The cost of a data breach
Complicated Medicare, Medicaid, and private insurer reimbursement rules can easily throw a hospital for a loop and leave it running dangerously low on revenue. An organization’s leaders know they must work better and smarter and make strategic investments that will pay off in savings, while privacy and security officers may sometimes struggle to make the connection between their concerns and those of leadership.
But sound information security programs act as a kind of insurance: money spent up front to protect against an even greater financial loss down the road. Getting that message across can be challenging, but may transform the way an organization approaches information security.
Getting the numbers
Prevention is better than a cure, but privacy and security officers will be expected to back up conventional wisdom with hard numbers. So just how much does a data breach cost on average? The answer depends on the industry, according to the Ponemon Institute’s 2016 Cost of Data Breach Study: Global Analysis (www-03.ibm.com/security/data-breach). The study, sponsored by IBM Security, tracks and analyzes data breach costs and mitigation factors in industries around the world. The average per record cost of a data breach is $ 158 in the U.S., but in the healthcare industry that cost is more than double that at $ 355 per record. That can add up quickly if an organization experiences multiple breaches a year.
Several factors play into the higher costs seen in the healthcare industry, Diana Kelley, executive security advisor at IBM Security, says. Highly regulated industries such as healthcare typically see higher costs for breaches in a combination of fines and administrative costs.
"Whenever there’s a fine coming into play, that could lift up the total cost of recovery post-breach because in addition to all of the work you have to do to eradicate the threat, help your customers, and deal with the cleanup and recovery, you have to pay these fines," she says.
A surprising factor driving breach costs is the cost of breach notification. At more than half a million dollars, the U.S. has higher breach notification costs than any of the other countries in the 2016 Ponemon survey. The U.S. has strong data breach notification laws, Kelley says, and there are both federal and state breach notification laws that organizations must comply with.
What drives that cost? Simply the price of first class postage can quickly add up when breach notification letters must be mailed to hundreds or even thousands of affected patients, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says. In fact, the rising cost of postage is one way state and federal governments hope to encourage organizations to spend money on prevention rather than remediation.
"The threat of such costs is intended to be a deterrent to lax security and to spur healthcare organizations to do their best to avoid breaches," Borten says. "Some breaches are not avoidable, but many or most are with better, yet still reasonable, security."
Some organizations may only look at fines when calculating how much a breach could cost, but by overlooking the seemingly smaller costs of a breach they may be missing the bigger picture. Breach notification is only one of the smaller individual and indirect costs of a breach that can add up to significant losses. Legal fees, security forensics, and any necessary security replacements or upgrades are only some of the indirect costs. Indirect costs may not be immediately apparent but they hit an organization’s bottom line all the same, Borten says.
"The indirect costs of a breach are probably not well understood by many healthcare organizations, especially smaller organizations that don’t have a good grasp of the Breach Notification Rule and a comprehensive incident response program," she says.
The value of a medical record
Information security may not be a traditionally strong point for some healthcare organizations. Previously, financial and retail organizations were hot targets for hackers after identity and financial information, but healthcare is quickly overtaking those industries. In comparison to the financial industry, healthcare isn’t known for strong security, Borten says.
"One reason is that organizations have been slow to recognize the value of their data. After all, it’s not like money in a bank account or credit card details that can be used for financial identity theft," she says. "Ironically, healthcare data now has a much higher street value than credit card information."
Healthcare organizations are in a unique position because of the amount of data they hold. A retail organization like Target, which experienced a massive data breach in 2013, likely only stores payment card information and mailing addresses, but most healthcare organizations also store insurance information along with sensitive details of an individual’s health. A 2015 survey by the Ponemon Institute and the Medical Identity Fraud Alliance (MIFA), the Fifth Annual Study on Medical Identity Theft, found that more than two million adults were the victim of medical identity theft and fraud in 2014 and according to Ann Patterson, senior vice president and program director of MIFA, that number will only go up.
That prediction may be supported by some of the biggest breaches this year. In July, a hacker offered millions of patient records for sale and posted samples of the records, showing names, contact information, and Social Security numbers, so interested buyers could verify the records. Other incidents this year have seen hackers offering similar teasers. Some of that data is bound to fall into the wrong hands and be used for financial and medical identity theft. Medical identity theft can cost an individual more than $ 13,000 on average, according to the 2015 MIFA/Ponemon survey, but healthcare organizations inevitably wind up absorbing some of the cost in bad debt. (For more on medical identity theft, see the July and August issues of BOH.)
Timing and teamwork saves money
The 2016 Ponemon study drew a link between the cost of a data breach and the time and manner in which an organization responds to the breach. The longer it takes an organization to detect a breach, the more it costs—approximately $ 1 million more per incident, the survey shows. The average overall cost of a breach that took a mean time to identify of less than 100 days was $ 3.2 million, while those that took more than 100 days to be identified cost an average of $ 4.38 million. The time it takes an organization to contain a breach also impacts the overall cost, according to the study.
