I’ve been asked multiple times why I don’t use the Ponemon Institute studies on data breaches in my education or blogs. The answer is both simple and complex. In short, the Ponemon studies report a single average cost per record, and that figure does not scale down to a small office such as yours. In fact, according to Verizon, which has run its own breach study for the last eight years, “the cost per record is not constant and is inversely related to the number of records.
That means small breaches could have costs that skyrocket into tens of thousands of dollars per record, while very large breaches (millions of records) will have their cost per record drop down to just pennies per record. Therefore, any simple cost per record estimate will greatly underestimate the costs of small breaches and grossly overstate the losses from larger breaches.”
Remember: HIPAA is written to apply both to multi-state hospital chains and to solo doctor practices such as yours. The risks you face are in some ways similar to, and in other ways very different from, those of a larger organization. That doesn’t make them any less important to address, but it does mean you have less time and money to spend on compliance, and you need someone with experience to properly vet vendors and identify all of your risks.