A new study released on May 7, 2015, by the Ponemon Institute revealed that criminal cyberattacks on health care organizations were the most prevalent cause of data breaches in 2014.  The report underscores the need to think “beyond HIPAA” and to prepare accordingly to address the risks of data breaches, which more than 90 percent of health care organizations experienced last year.

The Institute estimates that data breaches cost the health care industry $6 billion in 2014, or more than $2 million per organization.  In the event of a cyberattack, liability for directors and officers of companies could arise, especially if they did not engage in adequate preparedness activities.

Cyberattacks also represent a critical, high-stakes risk for companies’ reputations—a harm that is typically not covered by insurance. The majority of organizations do not believe that their incident response plans have adequate funding and resources, and the majority fail to perform certain kinds of risk assessments.

The report makes it clear that health care breaches are on the rise, and there is significant room for improvement when preparing to avoid an otherwise inevitable breach. Companies should consider the following six key elements of an effective cybersecurity risk management program:

1. Understand what health care data are targeted and evaluate health care-specific risks.

2. Know where your data reside.

3. Ensure that security protections reviewed by regulators meet or exceed industry standards.

4. Identify third parties with access to your data, limit access scope, and address privacy and data security risks through careful contracting.

5. Mitigate risks where possible.

6. Establish and test your incident response plan with outside counsel.