Responding Too Quickly to Data Breaches Can Cost
For the fifth year in a row data breaches grew more costly, coming with an average organizational price tag of $7.2 million, according to the recent “2010 Annual Study: U.S. Cost of a Data Breach” report from the Traverse City, Mich.-based Ponemon Institute. And those organizations that acted too quickly, before doing due diligence, were further financially penalized. In this annual benchmark study, a total of 51 organizations, 8 percent of which were healthcare organizations, were analyzed.
The report shows for the first time that across industry sectors, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one. Larry Ponemon, Ph.D., chairman and founder of the Ponemon Institute, notes that in the last couple of years many healthcare data breaches involved a disgruntled employee or a malicious insider. As Ponemon points out, there’s extreme value in a patient’s health record, a “crown jewel of personal information,” which is why medical identity theft is so attractive.
High Costs of Breaches
The cost per breached medical record incident climbed to $301 million in 2010 from $294 million in 2009, and compared with other industries, healthcare was one of the most expensive. “When you think about the value of an individual who basically decides that they are not going to continue a relationship because they lose confidence in the organization, the lifetime value of that individual can be enormous,” explains Ponemon.
For the third straight year, direct costs account for a larger proportion of overall data breach costs, of which abnormal churn, or turnover of customers, after a data breach appears to be the dominant factor. Similarly, healthcare and the pharmaceutical industry had some of the highest customer turnover/business loss rates, at 7 percent and 8 percent respectively, while the average customer turnover rate post-breach across all studied organizations was 4 percent. Most patients have high expectations that their healthcare organizations will be faithful stewards of their personal health information, says Ponemon, which makes a healthcare breach that much more devastating and results in churn.
The study also points out, for the second year in a row, that organizations that respond more rapidly to data breaches paid significantly higher costs as a result. Ponemon notes that regulations stemming from the Health Information Technology for Economic and Clinical Health (HITECH) Act and healthcare organizations’ intention of quickly notifying patients of a breach are laudable, but the execution of identifying the patients with breached records can sometimes be sloppy. He recalls an organization last year that initially notified 38,000 data breach victims of their compromised information and later, through additional forensics, concluded there were only about 8,000 records breached.
Minimizing a Breach
Ponemon notes there is no magic bullet for CIOs to combat data breaches, but IT leadership can preemptively create policies and procedures to minimize the repercussions of a breach. “What you can do to anticipate the breach is have the processes in place to reduce its costs,” he says. “In other words, have forensics and detection capabilities, deploy data loss prevention tools, make sure that data is encrypted properly—these things will not stop a data breach, but they will lower the harm to the individual and [minimize] the impact to [the hospital’s] reputation.”
Ponemon notes that this year more organizations across all industries are spending resources on data security. He recommends healthcare institutions spend these funds on data loss prevention tools, which are not generally common in healthcare. Organizations also need to offer end-to-end encryption, especially as clinicians view more clinical information on mobile devices like tablets and smartphones. “I think if there is one area of great consequence in healthcare, it’s around insecure or unstable endpoints,” he says. “The more that we control that, the harm to the individual will be less.”
Another tool IT departments can implement for additional security is single sign-on, Ponemon says. Physicians, like other users, don’t like to remember a lot of passwords, he says, and single sign-on can increase the efficiency of securing information systems in an organization.