Healthcare costs from a data breach
If you’re looking for a clear and specific picture of the financial impact data breaches have on healthcare organizations, look no further than a new study from the Ponemon Institute, which conducts research on data protection. One statistic that puts things into stark relief: healthcare providers lose an average of about $2.75 million per data breach, along with 10,000 patient records, and each record carries an average cost of $408. When you consider that 54% of vendors have experienced a breach, the losses add up to a substantial amount.
At the other end of the spectrum, cyber criminals continue to target these providers and vendors because of just how alluring the promise of reward is. Patient information stolen from hospitals, their networks, and medical devices continues to net dark web denizens the highest profits compared to other types of data. In fact, 2018 marked the eighth consecutive year in which the healthcare industry saw the highest costs from data breaches, at a frequency nearly three times higher than other verticals.
From the largest enterprises to the smallest operations, healthcare providers of all kinds are aware, or should be aware, of the risks, and it isn’t hard to find an example of those risks playing out. UK Healthcare, an academic medical center, just had to reboot its systems after enduring a cyberattack that lasted a month. Even in this instance, where no patient records were seemingly compromised, day-to-day functioning was apparently impacted enough to exact a cost of around $1.5 million, according to a spokesman. Although malware was the culprit here, the infiltrators failed to install any ransomware. Imagine how much higher the cost could have been otherwise.
UK Healthcare has reportedly bolstered its security posture in the wake of this event, but too often miscommunication and poorly defined roles complicate matters for vendors and providers alike. Around 28% of providers will leave a vendor if a flaw in the latter’s security is found; at the same time, they are often lax in how they manage and monitor these third-party risks, not caring enough until it’s too late. The relationship between the two is symbiotic as far as data protection is concerned, and both should be taking a proactive approach, not waiting until the other screws up. That will just make it easier for the hackers, in the end.