. The concept of privacy by design can be implemented into your business model by ensuring that your company promotes visibility and transparency in how data is collected and used, always keeping the user in mind. Businesses should commit to providing end-to-end security and consider privacy throughout the entire device or application life cycle, from collection through deletion, and proactively mitigate any potential privacy risks.
If your company is already well established, there are still plenty of opportunities to improve system processes, policies, and protocols. Requirements consistently change and may differ from state to state. One way to be proactive about these changes is to check in with your internal privacy team monthly and constantly monitor, assess, and reevaluate your privacy and security infrastructure to determine whether any changes need to be made. At Nixon Gwilt Law, we outline a business risk overview for each client and provide frequent updates in response to new regulations as they impact the business. This way clients always know at a glance what needs to change and when, so they don’t interrupt business flow and revenue. We can also answer questions like “Do I need to get a SOC II audit?”, “As I expand my business, what new State or international privacy laws will apply?” and “How do I respond to my customer’s data security questionnaire or Information Security Agreement (ISA)?”
Prioritize high-efficiency areas
Digital health companies are stretched thin given the incredible spike in demand for virtual care services, and there may be limited resources to comprehensively overhaul privacy and security infrastructure. So it’s important to be strategic about the investment. As a digital health leader, you’ll want to understand and evaluate which laws apply to you, where your gaps are, and what mitigations you need to implement. Then, you can make strategic decisions about which mitigations are needed in the immediate and long term. Focusing on high yield areas can help your business more efficiently allocate its resources while still making tangible improvements to your privacy infrastructure and significantly reducing your risk of breach. One of the most valuable services we provide clients is helping them understand what they need to do to remain compliant, what they can safely put off, and what can be completely ignored based on their type of business.
Preventative measures are the cheapest and most effective way to help your business in the long run and a major part of prevention is understanding the potential for problems. We cannot emphasize enough the importance of monitoring the field for updates in privacy laws and regulations. Routine monitoring and regularly conducting risk assessments for your business can help flag issues that may not be readily apparent at a cursory overview.
Focus on the frontline—your frontline workers, that is
Your people can be your greatest privacy and security risk. You can have the best infrastructure in the world, but still be susceptible to breach through employee phishing scams, loss of unsecured personal computers containing healthcare data, or other failures to adhere to established protocols. For example, more than half of all healthcare data breaches in 2019 were a result of employee phishing attacks. The most secure companies do more than simply train their workforces to understand and implement privacy protocols—they truly invest in a culture of compliance.
Some practical steps your company can take to embed privacy into the employee life cycle are creating clear employee operating policies, consistent training, and continual HR and executive reinforcement. Investing in your frontline will pay off in more ways than one and can be critical in encouraging employees throughout your business to take ownership of protecting privacy.
Why healthcare businesses rely on privacy experts to support their efforts
At the end of the day, maintaining adequate data privacy and security is a concern for any business but is especially critical in the healthcare sector due to the quantity and sensitive nature of data collected.
The legal and regulatory framework for data privacy law can be complicated and difficult to navigate, and the risks of noncompliance can be astronomical.
“If you think compliance is expensive, try non-compliance.” — Former US Deputy District Attorney Paul McNulty
Many new companies don’t know where to start. And established businesses may not know what they need to fix or update over time.
Nixon Gwilt Law helps both types of companies through a comprehensive assessment of company privacy practices and existing infrastructure, ensuring privacy policies and terms of use are compliant with the most recent regulations. We also advise companies on changing state and federal requirements as they expand to different geographic markets.
If you’re worried about your company’s exposure but not sure you’re ready for a full assessment, then you may want to check out our Digital Health Privacy Exposure Audit.
This low-investment, high-impact service is the Executive Summary you need to better understand what specific privacy gaps or enforcement priorities could impact your funding or partnership opportunities, how to mitigate those concerns, and when you’ll need to address them to keep your plans on track.