Calculating the Cost of Healthcare Breaches

The Ponemon Institute continues to do good work.  For the past several years it has put out reports that survey the current cybersecurity landscape, taking the measure of privacy and security when it comes to healthcare data.  One important constant across these studies since their inception, including the most recent one this month, has been the revelation of just how frequent, impactful and costly data breaches are for healthcare entities.  Threats to these organizations have been on an upward trend year-over-year (criminal activity as the leading cause up from 45% to 50%, for example), with little improvement yet to be seen in the situation.  Whether due to financial or technical reasons, negligence or ineptitude, healthcare organizations seem powerless to stem the tide, to stopper the ever widening gap in the dam.

Patients, obviously, bear a significant burden when their hospital or provider fails to safeguard their personal information, but the cost is not insubstantial for these institutions, either.  Even covered entities, according to the report, have faced an average pricetag of over $2.2 million over the last year.  To the industry overall, furthermore, it claims a cost of over $6 billion from all breaches combined.

To me, one of the most remarkable findings was the fact that almost 90% of those surveyed have been breached in the last two years, while nearly half have astonishingly experienced more than five breaches in that time.  Nearly half.  Over five.  A stat like that bears repeating.  While careless mistakes are also an important factor, from employee errors to lost devices, increased criminal sophistication is the biggest scourge to the industry.

Like I said, the cost to healthcare as a whole can be staggering.  Worst of all are hit the entities who are found to be non-compliant with HIPAA standards.  Since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was made law of the land, improving information security for patients and instituting privacy standards for the industry—since then, providers have had to ensure they abide by those standards, ensuring the protection of confidential data at rest and in transit.  Violators can find themselves facing stiff financial penalties: depending on the severity of a violation, the negligence involved, or the number of patients affected, the charges could range from $100 to $50,000 per violation per year.  Compliance and database security thus become even more paramount concerns.

Clearly, the siege continues on the healthcare industry.  Enterprises must invest in optimizing security for their patients’ information, and be constantly and smartly vigilant for the strains of malware, ransomware, etc., that hackers will use to test their networks.  Don’t let yourself get caught napping, or the consequences for you and your patients will be steep.