New Comprehensive Report Highlights Impact of Healthcare Data Breaches
IBM Security and the Ponemon Institute recently released their 2019 Cost of a Data Breach Report (the “Report”), the 14th annual edition of the study. The Report was developed from interviews with more than 500 organizations that experienced a breach between July 2018 and April 2019. While the Report is not healthcare specific, the healthcare industry features prominently in it: healthcare again had the highest average cost of a data breach of any industry, approximately $6.45 million.
Some key findings from the Report include:
- the average time to identify a breach was 206 days and the average time to contain a breach was 73 days, a combined breach lifecycle of 279 days, roughly 5 percent longer than in the 2018 report;
- breaches caused by malicious cyber-attacks were both the most common and the most expensive type of breach;
- inadvertent breaches – human error and system glitches – remain significant causes of breaches;
- the five factors that contributed most to the cost of a data breach were third-party involvement, compliance failures, extensive cloud migration, system complexity and operational complexity;
- the presence of an established incident response team can significantly lower the average cost of a data breach; and
- organizations are nearly one-third more likely to experience a breach within a two-year period than they were in 2014.
Specifically with respect to the healthcare sector:
- the average total cost of a data breach in the healthcare industry is 65 percent higher than the average across all industries; the next most expensive industries were the financial, energy and industrial sectors;
- healthcare organizations had a 7 percent customer turnover rate following a breach, the highest of any industry in the Report; and
- healthcare organizations took the longest to identify a data breach, the public sector took the second longest, and financial organizations took the least time.
The Report highlights key takeaways for organizations seeking to minimize the financial consequences of a data breach:
- have an incident response team and test the incident response plan;
- put senior, skilled security leaders in place, which the Report found helps reduce the loss of customers following a data breach;
- identify, classify and encrypt sensitive data;
- invest in technology to improve the ability to detect and contain a data breach;
- invest in governance, risk management and compliance programs; and
- ensure security solutions are integrated within the organization.
Healthcare data breaches continue to be high-profile and expensive events that affect organizations of all sizes. Cybercriminals may be drawn to the healthcare industry because of the value attributed to protected health information. Ensuring that robust policies and safeguards implementing the HIPAA Privacy Rule and Security Rule are in place, backed by a comprehensive compliance plan, may help prevent a healthcare data breach and, if one does occur, mitigate the financial and reputational damage to the organization.
Saul Ewing Arnstein & Lehr attorneys regularly help all types and sizes of healthcare organizations with creating and maintaining HIPAA compliance and breach responses and preparedness.