This week on the HIPAA Vault Show we talk about how much a healthcare business should be spending on cybersecurity. We discuss the different cost areas and how to determine the best investment for your organization.

Transcript:


Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine. I’m joined, as always, by the CTO and founder of HIPAA Vault, Gil Vidals. Hey, Gil. 


Gil
Hey. I’m ready to go today. 


Adam
Yeah, I’m ready too. Last week we talked about API management and HIPAA compliance. This week, we’re going to talk about how much healthcare companies should be spending on cybersecurity. Emphasis on the word should there. So, as a brief intro, when it comes to cybersecurity, there’s no one-size-fits-all budget. Of course, for healthcare businesses, the amount spent can vary based on factors like organization size, the types of data that are being handled, and specific cybersecurity risks. But today, we’re here to discuss at a high level, and then dive a little bit deeper into, the key cost areas every healthcare business should consider. So let’s take a closer look. In terms of a high-level overview, we found some research on the budgeting, and according to HIMSS Analytics, healthcare organizations in the USA typically spend between 4% to 7% of their annual revenue on IT. So 4% to 7%, according to HIMSS Analytics. 


Adam
And this percentage, of course, is the general IT budget. It includes expenses related to hardware, software, personnel, infrastructure, cybersecurity, and other IT-related services. Then if we dive deeper into the cybersecurity portion, that research, also from HIMSS, shows that roughly 6% of that IT budget is spent on cybersecurity. So if we break it down, let’s just say a fictitious company that has a revenue of $1 million a year, it’s likely spending $60,000 a year on IT. And of that, just under $4,000, $3,600 a year, on cybersecurity. Now, that is what’s actually happening, in terms of HIMSS Analytics’ research of existing companies. They researched hundreds of healthcare businesses. Maybe, Gil, first of all, if you could comment on that research, are there any surprises there? And then also maybe we’ll move from what is actually happening to recommendations in terms of what the spend should be, and then on to what areas that spend is allocated to. 


Gil
Yeah, the amount spent is an important one because the smaller the business, usually they have a much tighter budget, and it’s challenging, right, to spend on another shiny technological toy that the IT guy is asking for. But in this day and age, the healthcare providers, I think, need to understand what’s at risk. So let’s say the healthcare provider or the medical office decides to say, well, we don’t want to pay for that. So what’s happening is that if there is some kind of a breach and patient records are leaked out, the average cost a few years ago was about $250 per year per patient record. And you have to pay basically for identity management. So for every patient who had their record compromised, you have to buy them a $250-a-year plan where they can have this identity theft alerting system that lets them know if someone’s using their individual and private information out there on the Internet. 


Gil
And as you can imagine, if you had even 1,000 records taken and you paid $250, the first year it’s $250,000, and the next year another $250,000, you’re at $500,000. Just like that, right? You barely had a little breach and boom, you’re at half a million. So you need insurance, and you have to consider, I need IT security tools, because I’d rather pay that slowly over time rather than getting hit with a $500,000 bill. So always keep that in mind, because sometimes we get too caught up in the moment, like, well, I don’t want to spend that $3,000, that’s a lot of money. Well, in the context of the potential risk, that $3,000 seems like a pittance. You have to kind of balance that. So I think that kind of puts it in perspective. 


Adam
Yeah, I see your point there. And then also, I guess in the case of a breach, what this research probably isn’t showing is that the legal costs are probably factored into that as well if there is a breach. 


Gil
Yeah, you’re right. What I described is just the identity management tool that you have to subscribe to on behalf of each one of your patients that have their records stolen. But yeah, you have your attorney fees that can easily mount up. Most attorneys charge between $300 and $400 now per hour. So you’re looking at at least $20,000 to $30,000 right off the bat. Yeah. 


Adam
So we mentioned insurance there as being a key part of cybersecurity. Are there any other areas to look out for? 


Gil
Yeah, I think compliance and regulatory is a good one too. So for medical offices, they should have a compliance platform. And we like Compliancy Group, that’s a good one. There are others, there’s HITRUST, I can’t remember a third one, but Compliancy Group, I know that they will help by having a coach, a compliance coach, available to the end user. And it’s a few thousand dollars a year. Because you have a company that’s an expert in this, and they’ll make sure that if you get audited, you have all your records in place, all your policies and procedures in place, that you have the training for each employee, and you keep logs, and they will watch that and they’ll help you. So once a year you could talk to them on the phone. They’ll go through everything. 


