Data breaches are becoming VERY EXPENSIVE for Healthcare Delivery Organizations directing scarce resources away from patient care
According to the IBM / Ponemon 2020 Cost of a Data Breach Report, data breaches cost businesses an average of $3.86 million per incident. The report is based on 524 companies that experienced data breaches globally. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest one ($1.12 million).
The cost of a data breach includes losses such as lost business, legal fees, and compensation & restitution to affected customers. It also includes rising cyber investigation expenses and fines for compliance failures. According to the report, there are 4 main areas that lead to this growing cost. These include:
Detection, escalation, and investigation / incident handling
Lost business with customers and partners
Notification of affected parties, partners, and regulatory authorities
Cleanup and response including the remediation of vulnerabilities that should, in retrospect, have been fixed long before the breach
These sums do not include the costs brought about by a loss of reputation, nor do they include business lost forever as a result of loss of confidence by partners and customers, some of which may have been significantly damaged as a result of the cybersecurity incident, or the failure of the attacked company to deliver according to contractual agreements during the incident.
Nor do these figures include the expanded costs of investigation and clean up of a distributed 'remote' workforce as has become common under COVID restrictions in 2020. In such cases this average cost rises to over $4 million US dollars the report concludes.
According to the study, the average time to identify and contain a breach is 280 days, 207 days to identify the problem and 73 days to contain it. This indicates that most organizations do not have effective 24/7 security operations monitoring or incident response capabilities, and that many incidents often go unnoticed till a regulator intercedes, by investigating a discovered breach of non-public data.
While cyber-forensic investigation is not cheap by any means, the greatest breach cost to businesses is lost business the reports claims, which represents about 40% of the total average cost of an overall data breach. In other words, out of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.
Most importantly however, the report points out that security breaches directly affect the company's reputation, damaging the brand and impacting acquisition and retention of business. While some consumers may be extremely fickle chasing the best deal regardless, others may be lost forever.
While all industries are affected by data breaches, the costs of a healthcare breach far exceeds other verticals. It is perhaps the combination of a rich and diverse array of data - PHI, PII, and IP, found in hospitals and clinics, and the regulatory protections enforced under law that make a healthcare breach a particularly expensive event. The industry’s breach life-cycle is also longer, averaging about 329 days compared to an average of 280 days. That leads to higher costs. At the same time, healthcare spends less on cybersecurity than most other industry verticals, and so is an easy target for cyber criminals and pariah nation states given its relative lack of preparedness.
“Healthcare is a highly regulated industry and faces a lot of compliance burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record.” claimed Charles Debeck, senior threat analyst at IBM X-Force IRIS.
While rising CEO Fraud or Business Email Compromise (BEC) accounted for 5% of malicious breaches, the average cost of a ransomware breach was a staggering $4.44 million. Though the overall cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that don’t take any precautions.
"If you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't," claimed Debeck.
“This divergence has been increasing year over year; the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren't engaging in these same practices are facing significantly higher costs,” he added.
"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," claimed Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices. "The problem is, that in healthcare, most HIPAA Covered Entities have at best, only a partial appreciation of where their PHI data resides. Most don't consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities," he added.
Read the full Ponemon Report for details.
Understanding what medical device and other assets connect to your network, what data each may host, what risks and vulnerabilities devices may be subject to, is a growing concern for healthcare executives. Being able to automate the utilization and monitoring of unmanaged HIoT devices while automatically remediating discovered security risks, is critical to securing healthcare data and the integrity of healthcare networks. For a conversation with someone to discuss how Cylera may be able to solve your HIoT security problems, please schedule a no obligation call and demo. We are happy to share what we know if it helps you to gain a better understanding of your potential risks and risk remediation options. We are all in this together after all to help ensure the security of healthcare providers, as patients, as parents, and as friends and relatives.