Study Reports on Lasting Impacts of Data Breaches
For healthcare organizations, maintaining security and protecting patient information are paramount to successful day-to-day operations. With so many rules and regulations governing healthcare data and protected health information (PHI), both providers and payers are expected to safeguard sensitive information effectively. Yet despite this expectation, and despite the effort that goes into security and compliance, breaches still happen regularly.
When a data breach occurs, healthcare organizations that have prepared for HIPAA-related incidents will spring into action. While that preparation helps to mitigate some of the damage, a breach has repercussions that many organizations appear not to have planned for. According to a recent Ponemon Institute study on the impact of data breaches, some of the least anticipated effects of a breach can also be the most far-reaching.
The Ponemon Institute study surveyed IT operations and information security professionals, communications professionals, senior-level marketing professionals and consumers about their recent breach experience. Of the 549 consumers surveyed, 62% reported having been notified by a company or government agency within the last two years that their data had been exposed in a breach.
Breaches Take a Toll on Reputation
With these numbers, one thing is obvious: breaches happen, however hard organizations try to prevent them. But despite how routine breaches have become, the Ponemon Institute's study shows that many organizations are unprepared for the impact a breach has on reputation and share value. The study tracked the share prices of 113 publicly traded companies for 30 days before a data breach and for 90 days after it. Post-breach, the average share price dropped by 5%. Reputation and consumer loyalty were also affected: 31% of consumers surveyed said they had ended their relationship with an organization after it was breached, and 65% reported a loss of trust in organizations that suffered one or more data breaches.
Breaches are Inevitable: Aim for Complete Preparedness
As with many security and compliance issues, the most important step an organization can take is to prepare for a breach before one occurs: specifically, to have a rapid response plan in place that every member of the organization is trained on. The Ponemon Institute's study found that organizations that responded immediately to a security incident still saw a decline in share value, but regained that value after an average of seven days. By contrast, a breach at an organization with a poor security posture and a slow response could produce a decline in share value lasting as long as 90 days.
The good news for healthcare organizations
The study also found that consumers trust healthcare organizations most when it comes to protecting sensitive information. Even though healthcare organizations account for 34% of all data breaches in the study's figures, 80% of consumers reported trusting their healthcare providers to protect sensitive information. Credit card companies, by comparison, are trusted far less: only 26% of consumers report trusting their credit card company to protect their data, despite the fact that only 4.8% of the data breaches are tied to credit card organizations.
The takeaway for healthcare organizations
If your organization has comprehensive HIPAA compliance protocols and best practices in place, responding quickly to a data breach should be second nature. In last week's blog post, we looked at OCR's messaging around HIPAA breach response time: OCR's preference is that organizations respond to HIPAA breaches as soon as possible, and the Breach Notification Rule itself requires that affected individuals be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered. The Ponemon Institute's study adds a further incentive to respond as soon as a breach is discovered: a fast response could be what preserves your organization's reputation down the line. Take time to review your organization's documentation on HIPAA breaches and how to respond to them. If you partner with a Business Associate (BA) that also handles your PHI or other sensitive information, review that documentation with them as well, and always make sure a Business Associate Agreement (BAA) is in place to help safeguard compliance. For more information on HIPAA compliance and related standards, download our compliance white paper here. If you are looking for an online HIPAA-compliant fax provider or document management system, contact us today with your questions.