You collect data. And they are incredibly valuable — 10 time more valuable than the type of data thieves swiped in big-name data breaches at Home Depot or Target.

They are risky, too.

You have identifying details, including Social Security numbers, addresses, birthdates, medical info, next of kin info and other information that could be used to build an identity, even if hackers only obtain some of the data. In the wrong hands, those data could result in financial ruin to you, your residents and their families.

When you consider that 61% of cyber attacks in 2016 targeted small businesses, you see that size doesn’t matter. Neither does your level of sophistication; paper records are equally as risky as records that reside on a computer or are stored in the cloud.

The problem is simply that you collect data, and it adds up to a huge financial risk for the following reasons:

  1. In healthcare, you’re bound by law to keep data secure. Fines associated with HIPAA breaches can vary widely depending on the type, quantity and reason records were breached. For example, in 2017, the Department of Health and Human Services announced it had reached a settlement of $2.5 million with CardioNet after a single laptop with 1,391 personal health information records was stolen from an employee’s car. Higher fees and punishments — and criminal charges — for individuals involved tacked on by states aren’t out of the question either. Although a low-level fee with fine may cost as little as $100 for a single incident, legal fees and the long-term effect of a breach can drive that cost much higher.
  2. Your customers assume you’re keeping data secure … and accessible. Although “data security” itself may not be a selling point, a data compromise is a fast way to drive customers away. Last year, security firm Gemalto surveyed more than 10,000 individuals worldwide and found that 67% of consumers would stop doing business with a company that experienced a data security breach, and a whopping 93% also would consider legal action against the company that allowed their data to be compromised. In addition to a potential loss of future business, day-to-day operations can be halted, too. A ransomware attack on the National Health Service in the United Kingdom resulted in affected healthcare organizations being unable to gain access to patient health records until a fine of more than $500,000 fine was paid.
  3. You’ll have to pay to fix the problem. Whether the cyber attack comes in the form of ransomware or a data compromise, fixing the problem always is costly. Healthcare data breaches, in fact, are more costly than data breaches in other industries, totaling an average of $402 per record compromised, according to information released by the Ponemon Institute in 2017. Costs frequently include ransom payment, defense of related lawsuits and settlements, incident response and the actual repair of the problem. Costs not factored in include future training, process and system updates, public relations mitigation and prevention efforts.

There are several proven actions you can and should take to reduce the risk of a data breach at your senior living community, including training employees on data risks and proper data-handling procedures, updating passwords, running data breach drills and more, but the key word here is “reduce.” It’s not “eliminate” — with 91% of healthcare organization reporting an attack on data in the past two years, no matter how iron-clad your prevention efforts, you won’t eliminate the risk, which means it’s almost guaranteed that your facility will be affected by a data security breach.

That’s why it’s smart to have a plan in place to protect your facility from a disastrous fallout. Include the following:

  1. Invest in a designated cyber insurance policy to reduce the costs of fixing the problem, whether it’s a ransomware situation or stolen data. A technology clause on your facility’s insurance policy won’t cover cyber theft.
  2. Connect with a cyber forensics team as soon as possible to determine what data were compromised and to start the process of repair. Your cyber insurance agent should help you assemble a team to find the problem and stop the data leak. Call your agent as soon as a breach occurs.
  3. Get in front of the problem with a PR announcement. Again, turn to you your cyber insurance agent for assistance, because he or she already should have worked with your team to establish a course of action before the breach.
  4. Contact victims of the data breach as early as possible and tell them what information was compromised and the steps to prevent it from happening again.

Today, it’s less of a matter of whether you’ll have a data security breach and more of a matter of when. But if you take steps to mitigate the impact of a breach, then you can recover.

Kyle Taylor is a client adviser at Buckner with more than 15 years of experience in the senior living industry. Reach him at ktaylor@buckner.com.