Cost of healthcare data breaches revealed in Ponemon Data Breach Study

It will probably come as no surprise that the average cost of a data breach in the healthcare industry was the highest of all surveyed industries in a recent Ponemon Institute report.

Setting a new record high at $402 per capita cost, healthcare data breaches have increased substantially above the overall mean of $221. Despite the risk of hefty fines, the healthcare industry clearly still needs to do more to prevent breaches, particularly as the healthcare industry is known for being an easy target for cyber criminals.

Although the report consolidates trends from across all sectors, year on year there has been a 7% increase in the total cost of data breach, taking the average total cost of a data breach to $7.01 million, up from $6.5 million in 2015.

Data breaches cost healthcare organizations more than fines alone
Regulated industries, such as healthcare, have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers.

Despite these fines, there are many other factors that push up the cost of a data breach. Most data breaches continue to be caused by criminal and malicious attacks, which take the most time to detect and contain, resulting in them having the highest cost per record.

Organizations recognize that the longer it takes to detect and contain a data breach the more costly it becomes to resolve; fortunately, HIPAA audits, which now extend to business associates, should have helped to encourage organizations to put measures in place to detect data breaches more quickly. The research shows that detection and escalation costs have increased, suggesting that investments are being made in to reduce the time to detect and contain breaches.

The biggest cost to organizations that experience a data breach is lost business. Due to the sensitive nature of healthcare information, this can be especially damaging in this sector.

It isn’t all bad news, though. The report also revealed that the cost of a data breach can be reduced by:

  • Making improvements in data governance programs
  • Completing incident response plans
  • Appointing a CISO
  • Employee training and awareness programs
  • Having a business continuity management strategy in place
  • Investing in certain data loss prevention controls and activities such as encryption and endpoint security solutions

Prevention is better than cure
Although organizations are investing in taking steps to prevent data breaches, unfortunately, the cost of clearing up the damage left in the wake of an incident is incredibly costly. The spend on indirect costs (time employees spend on data breach notification efforts or investigations of the incident) is much lower than direct costs (engaging forensic experts to help investigate the data breach, hiring a law firm, offering victims identity protection services), but still equates to a great deal of total cost.

Overall, the message is clear: Prevention is better than cure. Preventative measures help to reduce the cost of data breaches, whereas trying to patch things up following an incident will result in costs skyrocketing.