Gil
So if you were to get audited, you’d have peace of mind. When the auditor comes in with their little checklist and says, show me the logs of your training for all your staff, and you’re like, what training and what log? You don’t even have that, right? That looks really bad. So if you have Compliancy Group or somebody like that, they will make sure you have all those records. By the way, I know they have a good track record as well. If you’re using their systems, you don’t get fined by the auditor, right? You’re going to come away with, hey, you’ve done a good job. And even if you’re deficient, I think this is an important point. Even if you get audited and you don’t have a perfect score, the idea is the auditor is going to say, well, you did your due diligence, you were working the system, you weren’t negligent, you pass. 


Gil
Even though you have certain gaps, certain things that you weren’t doing properly or completely, that’s just notated and then you get a chance to rectify that. But that means you have to have a plan. If you have zero plan, then that’s when you’re really going to be hurting, because that’s considered negligence. 


Adam
Okay, so that’s on the documentation framework side of things. What about boots on the ground, on the battlefield that is cybersecurity? Are there any kinds of services that can be employed to battle-harden or test that security posture which you planned on implementing? 


Gil
Right, well, at HIPAA Vault we have a couple of different types of customers. Really three different kinds. But take the healthcare developers. We have a lot of customers that are healthcare app developers; they’ve developed maybe a scheduling program that can be used by an office, or maybe they’ve developed some add-on to an EMR system or whatever. You can imagine there’s a million different kinds of apps. Those kinds of clients, they’re not in a medical office, they’re not handling patient information directly. They’re selling their app to a hospital or to a medical office, and then they’re using that app. So for those kinds of customers, it’s important that we, as their provider for the website and their web data, can show them that we in the cloud have a really top-notch security team and top-notch security tools and all of that. 


Gil
So that’s one way to look at it, and we can help them with that. But on the other side are customers who are working in medical offices and hospitals, and they should be testing, using some kind of pen testing, third-party testing, once a year to make sure that everything is protected adequately. And inevitably, in those tests, you’ll find vulnerabilities, and they have to document and mitigate those. 


Adam
So penetration testing, could you elaborate on that a little bit? What goes into it? 


Gil
Yeah. So when you have testing, typically you have some kind of a scan. Let’s say you pay for a scan, either your own scan or you pay a company that scans your website, or maybe they scan your office IP if you have a medical office. And they basically report, they come back to you and say, hey, we found these vulnerabilities, we found these weaknesses. So that’s kind of a base level that’s not terribly expensive. The next level after that is to get a pen tester. A pen tester is an actual human being, whereas the scanner is just a machine or a piece of software that scans, and then you have a report and you have to pay for that. But the pen tester is literally a person, they are experts, and they will take the report or create their own scan report, and they’ll say, hey look, I found these weaknesses. 


Gil
And then they try to push through those weaknesses. They literally try to hack through, exploiting the weaknesses and maybe reaching in and showing you, hey, I was able to get some of this data. And so they’re able to exercise and try out these exploits, and then they can really tell you for sure, you have something that I could exploit. That’s much more expensive, because in that industry of white hat versus black hat, these hacker guys that are hired to do this pen testing, they charge a lot. So unfortunately that piece of it is pretty expensive. Do you need to do that? Well, it depends on the risk that you’re willing to take. If you’re a big, multimillion-dollar hospital organization, you probably do want to spend that kind of money. If you’re a small medical office, you may not want to do that. 


Adam
Yeah, let’s say the healthcare organization has got the compliance group on board. They’ve got a framework in place. They’ve hired a pen tester to test where they’re currently hosting their environment. And the pen testers come back saying, hey, you’ve got all these holes. What would you recommend in terms of a company that maybe has limited IT resources themselves to remediate the vulnerabilities? What would be a solution there? 


Gil
Well, if you get kind of a bad report card and you’re like, oh my gosh, I have all these problems. Yeah, I think one thing I would recommend right off the bat, if you get the report and you’re scratching your head at this whole IT mumbo-jumbo lingo that you’re not even sure about, but it has red X’s all over it, like, oh my gosh, what does this mean? And how bad is it? I would really recommend migrating your services, your technical services, to a platform in the cloud. I would get away from the office, because if you go back ten years, it used to be people were like, there’s no way I’m going to the cloud, it’s safer here. Well, that’s now flipped. By that I mean that it’s unsafe to have things in your office. It’s not nearly as safe and secured as in the cloud. You might say, well, how can that be? 


