The High Cost of Insecurity for Healthcare

27 Oct 2015 by Bob Violino

Some say the healthcare sector is behind when it comes to information security. Yet health provider organizations, and their patients, perhaps have the most to lose if a breach occurs.

The data held by healthcare organizations goes beyond credit card numbers and financial information. It includes sensitive details about individuals’ prescriptions, medical histories, illnesses and treatments.

Healthcare is the hardest hit.

The costs of security breaches — and negligence in adequately protecting systems and data — can be especially high for healthcare organizations. According to the Ponemon Institute’s annual Cost of Data Breach Study: Global Analysis, a benchmark study of 350 companies in 11 countries, healthcare emerged as the industry with the highest cost per stolen record. The average cost for organizations in the industry was $363, says the study, which was sponsored by IBM.

The average consolidated total cost of a data breach for all sectors is $3.8 million, the report says, and this represents a 23% increase since 2013. The study found that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased 6% from a consolidated average of $145 to $154.

Noncompliance adds to the costs.

Healthcare organizations can also suffer financial losses if they fail to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA). The regulations mandate that health providers effectively protect data such as patient information.

“In highly regulated industries or for organizations that experience a breach of regulated data (mainly payment information, healthcare data, or personally identifiable information), regulatory fines can start to add up as details of the breach unfold from resulting investigations,” says Forrester Research in its report released in January 2015, “Understand The Business Impact And Cost Of A Breach.”

“Given the prevalence of major data breaches today, the circumstances that surround the breaches, and heightened public concerns regarding privacy and personal data handling, regulators are looking at events with greater scrutiny,” the Forrester report notes. “The largest HIPAA settlement to date — $4.8 million — was issued in 2014. State and country breach notification and privacy laws worldwide also typically have fines for noncompliance, and many are pushing for even larger fines.”

There are a number of things healthcare organizations can do to enhance cybersecurity and avoid the high costs of data breaches. Here are just a few examples:

  • Make mobile security a big part of the strategy. The healthcare industry, as much as any other, is adopting mobile technology as a key component of delivering services. This includes communications and computing devices such as smartphones and tablets, and also medical devices used to monitor patients. Given that these devices often store personally identifiable patient information, protecting the data should be among the highest priorities of a mobility strategy at hospitals and clinics.
  • Be willing to share information with other organizations. The growing sophistication and collaboration of cybercriminals ties in directly with the historic costs we're seeing for data breaches, according to Marc van Zadelhoff, vice president of strategy at IBM Security.

“The industry needs to organize at the same level as hackers to help defend themselves from these continuing attacks,” van Zadelhoff says. “The use of advanced analytics, sharing threat intelligence data and collaborating across the sector will help to even the playing field against attackers while helping mitigate the cost to commerce and society.”

  • Take quick action following an attack. The time needed to identify and contain a data breach affects the cost, according to the Ponemon report. The study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify, while data breaches caused by human error take an average of 158 days to identify, it says. Malicious or criminal attacks are the most costly data breaches.
  • Hire a service provider. Many healthcare organizations, especially smaller ones, lack the internal resources needed to build and maintain an effective cybersecurity program. They need to find partners that provide managed security services and are familiar with the healthcare industry and its unique challenges and requirements. Providers offer services such as continuous network monitoring and perimeter management, on-site consulting, penetration testing and vulnerability assessments, and compliance monitoring.

Find more answers to your pressing security questions and discover background information that will help you make a well-informed decision. Get in touch with Insight at 1.800.INSIGHT to begin treatment of your healthcare organization’s security.