September 19, 2016 | Michael Janeiro
Experts in the field of cybersecurity insist the world is in the midst of a cybercrime era. Nobody knows when or even if this era will diminish to the point where it’s not a challenge to the day-to-day operations of every business, government agency, nonprofit organization, and institution.
What is generally agreed upon is that trying to prevent data breaches, and ultimately dealing with their aftermath, are now standard costs of doing business.
No matter whose study you review on the risks to your organization’s Personally Identifiable Information (PII) and Protected Health Information (PHI), the results show an increased risk of breaches related to hacking and an increased cost to remedy the consequences of data breaches.
A $4 million problem
The recently released 2016 Cost of Data Breach study found that the average consolidated total cost of a data breach is $4 million. The 11th annual edition of the study sponsored by IBM Security and conducted by Ponemon Institute also found that the average cost incurred on each lost or stolen record containing sensitive and confidential information is $158.
In addition, there is a 26 percent likelihood of a company or organization experiencing a data breach involving at least 10,000 records in the next 24 months.
In healthcare, a $6 million problem
The statistics are even more alarming when it comes to healthcare-specific data.
According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, about 90 percent of healthcare organizations represented in the study experienced a data breach in the past two years. About 45 percent suffered more than five breaches in the same period.
The study also estimated that the healthcare industry is shelling out $6.2 billion a year to pay the various costs related to data breaches. On average, covered entities are paying $2.2 million as the result of breaches, while their business associates and third parties have to pay $1 million on average for their role in healthcare-related breaches.
Those costs include lost business, fines from regulators, investigating the cause of the breach, and restitution to affected consumers.
Criminal attacks — most notably ransomware, malware, and denial-of-service (DoS) attacks — account for about half of healthcare data breaches.
It’s not just large regional hospital organizations and health insurance companies that are falling victim.
Go to the so-called “Wall of Shame” website run by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and you’ll find plenty of local dentist practices, chiropractic centers, and independently owned pharmacies that suffered data breaches potentially affecting a few hundred or a few thousand patient records.
The HHS Breach Notification Rule requires healthcare providers to promptly notify the agency, affected individuals, and in some cases the media when a loss, theft, or breach of PHI affects at least 500 individuals. All such reports are then listed on the OCR’s Breach Portal.
One analysis of the OCR website found 253 such breaches in 2015 that compromised a total of 112 million records. In addition, about one in five of last year’s healthcare breaches fell into the category of “hacking/IT incident,” including 9 of the top 10 breaches reported.
Why is healthcare data so sought after by hackers? According to some reports, each individual healthcare record is worth $10 in the criminal market, or up to 20 times more than a stolen credit card number. Other estimates place the value between $20 and $70.
While that may not seem like much to commit a crime for, consider how much 5,000 healthcare records are worth at, say, $15 a record: $75,000. Target an easy-to-breach entity and that’s $75,000 with minimal effort.
How to minimize risk and cost of breaches
Among the lessons the Ponemon Institute shared in its recent report were ways companies can both minimize the risk and cost of suffering a data breach.
Data loss prevention controls and activities cited in the study include encryption, endpoint security solutions, and participation in a threat intelligence sharing platform to research security threats, aggregate intelligence, and collaborate with peers.
Data governance initiatives that can potentially reduce the cost of a data breach include incident response plans, appointment of a Chief Information Security Officer, employee training and awareness programs, and a business continuity management strategy.