The Best Medicine: Data Protection in the Healthcare Industry

The threat of data breaches continues to grow for the healthcare industry. During the last two months of 2020, healthcare organizations in Canada saw a spike in ransomware attacks, with an increase of over 250%. Shred-it’s 2021 Data Protection Report found that 56% of healthcare organizations surveyed have experienced a data breach and almost a third of healthcare organizations surveyed experienced a data breach in 2021.

This growing threat affects healthcare organizations from a financial and regulatory perspective. IBM’s 2021 Cost of a Data Breach Survey found that data breaches in the healthcare industry cost on average $9.23 million USD ($11.56 CAD), the most expensive of any industry and nearly $4 million more than the average cost of a data breach in the financial services industry, which ranked second. The funds lost to data breach recovery, which includes costs of legal fees, internal and external communications, assessments, and more, could be used to support and recruit healthcare staff, provide better amenities for patients, or even promote hospital sustainability initiatives.

A data breach can also put organizations at risk of potentially violating Canadian Healthcare Privacy Legislation, if personal health information (PHI) is exposed. Most provinces and territories have their own healthcare privacy legislation. In Ontario, the Personal Health Information Protection Act (PHIPA) gives individuals the right to be notified of the theft or loss or of the unauthorized use or disclosure of personal health information. Data breaches can lead to lawsuits, lost patients, and negative press coverage.

Data breaches can threaten not only sensitive patient data but also healthcare employee data. This can damage the trust between healthcare employees and their organizations, which could worsen the current healthcare staffing crisis.

Given the high financial and legal stakes of a data breach in the healthcare industry, organizations should take steps to help ensure the integrity of the healthcare facility’s private information and protect patients’ sensitive data. According to Shred-it’s Data Protection Report, only 64% of healthcare organizations surveyed have information security policies in place, and only 1 in 3 perform regular vulnerability assessments. However, additional findings from the 2021 Data Protection Report may suggest that healthcare organizations are better prepared to handle a data breach if one occurs because three in five healthcare organizations surveyed have an incident response plan in place to address a data breach. Only 35% of healthcare organizations surveyed in the 2021 Data Protection Report stated that it took a few weeks to resolve their most recent data breach, the lowest of any industry.