Healthcare delivery organizations are forced to divert scarce resources away from patient care because of expensive data breaches.
According to the IBM/Ponemon 2020 Cost of a Data Breach Report, data breaches cost organizations an average of $3.86 million per incident. The report is based on 524 organizations worldwide that experienced a data breach. Unsurprisingly, the U.S. continues to have the highest average cost per breach ($8.64 million), while Brazil has the lowest ($1.12 million).
The cost of a data breach includes expenses such as lost business, legal fees, and compensation and restitution to affected customers. It also includes rising cyber-investigation expenses and fines for compliance failures. According to the report, four main cost areas drive this growing total:
- Detection, escalation, and investigation/incident handling
- Lost business with customers and partners
- Notification of affected parties, partners, and regulatory authorities
- Post-breach cleanup and response, including the remediation of vulnerabilities that should have been fixed long before the breach
While incident handling and cyber-forensic investigation are not cheap by any means, the greatest breach cost to businesses is immediate lost business, the report claims, which represents about 40% of the total average cost of a data breach. In other words, of the average $3.86 million that a breach costs, around $1.5 million is linked to loss of revenue and customers.
These figures also do not reflect the expanded costs of investigating and cleaning up a breach across a distributed, remote workforce, as has become common under COVID restrictions in 2020. For organizations with a remote workforce, the report concludes, the average cost rises to over $4 million.
Most importantly, however, the report points out that security breaches directly affect a company's reputation, damaging the brand and impacting the acquisition and retention of business. While some consumers are extremely fickle and chase the best deal regardless, others may be lost forever. The loss of client confidence can stem from the damage done by the cybersecurity incident itself, or from the attacked company's failure to deliver on contractual agreements during the incident.
According to the study, the average time needed to identify and contain a breach is 280 days: 207 days to identify the problem and 73 days to contain it. This suggests that most organizations lack effective security operations monitoring and incident response capabilities, and that many incidents go unnoticed until a regulator intercedes by investigating a discovered breach of non-public data.
While all industries are affected by data breaches, the costs of a healthcare breach far exceed those of other verticals. It is perhaps the combination of a rich and diverse array of data (PHI, PII, and IP) found in hospitals and clinics, together with the regulatory protections enforced under law, that makes a healthcare breach a particularly expensive event. The industry's breach life cycle is also longer, averaging about 329 days compared to the cross-industry average of 280 days, and a longer life cycle leads to higher costs. Compounding the issue, healthcare spends less on cybersecurity than most other industry verticals. It is therefore an easy target for cyber criminals and pariah nation states, given its relative lack of preparedness, old tools, and generalist security staff.
“Healthcare is a highly regulated industry and faces a lot of compliance burdens when it comes to remediation of a breach, and there are a lot of additional costs with medical records compared to other types of record,” said Charles Debeck, senior threat analyst at IBM X-Force IRIS.
Business Email Compromise (BEC), also known as CEO fraud, accounted for 5% of malicious breaches, and the average cost of a ransomware breach was a staggering $4.44 million. Though the overall cost of a breach is relatively unchanged from 2019, IBM says the costs are getting smaller for prepared companies and much larger for those that do not take any precautions.
“If you dig deeper into the data what we saw was an increasing divergence between organizations that took effective cybersecurity precautions versus organizations that didn't [...] the organizations that are engaging in effective cybersecurity practices are seeing significantly reduced costs, the organizations that aren't engaging in these same practices are facing significantly higher costs,” said Debeck.
The problem is that most HIPAA Covered Entities have, at best, only a partial appreciation of where their PHI resides. Most do not consider the thousands of medical devices on their networks, or what data resides on each of those devices. Now that HIoT devices outnumber IT endpoints such as workstations, laptops, and servers, healthcare IT and security teams are often looking in the wrong places for risks and vulnerabilities.
"Given the massive size of recent GDPR fines, OCR penalties, and state breach rules, most of which are not reported in time, it undoubtedly makes a lot more sense to invest in security up front, rather than to throw the dice and take a chance that it won't be you that gets hit with a cyber incident," said Richard Staynings, Chief Security Strategist with Cylera, a pioneer in the security of medical and HIoT devices.
Read the full Ponemon Report for details.
How can Cylera Help?
Understanding which medical devices and other assets connect to your network, what data each may host, and what risks and vulnerabilities those devices carry is a growing concern for healthcare executives. Being able to automate the discovery, inventory, and monitoring of unmanaged HIoT devices, while automatically remediating discovered security risks, is critical to securing healthcare data and the integrity of healthcare networks.
To discuss how Cylera may be able to solve your HIoT security problems, please schedule a no-obligation call and demo. We are happy to share what we know if it helps you gain a better understanding of your potential risks and your risk remediation options. We are all in this together, after all, to help ensure the security of healthcare providers, as patients, as parents, and as friends and relatives.