Thursday, February 21, 2019

Healthcare Takes Around 350 Days to Identify, Contain Data Breach

As someone who works in the healthcare industry (in a few roles) I tend to expect a lot from my peers and the companies I rely on.  Needless to say I was disappointed when I read that my industry was the second slowest in identifying and containing data breaches, behind only the entertainment industry.
From a personal standpoint, I find that embarrassing and, quite honestly, sad.  However, this may be at least partly due to the fact that the costs associated with healthcare related breaches are among the highest in IT circles.  The cost of a data breach in healthcare, according to IBM and the Ponemon Institute, is a jarring $408 per record, which is the highest of any industry for the 8th straight year and three times higher than the cross-industry average of $148 per record.
I’d speculate that much of that is due to the sheer amount of data that is contained in a healthcare record.  It’s not just a credit card number and perhaps an address.  They contain almost all of the data necessary to pull off a clean and easy identity theft.  That’s one of the biggest reasons the federal government is so concerned about data security in the healthcare field.
I feel the other factor is how well the data is guarded and the level of those protecting it.  In large institutions such as hospitals, there is a highly trained and supported IT department, but in a private practice situation such as mine, we rely on small IT security contractors who are not onsite and are not watching the security profile at all times.  Without divulging any info that might compromise my situation, I feel that I am as well protected as possible for a small office, but I do not have a team of dedicated professionals who are onsite and watching my traffic 24/7 and 365.25.
I found a terrific article by Fred Donovan that does a great job of detailing this entire situation and the risks involved.  I feel that anyone in a small healthcare setting should give this a read.

The healthcare industry had the second highest number of days to identify and contain a data breach, around 350 days, according to a recent study by The Ponemon Institute and IBM.

The healthcare industry was second only to the entertainment industry, which took 367 days. Financial services had the fewest number of days to identify and contain a data breach, 217 days.

Financial services had the highest frequency of data breaches, followed by services, and industrial and manufacturing. Healthcare was well down the list of industries in terms of frequency of data breaches.

The study also found organizations that use proactive data recovery planning decreased the cost and frequency of data breaches by more than 30 percent.

The study found that the longer it takes to identify, contain, and recover from a data breach, the more it consumes significant time, money, and resources.

On average, companies that have business continuity management (BCM) programs saved 44 days in the identification of a data breach, 38 days in the containment of a data breach, and 31 days in recovery from a data breach.

In addition, organizations with BCM programs had a $9.3 reduction in per capita cost of data breach, 6.5 percent reduction in the per capita cost of data breach, and a 32 percent decrease in the likelihood of a data breach over the next 2 years.

Sixty percent of the study participants who have a disaster recovery program currently use automation and/or orchestration. These organizations have been able to reduce the mean time to identify, contain and recover from a data breach by more than 30 percent; reduce the average daily cost of a data breach by more than half; reduce the chance of disruption to material business operations by more than 20 percent, and reduce the likelihood of a data breach recurring by more than 30 percent.

“Our research over the last few years continues to confirm that the proactive steps business leaders and organizations are taking to protect and recover critical data are working,” said Ponemon Institute Chairman and Founder Larry Ponemon. “These actions can improve the bottom line, make businesses more efficient, and give customers more confidence to entrust the enterprise with their data.”

This study is a follow-up to the Cost of a Data Breach study that Ponemon and IBM released earlier this year. That study found that healthcare data breach costs average $408 per record, the highest of any industry for the eighth straight year and three times higher than the cross-industry average of $148 per record. Last year, the average cost was $380 per record for a healthcare data breach.

The average cost of a data breach across industries and countries is $3.86 million, a 6.4 percent increase from 2017 and a nearly 10 percent net increase over the past five years.

The IBM-Ponemon study compared the cost of data breaches in different industries and regions. It found that data breaches are the costliest in the United States and the Middle East, and least costly in Brazil and India.

One factor affecting data breach cost in the United States was the cost of lost business, which was $4.2 million, more than double the amount of “lost business costs” compared to any other region surveyed.

The study found that hidden costs in data breaches are difficult and expensive to manage. Based on interviews with nearly 500 companies that experienced a data breach, the study analyzed hundreds of cost factors surrounding a breach, from technical investigations and recovery, to notifications, legal and regulatory activities, and cost of lost business and reputation.

For mega breaches, the biggest expense category was costs associated with lost business, which the report estimated at nearly $118 million for breaches of 50 million records, almost a third of the total cost of a breach this size.
If you would like to view the article in its native form, here is the link.  