Data breaches cost the healthcare sector an average of $6.5 million, over 60 percent more than all other sectors, according to a Ponemon Institute report, sponsored by IBM. Other sectors spend about $3.9 million, on average.
Ponemon researchers interviewed 500 global organizations that experienced a data breach in the last year. The researchers found that, for the ninth consecutive year, the healthcare sector is still the hardest hit financially by data breaches.
The costs are directly related to legal, technical, and regulatory functions, including patient notifications, breach detection and response, and lost business caused by reputational damage, loss of consumer trust, and downtime.
What’s more, loss of business has remained the largest breach expense for the last five years among all industries, with a cost of $1.42 million, or 35 percent, on average.
Consider the recent American Medical Collection Agency breach, where the number of breached victims has reached 25 million from 18 covered entities. AMCA’s parent company, Retrieval-Masters Creditors Bureau, filed for Chapter 11 protection after the breach went public. Officials cited loss of business as one of the main reasons for filing for bankruptcy.
The Ponemon report also showed that some of these costs are associated with the highly regulated nature of the healthcare sector, which can add to the long-tail financial impact. Healthcare had higher long-tail costs in the second and third years than other sectors.
About 67 percent of the costs occurred during the first year after a breach, 22 percent during the second, and 11 percent in the years that followed the two-year mark.
The researchers also found breach costs have increased 5 percent in healthcare in the past year. In fact, health providers will spend $429 for each lost or stolen record – up from $408 per record in 2018. The cost is about three times more per record than all other sectors.
Breach costs are rising across all sectors at 12 percent, with the impact lasting for several years after the initial incident, the report showed. The financial impact is directly related to increased regulation, the complexity of resolving criminal cyberattacks, and costs that can last for several years.
Further, the financial impact of breaches is twice as much in the US as in other countries, at an average of $8.2 million. And those costs have increased a whopping 130 percent in the past 14 years. The average cost of a breach in the US was $3.5 million in 2006.
Those costs also varied by organization size, with small- to medium-sized organizations spending 5 percent of annual revenue, or $2.5 million to recover.
These numbers are especially concerning given a recent CHIME and KLAS report that found small providers are not keeping pace with necessary cybersecurity measures, like risk management and governance.
Also concerning, malicious or criminal cyberattacks were behind 51 percent of all breaches and are the costliest in terms of recovery at 25 percent higher than breaches caused by system or insider error. These attacks have increased 21 percent from 2014 to 2019.
What’s worse is that it took the breached US organizations an average of 245 days to identify and contain a breach. However, the report tied breach response directly to cost saving. Organizations that detected and contained the breach in less than 200 days spent $1.2 million less on total breach costs.
Lastly, organizations that focus on incident response can reduce the time it takes to respond, which had a direct correlation to overall costs. Those that had these measures in place reduced their breach costs by $1.23 million, compared to those organizations without those functions.
“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services, said in a statement.
“With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs,” she added.
Read the original post at Health IT Security, written by Jessica Davis.