Realistic HIPAA security budgets vs. wishful thinking.

By: Tod Ferran
HIPAA is rarely given the budget it needs to be implemented well enough to actually protect patient data. And I’m not just talking about small organizations with limited security budgets. Lack of budget is a plague that affects even a large organization’s risk and compliance officers.

I hope this post will give you the information you need to get those budgets boosted, and better secure your entity!

SEE ALSO: Five Things to Consider When Making a HIPAA Security Budget

What does the HHS think HIPAA compliance costs?

The HHS gave an interesting estimate (see Table 1) of how much HIPAA compliance would cost when it released the HIPAA Final Rule.

Per organization, they estimated:
  • $80 for an updated Notice of Privacy Practices
  • $763 for breach notification requirement updates
  • $84 for business associate agreement updates
  • $113 for security rule compliance
Grand total per organization: $1,040

In my opinion, this estimate is grossly inaccurate, especially given the complexity of the Security Rule. The Security Rule added 75 new requirements and 254 validation points that organizations must validate against, most of them quite technical.

For those unaware of what I mean by validation points, here is an example:

164.308 – Acquire IT Systems and Services (1 requirement)
Based on the OCR audit protocol, here are the validation points:
  • Interview management to verify that policies and procedures (P&P) exist
  • Determine if the P&P are approved and updated on a periodic basis
  • Obtain and review the documented policy (what is required) and procedure (how we are supposed to accomplish the task)
    • Where are the P&P stored?
    • How are they disseminated to staff?
    • How do we document that staff have read, understand, and agree to abide by the policy?
In this one example you can see that a single requirement (1 of 75) has three core validation points (3 of 254), plus several more minor validation points beneath them.

Looking at the math, the HHS’ estimated $113 for the Security Rule works out to roughly $1.50 per new requirement, and well under a dollar per validation point. Do you really think healthcare entities could accurately validate against each new security point for that much labor, technology, and implementation? That’s not even taking into account that you will likely need to add, or at the very least upgrade, some of your hardware and applications.

Variables that affect HIPAA compliance cost

The cost of HIPAA compliance depends entirely on your organization. Here are a few variables that will factor into the cost of your overall compliance.
  • Your organization type: Are you a hospital, business associate, HIE, healthcare clearinghouse, or another type of healthcare provider? Each will have varying amounts of protected health information (PHI) and varying risk levels.
  • Your organization size: Typically, the larger the organization, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments means more HIPAA cost.
  • Your organization’s culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budgets to HIPAA, because they don’t understand their organization’s security liabilities.
  • Your organization’s environment: The type of medical devices, the brand of computers, the kind of firewalls, the model of backend servers, etc. can all affect HIPAA compliance cost.
  • Your organization’s dedicated HIPAA workforce: Even with a dedicated HIPAA team, organizations usually require outside assistance or consulting to help them meet HIPAA requirements.

The cost of a data breach

To the individuals who believe paying fines after a breach makes more financial sense than paying for the protection of HIPAA compliance beforehand, here are a few data breach costs, fines, and penalties you may not have considered.
  • HHS fines: up to $1.5 million/violation/year
  • Federal Trade Commission fines: $16,000/violation
  • Class action lawsuits: $1,000/record
  • State attorneys general: $150,000 – $6.8 million
  • Patient loss: 40%
  • Free credit monitoring for affected individuals: $10-$30/record
  • ID theft monitoring: $10-$30/record
  • Lawyer fees: $2,000+
  • Breach notification costs: $1,000+
  • Business associate changes: $5,000+
  • Technology repairs: $2,000+
SEE ALSO: How Much Does a Data Breach Cost Your Organization?

When you look at the outrageous sums paid by organizations in violation of HIPAA, it’s obvious the consequences are meant to seriously hurt those who don’t adequately protect patient information.

So, how much does HIPAA compliance cost?

Before I answer that question, let me pose another. Do you know what you’re actually paying for when you outsource HIPAA compliance?

If you are a large provider, you’ll probably benefit most from an onsite HIPAA compliance audit. Security experts examine your organization for security risks, provide guidance as you remediate any problems, and consult on the implementation of any outstanding HIPAA requirements.

Your onsite auditor should work with you to complete both your HIPAA risk analysis and risk management plan. Learn the pros and cons of a HIPAA audit here.

If you don’t have the budget for an onsite audit, you’ll need to find a HIPAA expert to help you get through the risk analysis and risk management plan process. Look for an expert who offers great technical support when you have questions. Experts will likely recommend you receive external vulnerability scans to find weaknesses in your systems, and hire penetration testers (ethical hackers) to test your system. If you haven’t already, you’ll likely need to purchase HIPAA policy templates and start your employee training.

Taking all the above into consideration, and remembering that this estimate I’m about to provide is completely dependent on your organization, here’s how much HIPAA compliance should cost your entity:

If you are a small covered entity, HIPAA should cost:

  • Risk Analysis and Management Plan ~ $2,000
  • Remediation ~ $1,000 - $8,000
  • Training and policy development ~ $1,000 - $2,000
Total: $4,000 - $12,000

If you are a medium/large covered entity, HIPAA should cost:

  • Onsite audit ~ $40,000+
  • Risk Analysis and Management Plan ~ $20,000+
  • Vulnerability scans ~ $800
  • Penetration testing ~ $5,000+
  • Remediation ~ Varies greatly based on where entity is today in relation to compliance and security
  • Training and policy development ~ $5,000+
Total: $50,000+, depending on the entity’s current environment


Ignoring HIPAA, or going after it half-heartedly is a recipe for disaster. As an industry, healthcare is far less secure (by about 10 years) when compared to the retail world. Think about Target, Home Depot, PF Chang’s, and others breached in 2014. Do you realize that health data is worth 20 to 50 times more than credit card numbers?

There are serious risks to the patient data that has been entrusted to you. As a healthcare provider, you have a responsibility to secure and protect your patient information. It’s time to stop putting HIPAA off, looking for excuses, or claiming that you don’t have the budget to protect your patient information. It’s time to start securing that data by becoming HIPAA compliant.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.
