Healthcare Privacy and Security Spending Thought Experiment!

(This article was originally posted on June 8, 2024, in my "Enabling Board Cyber Oversight?" blog series as "Healthcare Privacy and Security Spending Mind Experiment!")

Introduction

In a recent post entitled "Heads Up! Massive Increase in Proposed FY2025 OCR Budget: Focus on HIPAA Enforcement and Risk Management", I wrote about the "whopping" proposed increase in the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) 2025 budget. "Massive" and "whopping" are a bit of a joke given the small amounts involved: an increase of $17 million from the FY2024 final budget. $17 million is a rounding error when considering the approximately $5 TRILLION spent on healthcare per annum in the U.S.

Most Cyber Attacked, Least Cyber Resilient, Woefully Underfunded Sector

Notwithstanding attack after attack, response failure after response failure, and what must amount to far more patient harm than is being reported, most healthcare and public health critical infrastructure organizations continue to underfund their privacy, security, and cyber risk management programs.

Spending Thought Experiment

Can we eke out of that $5 TRILLION (~20% of U.S. gross domestic product) a bit of money for privacy, security, compliance, and cyber risk management?

I think so. Try this thought exercise with me…

First, some data:

  • According to a recent WSJ article, the U.S.'s per capita spending on healthcare is $12,555.30, more than any other country in the world; it beats the paltry $8,049.10 spent by the Swiss.
  • The U.S. Census Bureau estimates the population of the United States to be 335,893,238 on January 1, 2024.
  • DHHS has been fighting fraud, waste, and abuse (FWA) in healthcare for years. Some estimates are as high as 30% to 40% of our yearly healthcare spending.

Whether sourced from FWA or from rationalizing our seemingly out-of-control per capita costs, what if we could redirect dollars ($$$) to privacy, security, compliance, and enterprise cyber risk management?

  • Find and redirect $1.00 from $12,555.30 => Boom! $335,893,238 per year!
  • Find and redirect $10.00 from $12,555.30 => BOOM! $3,358,932,800 per year!
  • Find and redirect $100.00 from $12,555.30 => BOOMIE! $33,589,323,800 per year!

Conclusion: Actions to Take Now

Remember, I described it as a thought experiment. Of course, there's no practical way to wave our hands and capture that $1, $10, or $100 across the healthcare ecosystem.

Without discouraging anyone from going after that $1, $10, or $100, there are several actions we can take to better fund our cyber risk management efforts.

The educational content and actions recommended in Chapter 8, "Fund Your Enterprise Cyber Risk Management (ECRM) Program," in Stop the Cyber Bleeding are worth reviewing. Pick up a copy of Stop the Cyber Bleeding today.

Sally Jones-McNamara

Senior Healthcare Compliance & Operations Consultant

5 months

Excellent!!
