Organizations that mishandle patient data pay dearly for it, in fines and, more damaging still, in reputation. In the EU last year, the biggest fines for violations of the General Data Protection Regulation (GDPR) added up to €821.54 million, including Meta Platforms, Inc. paying €405 million for processing the personal data of child users on its Instagram platform. In the U.S. last year, companies paid $2.17 million for violations of the Health Insurance Portability and Accountability Act (HIPAA).
The new year started the same way, with data breaches costing big: in January, Scripps Health settled for $3.57 million over a 2021 breach affecting 1.2 million patients; CommonSpirit Health was hit with a class action lawsuit over a ransomware attack and data breach; and Insulet reported a breach that may have compromised the health data of 29,000 users of its Omnipod Dash insulin pumps.
Just last month, BD posted a cybersecurity bulletin about a vulnerability in its Alaris Infusion Central software that could cost the company $244 million, while Banner Health settled with the U.S. Dept. of Health & Human Services’ Office for Civil Rights (OCR) over a 2016 breach that exposed some 3 million patients' data.
Although these examples differ in their particulars, at root they share a single cause: the failure to consider privacy and data protection from the earliest product design stage.
There’s a difference between privacy and security. Let’s say I offered to build you a house in the middle of New York City that’s totally secure from thieves, free of charge. You’d live there, right? But let’s say that the house is built of glass: it’s totally transparent. Don’t unpack your bags, because there’s no way you’d ever live without privacy, regardless of how secure the environment is.
Security can exist without privacy, but privacy can’t exist without security. The most robust policies are just pieces of paper if there are no protection mechanisms in place to enforce them, and with consequences this serious, it’s important to lay the privacy groundwork early.
Originally published at Nasdaq.com.