Over the past two years, data breaches have cost the U.S. healthcare industry over $6.2 billion dollars, according to the Ponemon Institute's Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Currently, the health industry is among cybercriminals' favorite targets.
The Ponemon report indicated the biggest categories of risk are quantified as follows, with survey respondents allowed to select more than one answer:
- Distributed denial of service (DDoS) - 48%
- Ransomware - 44%
- Malware - 41%
- Phishing - 32%
- Advanced Persistent Threats - 16%
- Rogue Software - 11%
- Password Attacks - 8%
Understanding the real impact of the threat vector on healthcare organizations requires digging deeper than just the direct costs of a data breach. In this blog, you'll learn why healthcare data breaches are more expensive than average and the factors that can contribute to this.
Why are Health Care Data Breaches so Expensive?
Not only are health organizations at increased risk of criminal attack, they're also more likely to suffer massive financial fallout as the result of an incident with data loss. Ponemon Institute's 2016 Cost of Data Breach Report estimates that, with an average cost per record of $400, health breaches are 80% costlier than multi-industry averages.
This same study reported that just 34% of the costs of a health care breach are associated with "direct costs," or easy-to-quantify factors like notification, forensics, and legal help. The other 66% of financial impact can involve factors like customer churn, replacing executives, and reputation management.
But why are healthcare data breaches so expensive, especially compared to retail or other industries? While specific factors can vary, health data breaches may be particularly costly in part due to:
- HIPAA Fines
- Auditing and forensics requirements
- Higher-than-average customer churn post-breach
What Factors Can Affect the Cost of a Healthcare Data Breach?
While it's important to categorize healthcare data breach costs as "direct" and "indirect," these classifications aren't perfect. The costs of a data breach can range from the entirely predictable to the far less easy-to-quantify.
Category 1: Easily Quantifiable Costs
| Factor | Cost |
| Notifying Customers | $1-10 per customer |
| Credit Monitoring Services | $150 per customer per year |
| Regulatory Fines | $5,000 to $500,000 for PCI, $50,000-$1.5 million for HIPAA |
| Forensic Investigation | $2,000 per hour |
| Legal Assistance | $1,500 per hour |
| Direct Financial Loss | Highly variable; recent average estimates over $500,000* |
| Settlements | Highly variable; recent reports of $2.7 million or more** |
| Insurance Premium Increases | 200% premium increases are common*** |
*Source: Kapersky Labs
**Source: Modern Healthcare
***Source: Deloitte research via Journal of Accountancy
Easily quantifiable costs are typically considered "direct impact." Following the results of a forensic investigation, organizations can typically predict just how expensive breach remediation will be.
Category 2: Harder-to-Quantify Costs
| Factor | Cost |
| Customer Churn | Highly variable; average 6.7% customer churn* |
| Business Downtime | Highly variable |
| Public Relations | $250 per hour or more for high-end PR consultancy |
*Source: Ponemon Institute
One of the most interesting phenomena in healthcare information security is the tendency for extraordinarily high customer churn post-incident. Healthcare is second only to finance as the industry in which customers are most likely to take a hike after notification. With average turnover rates of nearly 7% reported by Ponemon, this is double the multi-industry average of 3%.
Business downtime resulting from a security incident is another factor with the potential for devastating impact, but it's difficult to predict. The type of threat and an organization's business continuity planning can both shape this hard-to-quantify cost factor.
Category 3: Highly-Variable Costs
| Factor | Cost |
| Brand Damage | Highly variable |
| Loss of Competitive Advantage | Highly variable |
| Replacing Executive Staff | Over 100% of annual salary |
Very little long-term data on brand damage from data breaches exist. While few organizations have revealed the extent of impact past incidents have had, brand damage and loss of competitive advantage can linger far longer than media attention.
How Much Do Healthcare Data Breaches Really Cost?
On average, healthcare data breaches cost $4 million, with an average financial loss of $355 per stolen record according to Ponemon's 2016 cost report. However, it is important to note that these estimates typically focus on the most easily quantifiable costs.
Using Ponemon's own estimates that only 34% of data breach costs are direct, healthcare IT pros are wise to stand prepared for incidents that are up to 66% more expensive than reported industry averages. With these figures in mind, you can expect the true cost of health care data breaches to exceed $1,000 per stolen record or $11 million in total on average.
Monitoring Your Critical Health Information
Not only are healthcare IT pros facing a tough threat vector, but they're also struggling to maintain HIPAA compliance. Technical safeguards needed to protect electronic protected health information (ePHI) are notoriously vague in HIPAA's official guidelines. In addition, simply achieving compliance may not be enough. In a complex health network, it's relatively easy to move in and out of compliance in a matter of seconds.
CimTrak is a leading file integrity monitoring solution for healthcare organizations that want to maintain HIPAA compliance and stand prepared for complex security threats. With the help of CimTrak, security administrators can gain access to detailed forensic data on their endpoints, critical business applications, and more. As the only FIM solution to offer full remediation capabilities, CimTrak can enable security teams to stop cybercriminals in their tracks.
To learn more about HIPAA compliance and FIM, download our HIPAA solution brief today.
