Why data breaches are increasing, and 6 ways companies can avoid them


Organizations that mishandle patient data pay dearly for it — in fines, and even more damaging, with their reputations. In the EU last year, the biggest fines for violations of the General Data Protection Regulation (GDPR) added up to €821.54 million, including Meta Platforms, Inc. paying €405 million for processing the personal data of child users on its Instagram platform. In the U.S. last year, companies paid $2.17 million for violations of the Health Insurance Portability & Accountability Act (HIPAA).

The new year started the same way, with data breaches costing big: in January, Scripps Health settled for $3.57 million over a 2021 breach affecting 1.2 million patients; CommonSpirit Health was hit with a class action lawsuit over a ransomware attack and data breach; and Insulet reported a breach that may have compromised the health data of 29,000 users of its Omnipod Dash insulin pumps.

Just last month, BD posted a cybersecurity bulletin about a vulnerability in its Alaris Infusion Central software that could cost the company $244 million, while Banner Health settled with the U.S. Dept. of Health & Human Services’ Office for Civil Rights (OCR) over a 2016 breach that exposed some 3 million patients' data.

Although these examples differ in their particulars, at root they share a single cause: the failure to consider privacy and data protection from the earliest product design stage.

Privacy by design

There’s a difference between privacy and security. Let’s say I offered to build you a house in the middle of New York City, that’s totally secure from thieves, free of charge. You’d live there, right? But let’s say that the house is built of glass – it’s totally transparent. Don’t unpack your bags, because there’s no way you’d ever live without privacy, regardless of how secure the environment is.

Security can exist without privacy, but privacy can’t exist without security. The most robust policies are just pieces of paper if there are no protection mechanisms in place, and with serious consequences at risk, it’s important to lay the privacy groundwork early.

Here are 6 ways for companies to avoid costly, damaging data breaches:

  1. Ensure that privacy is part of the design of the entire business line, as a default. When beginning the design process for a product, be sure to consider which regulations apply to the data that would be collected and design systems accordingly to enforce those policies.
  2. Design technical controls to make data safer. Controls such as data obfuscation – masking data to de-identify it – and a decentralized architecture of microservers ensure that data stays protected even in the event of a breach. Localize data where possible.
  3. Plan for the long term. Make sure to consider what happens to the data over the long term – what consents and agreements do you have before you archive data or purge it from your system, and how is that done? How do you on-board and off-board patients? Answering these questions early can forestall lots of grief later.
  4. Compliance requires a team approach. Securing the product across its end-to-end lifecycle necessitates that privacy, security and regulatory teams act in concert from the start. It’s impossible to effectively reverse-engineer privacy into a product after a breach.
  5. Ongoing compliance means staying current. The regulatory landscape is constantly evolving, so it’s crucial to keep up to date on changes that affect your product.
  6. Buy vs. build. Creating a digital solution entails meeting the regulatory requirements for ensuring patient data privacy and security. Companies can share that risk by working with a third-party vendor with a proven track record of safely managing data and ensuring compliance over the product’s entire lifecycle.
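As an added illustration of the de-identification control in point 2 (example code written for this post, not from any of the companies named above), the following Python de-identifies a constructed patient record so that a breached analytics copy reveals no direct identifier: the medical record number is replaced by a keyed pseudonym (the HMAC key is assumed to live in a separate secrets store), names and e-mail addresses are dropped, and dates and ZIP codes are generalized in the style of the HIPAA Safe Harbor method.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record for illustration; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "MRN-000123",
    "name": "Jane Doe",
    "dob": "1951-07-14",
    "zip": "02139",
    "email": "jane.doe@example.org",
    "diagnosis": "Type 1 diabetes",
}
# Direct identifiers that never leave the source system.
DIRECT_IDENTIFIERS = {"name", "email", "patient_id", "dob", "zip"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC (assumed: key held in a secrets store, not with the data),
    so rows stay linkable for analytics without revealing the real MRN."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record: dict, key: bytes, today: date) -> dict:
    """Produce a copy that is useful for analytics but reveals no direct
    identifier even if the analytics store itself is breached."""
    born = date.fromisoformat(record["dob"])
    out = {
        "pseudo_id": pseudonymize(record["patient_id"], key),
        # Safe Harbor keeps only the first three ZIP digits (simplified here:
        # the rule also zeroes prefixes covering fewer than 20,000 people).
        "zip3": record["zip"][:3] + "00",
        "diagnosis": record["diagnosis"],
    }
    # Safe Harbor: dates reduced to the year, and ages of 90 and over
    # collapsed into one band with the birth year dropped as well.
    if age_on(born, today) >= 90:
        out["age_band"] = "90+"
    else:
        out["birth_year"] = born.year
    assert not DIRECT_IDENTIFIERS & out.keys()  # fail closed on leakage
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, b"demo-key-not-for-production", date(2023, 3, 9)))
```

The pseudonym is only as strong as the secrecy of the key, so the key must be managed and rotated separately from the de-identified data set.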

Originally published at Nasdaq.com.
