Canadian Underwriter
News

Cyberattacks to cost U.S. health systems US$305 billion over five years: Accenture


October 14, 2015   by Canadian Underwriter


Print this page Share

Cyberattacks over the next five years will cost health systems in the United States US$305 billion in cumulative lifetime revenue, suggests a new report from Accenture, a global management consulting, technology services and outsourcing company.

Released on Wednesday, the report, titled The $300 billion attack: The revenue risk and human impact of healthcare provider cyber security inaction,estimates that one in 13 patients – roughly 25 million people – will have personal information, such as social security or financial records, stolen from technology systems over the next five years. [click image below to enlarge]

Roughly 25 million people in the U.S. will have personal information, such as social security or financial records, stolen from technology systems over the next five years

For the study, Accenture used historical security breach data from the U.S. Department of Health and Human Services Office for Civil Rights to project the number of patients likely to be affected by healthcare provider data breaches from 2015 through 2019. Based on medical identity theft information by the Ponemon Institute, Accenture then calculated the number of affected patients who would become victims of medical identity theft and quantified the patient revenue that would be put at risk.

“What most health systems don’t realize is that many patients will suffer personal financial loss as a result of cyberattacks on medical information,” said Dr. Kaveh Safavi, managing director of Accenture’s global healthcare business, in a press release. “If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.”

Nearly 1.6 million people had their medical information stolen from healthcare providers last year, according to the Department of Health and Human Services Office for Civil Rights. Unlike credit card identity theft, where the card provider generally has a legal responsibility for account holders’ losses above $50, victims of medical identity theft often have no automatic right to recover their losses.

Nearly 1.6 million people had their medical information stolen from healthcare providers last year

Accenture projects that of the patients likely to be affected by healthcare-provider data breaches over the next five years, 25% of patients – or 6 million people – will subsequently become victims of medical identity theft. One in six (16%) of the affected patients – or 4 million people – will be victimized and pay out-of-pocket costs totaling almost US$56 billion over the same time period, the statement said.

Addressing cybersecurity proactively can improve a provider’s ability to thwart attacks by an average of 53%, Accenture research shows. Yet, according to the report, there is a significant gap in how well prepared they are to deal with such inevitabilities.

Accenture recommends healthcare providers take the following cybersecurity measures:

• Assess security capability and identify opportunities: determine where the organization currently stands and the level of resources required to support meaningful transformation;

• Manage complexity and integrate the enterprise: evolve the security program vehicle by establishing an end-to-end enterprise security program and integrate it with existing enterprise architecture processes to reduce complexity levels and produce outcomes valued by the business;

• Become agile: Embrace cloud and other emerging technologies to boost IT agility and reach customers faster and to capitalize on efficiency and cost benefit and do so within risk tolerances;

• Accelerate toward security intelligence: Adapt to handle new threats to the enterprise by developing threat-centred operations by developing a deep understanding of adversaries, their goals and techniques; and

• Develop end-to-end delivery and sourcing: Plan a delivery and operational strategy for each of the security services they offer to make a clear-eyed assessment of internal competencies for designing, building and deploying elements of a cybersecurity program.