Gil
Well, the cloud and technology have advanced very fast, and the security tools available in the cloud are much better than the ones that some medical IT guy is going to be able to handle on his own. One guy or two guys versus people like Google, for example, who hire thousands of PhDs; you can’t compete with thousands of PhDs with a couple of tech guys with sneakers on the ground coming into your office. So move things to the cloud as much as you can. And what do I mean by that? Well, your phone system, your voice over IP, that could be in the cloud. Your patient texting, that’s in the cloud. Your document system, that’s in the cloud. You could use SharePoint from Microsoft, or Google Docs in Google Workspace. All of that can be pushed to the cloud. Pushed to the cloud. Pushed to the cloud. Why does that matter? 


Gil
Well, imagine you’re shrinking your footprint. Your attack surface footprint is shrinking and shrinking and shrinking. So that means the bad boys that are trying to hack in, they don’t have much to attack, because maybe you end up with hardly anything in your office at all. You have a fax machine there and that’s about it, right? Everything else, even fax, you could put in the cloud. Yeah. 


Gil
So everything you have, you should really be getting rid of it in your own office. Again, why? Because the technology available for offices, generally speaking, is going to be inferior in terms of security, not performance. You might say, oh, but I like this tool I have, it works great. We’re not talking about performance, we’re talking about security. And by the way, in the cloud, things do perform very well. It’s very fast, it’s not slow. Your accounting system: in the old days, accounting systems were also sitting at someone’s desk. Not anymore. All the accounting systems are in the cloud. So virtually everything you think of should be in the cloud. And in that way I think you’d have real peace of mind. So that would be one thing I think I would focus on right away. 


Adam
Okay, so moving to the cloud, and then, so I’m in the cloud. What next? I’m assuming that it’s not secure just by default, right? There are probably certain configurations, yeah. 


Gil
We only have so much time on this podcast, but yeah, essentially you want to pick one of the big cloud providers. So who are those? Well, there’s only the big three, right? I guess there’s four if you consider Oracle, but the big three are Microsoft Azure, and for those of you that are into Outlook or Office 365, that would be your choice. Then there’s AWS, and then there’s Google Cloud. I guess the difference is AWS doesn’t have their own document platform. By that I mean they don’t offer email, they don’t offer documents and stuff like that. That’s just Microsoft and Google. So probably those two would be better for your medical office. Then you can get the full suite of products from either one of those. 


Adam
Right. 


Gil
If you want to use their website platform, you want to use their documents and encrypted email, you have all of that there. So probably those two would be the first choice. If you’re a healthcare app developer, though, you don’t have a medical office, then which platform do you choose? Well, they’re all three pretty good, so any one of those three is probably pretty good. At HIPAA Vault, we favor Google Cloud because we feel they have an edge with their zero trust security platform; we think that gives them an edge. They’re all pretty good. 


Adam
That’s fantastic. And yeah, like you said, if you would like to dive deeper into more information about how to move to the cloud, what needs to be in place in order to move to the cloud, or if you just would like some help and expertise and advice, feel free to visit us at hipaavault.com and we can assist you there. So, Gil, thanks for that. Just to summarize a little bit: when it comes to IT budgets and how much to spend on cybersecurity, while there’s no fixed percentage or amount for cybersecurity spending, some industry experts recommend allocating between 5% to 10% of the overall IT budget to cybersecurity. And this percentage is increasing as security vulnerabilities advance in this day and age. However, this figure may vary based on the specific risk profile and the needs of your organization. Ultimately, it’s essential to strike a balance between the level of risk your business can tolerate and the resources that you have to allocate towards mitigating the risks. 


Adam
And investing in robust cybersecurity measures is crucial to protecting sensitive data, especially HIPAA data, to ensure HIPAA compliance and maintain the trust of your patients and stakeholders. So that’s it for this episode. If you have any questions, you can email us at podcast@hipaavault.com or tweet us at @HIPAAhosting. Make sure to subscribe and leave us a review if you enjoyed this episode. Until next time, thanks for stopping by.