KPIs to Drive Healthcare Incident Response Planning
- A guide to privacy benchmarking for C-suite
- Actionable KPIs to improve incident response
- Free fill-in-the-blank benchmarking infographic
Read more below.
Healthcare Incident Response Planning
In order to make the case for increased funding, resources, and awareness around your privacy programs, you need proof to share with your stakeholders. Developing KPIs and measuring against industry benchmarks is a clear indicator of privacy program maturation. In fact, 90% of organizations report privacy metrics to the C-Suite and Boards. Your organization’s Board and C-Suite need to see clear and visible reporting around vulnerabilities and risks, and paths to improvement — this can all be done leveraging privacy benchmarks.
The need for mature privacy programs is paramount, especially as data breaches are costing the U.S. healthcare industry an estimated $6.2 billion per year. Learn more via the recent Privacy Incident Benchmarking and KPIs webinar, available on demand. Panelists — Mahmood Sher-Jan CHPC, CEO and founder RadarFirst, Jay Cline, Principal, PwC, and Michelle Wraight CISM, CRISC, Director, Global Head of Privacy Automation, BNY Mellon — share their insights about the importance of communicating with management, educating them about incidents, and gathering privacy metrics and reports.
Proof: Assessing processes and practices
With increasingly complex privacy regulations and challenges facing the healthcare industry — and as privacy regulations have expanded in both definition and scope — protecting patient health information has become increasingly challenging. Assessing your organization’s processes and practices through benchmarking can help your organization improve performance by comparing against the industry’s practices.
Benchmarking makes it easy to:
- See how you stack up against your competitors
- Identify where you can improve efficiency and effectiveness,
- Track your progress,
- Learn where there are issues or potential problems
- Assess the overall quality of your efforts
Benchmarking is especially important for the healthcare industry, with so much at stake and so many moving parts. In addition to making people well — a major undertaking! — healthcare organizations are also responsible for managing patients’ sensitive personal information and adhering to strict (and enforceable) data security and privacy regulations; each with potentially severe penalties.
Actionable KPIs to improve incident response
Besides providing useful benchmarks for privacy teams to measure against, the 2021 Privacy Incident Benchmark Report yields some surprising facts and helpful best practices that illustrate the value of a data-driven approach to privacy. For the latest insights in incident response and how you stack up in the industry, download the report today.
From data that informs the basics of operational improvement to risk mitigation and emergency preparedness, here are the metrics you can capture to improve and mature your privacy program, and share with the higher-ups:
- The average number of incidents. This is your total number of incidents logged.
- The number of incidents by cause (malicious, non-malicious, unintentional). You’ll see that in healthcare, the vast majority of incidents were unintentional in 2020, at 95.18%. For the latest insights about how you stack up in the industry, download the 2021 Privacy Incident Benchmark Report.
- The number of breaches. Did you know that in 2020, a whopping 93.51% of data breaches were not notifiable, compared to only 6.49% that were? Many people jump to the conclusion that notification is required for every incident. Not so. RadarFirst’s Radar enables you to make the right notification decisions, with a built-in breach guidance engine that helps you make intelligent notification decisions.
- The average number of affected individuals per incident. This is the buckets of individuals affected multiplied by the percentage of incidents that fall within the buckets. Radar metadata indicates that 90.33% of incidents affected only one person, with less than one percent affecting 100 or more individuals.
- Incidents by type (paper, electronic, verbal/visual). The majority of privacy incidents in healthcare are electronic, yet paper-based incidents are still significant. We found that 21,453 of incidents in healthcare were electronic-based in 2020 and 8,906 were paper-based; this is based on aggregated statistics from our intelligent response management platform.
- Percentage of incidents caused by third parties. Our findings show that out of assessed incidents, the percentages of incidents that were from internal vs. external sources are about the same: 93.69% vs. 94.44%, respectively.
- Timeline from detection to risk assessment. In the healthcare industry, did you know that it took an average of 426.3 hours from the discovery of the incident to assessment?
- Timeline from risk assessment to notification. It took an average of 171.7 hours from the time of the incident assessment to the first notification, based on our findings.
- Your Board wants the data. Imagine if you could easily gather metrics that outline your organization’s privacy risks, incident risks (low, medium, high), and incident response timelines. Once again, we look at our findings; in healthcare, 85.12% of privacy incidents were assessed as a low risk in our intelligent response management platform.
Using what you’ve learned from industry benchmarks you can now begin to compare the growth of your business processes against your own internal data. To make a case for how Privacy can reduce business costs, promote efficiency, and build ROI, download our fill-in-the-blank benchmark report and access privacy maturity 301 resources to take your program to the next level.
You might also be interested in:
Topics: Benchmarking Series