Having a security incident response team in place lowered the costs. An organized, planned team can act quickly to identify, contain, and remediate breaches, key factors in keeping breach costs down, Kelley says. And that can give a clear picture of the actual return on investment for security in terms that the C-suite will easily understand. "If you’re trying to argue for incident response and building out the incident response plan or growing that team, here’s some real dollar value that you could tie to what the return on investment could be," she says.
Participation in threat sharing also showed a clear win for organizations. Threat sharing can give organizations a heads up on the latest and most common threats and help them make smart security investments and strategic threat reduction measures.
"This is becoming very important in healthcare as it is in all industries," Kelley says. "The attackers are very organized and collaborative: they’re sharing data, they’re sharing their tips and tricks with each other so they can get data more effectively."
If information sharing is winning for the bad guys, it can do the same for the good guys, she adds. Cyber threats shift quickly, making real-time or near-real-time information crucial. Organizations can share information on threats, like suspicious websites and server addresses that launch phishing attacks, and tips on shutting them down. But some may hesitate to engage in information sharing out of concern that it may expose sensitive business and security information.
An IBM study released in February looked at the C-suite’s attitudes and actions on cybersecurity (www-03.ibm.com/press/us/en/pressrelease/49100.wss). More than half (53%) of respondents agreed that information sharing between organizations is important for cybersecurity, yet 68% said they were unwilling to do so. It’s not surprising that chief executive officers would be uncomfortable sharing information with rival organizations but it can be done without disclosing sensitive data, Kelley says.
"Nobody wants to give away the keys to the kingdom, and if you’ve been breached you don’t want to show everybody where you went wrong and how you went wrong," she says. "That’s not the kind of information sharing that we need to do to succeed. What we really need to share is what the bad guys are doing."
An organization doesn’t need to discuss its intellectual property, specific security controls, or other corporate secrets. The information an organization should share could be the general content of a phishing email, the IP address it was sent from, and the type of malware attached. This allows cybersecurity researchers and experts to create protections and update anti-malware and anti-virus software.
And as stakeholders and the Office of the National Coordinator of Health IT continue to push for interoperability, doing your part to ensure other organizations steer clear of hackers and malware could become even more important. "I think the more we tie systems together and we share with our partners, there are a couple things we can do. One of those is sharing information about threats," Kelley says.
No one likes to hear that their personal data has been breached, but how that dissatisfaction plays into the cost of a breach isn’t clear. According to the 2016 Ponemon study, the healthcare industry is the second most vulnerable to what it calls "churn"—a sharp drop in customers following a data breach. This may surprise those who assume healthcare is relatively immune to consumer pressure, but it’s supported by other trends that see healthcare becoming consumer-driven. It might also offer a clue as to how strongly some patients feel about breaches of PHI. It’s relatively simple to change banks, but changing healthcare insurers or providers is a more complicated process that takes more motivation, Kelley says.
"What’s it cost you to go from one bank to another bank if you don’t like their practices or they suffered a major breach?" she says. "Healthcare, it’s a little bit more difficult, but there’s still a level of choice and healthcare is very personal for people."
But privacy and security officers might want to rely on something other than consumer pressure to make the case for better security, Borten says. Often, patients simply have no better alternative and can’t switch providers or insurers if they’re unhappy over a data breach. And those who do switch may find themselves back in the same system after a few years.
"The reality is more complicated," she says. "As seen in some of the big retail breaches, after some initial falloff, customers come back in full force. In healthcare, some patients may not have other options: they may be locked in to a given provider by their health plan, or they may stay with an organization after a breach because they have long-established relationships they do not want to give up."
Another recent study on the cost of data breaches by RAND raises questions about how the cost of a breach measures up against other financial risks organizations face. The RAND study, published in the Journal of Cybersecurity (http://cybersecurity.oxfordjournals.org/content/early/2016/08/08/cybsec.tyw001), found that the average cost of a data breach is roughly equal to an organization’s average IT budget, which is itself only 0.04% of an organization’s estimated revenue. The study authors suggest that public concerns about data breaches don’t match up with the relatively modest financial impact on organizations. Organizations, like individuals, are often motivated by self-interest and will not spend on risks that don’t have a significant impact on them; expecting them to act otherwise is not realistic, the study argues.
While that may in fact be the attitude of some executives when faced with competing demands and costs, the study leaves some significant questions unanswered. Bad debt is identified by the RAND study as the top financial risk for healthcare organizations, but data breaches can add to that cost. Victims of medical identity theft may be hit with thousands of dollars in medical expenses someone else racked up under their name. These fraudulent bills often wind up adding to an organization’s bad debt. Bad debt may often be a problem an organization can’t control, but by reducing data breaches, an organization can cut its risk of bad debt caused by medical identity theft.