[INFOGRAPHIC] Understanding the True Cost of a Data Breach for Healthcare

Netgain | Cybersecurity & Compliance, Healthcare IT

Doesn’t it feel like every time you go online, there’s another data breach, another practice has been hacked or another cyberattack is holding patient data hostage?

Many administrators think it can never happen to their practice, but the numbers speak for themselves. Nine out of 10 hospitals have had a data breach in the last two years. Nine out of 10! Still think it can’t happen to your healthcare organization?

The costs incurred by a practice as a result of a data breach are extensive, from costs like forensics and breach notifications to lawsuits and HIPAA settlement fines.

Below, we take a look at the real cost of a data breach to give you the full picture of just how expensive these events can be. We go into the sources of breach, the average direct costs involved and the often-overlooked indirect costs.

The infographic below shows that insider error or wrongdoing is one of the primary causes of a data breach, so we’re doing what we can to help protect our clients and colleagues against data breaches caused by cybersecurity threats. In the last few months alone, we’ve featured blogs on the KRACK Wi-Fi attack, the Petya ransomware attack, and the WannaCry malware infestation. And, in October, we dedicated a whole month to cybersecurity education with blogs about the importance of a cybersecurity plan, how to protect yourself against a ransomware attack, and what to look for in a cybersecurity partner.

If you think conducting an annual security analysis is expensive, compare it to the cost of a data breach. Healthcare organizations spend an average of $380 per breached record.

The cost of a healthcare breach is over double that of other industries. Medical records are incredibly valuable to hackers because the data (names, addresses, social security numbers, medical history, insurance information, etc.) is not easily changed, unlike a payment card number that can be cancelled and reissued.

Each year the healthcare industry spends over $6.2 billion on data breaches.

In 2016, cybersecurity attacks hit 87% of organizations. These attacks were successful because of insider error or wrongdoing (41%) and cybersecurity threats like hacking, malware and ransomware (32%).

So, what factors decrease (or increase) the cost of a breach?

  • Decrease
    • Insurance protection
    • Appointed Chief Information Security Officer (CISO)
    • Extensive use of encryption
  • Increase
    • Rushing to notify affected patients
    • Lost or stolen devices
    • Extensive use of mobile platforms
    • Compliance failures

Breaches come from various sources and range in the number of records breached.

Medical Oncology Hematology Consultants encountered a cyberattack that breached 19,203 records. St. Mark’s Surgery Center experienced a ransomware attack that prevented the practice from accessing 33,877 patient records. Lifespan had a laptop stolen that exposed the sensitive information of 20,000 patient records. HealthNow Networks erroneously uploaded a backup database to the internet that exposed 918,000 patient records.

The average breach costs an organization $3.6 million. Here’s how those costs break down:

  • Forensics: $610,000 (compliance personnel and auditors to detail what and how much data was breached)
  • Breach Notification costs: $560,000 (reporting information to media, notifying HHS, credit monitoring for patients, etc.)
  • Lawsuits: $880,000 (class-action or single-patient lawsuit fees add up quickly)
  • HIPAA Settlement fines: $1.1 million (ever-increasing as HHS cracks down on HIPAA regulations)
  • Post-breach clean-up: $440,000

That’s in addition to the indirect costs like:

  • Loss of consumer confidence
  • Damage to practice reputation
  • Patient turnover
  • Loss of brand value
  • Lower employee morale

Protecting your practice is crucial. Implementing appropriate administrative and technical controls will mitigate your practice’s vulnerability:

Administrative controls include: conducting regular user training, hiring a dedicated security officer, employing and enforcing Bring Your Own Device (BYOD) policies and conducting extensive due diligence on third-party vendors.

Technical controls include: always patching and updating systems, automating your disaster recovery process and using anti-malware software.

Would your practice withstand a data breach? What are you doing to protect your practice against the ever-increasing risk of a cyberattack?