Data breach costs continue to rise across healthcare industry

But a study from IBM Security and the Ponemon Institute finds that orgs with a solid incident response plan had $1.23 million less in breach costs than those that didn't.
By Nathan Eddy
11:00 AM

The healthcare industry had the highest cost of a data breach for the ninth consecutive year, costing organizations nearly $6.5 million on average – more than 60 percent higher than other industries.

These were among the findings of the "Cost of a Data Breach Report" from IBM Security and the Ponemon Institute, which also revealed that it took the healthcare industry 236 days on average to identify a breach and 83 days on average to contain one, nearly two months longer than the average across other industries.

Christopher Scott, chief technology officer and global remediation lead at IBM X-Force IRIS, told Healthcare IT News the healthcare industry is a "hot target" for cybercriminals because protected health information has an excellent resale value on the black market.

"Unlike passwords that can be changed or credit cards that can be reset with an expiration date, health data lasts forever and can be used for numerous malicious activities such as identity theft, insurance and health care fraud, and more," Scott explained.

He said one area of improvement that healthcare organizations could consider is the adoption of security automation tools, which the report found to be a cost-saving factor among the organizations surveyed.

According to the report, only 15 percent of healthcare organizations said they fully deployed security automation technologies, and half said they have not deployed automated security tools at all.

Scott noted implementing proper incident response planning must be made a priority among C-Suite level and upper management executives.

The report found that companies with an incident response team that also extensively tested their incident response plan experienced $1.23 million less in data breach costs on average than those that had neither measure in place.

"However, reports have shown that the majority of companies still don't have a comprehensive incident response plan applied across their entire organization, meaning these plans are often siloed or ad-hoc," Scott explained.

He said having a consistent plan that spans business units and functions such as legal, finance, HR, communications and the C-Suite is critical to responding quickly and effectively to an attack.

Scott also warned the threat landscape would likely continue to become more complex and sophisticated, as the value of personal data remains high and cybercriminals are becoming increasingly well organized and well-funded.

With more than 11 billion records leaked in data breaches over the past 3 years, companies are facing increasing scrutiny from consumers and regulators alike and will likely face growing cost, brand damage and regulation as a result.

"These costs may be growing even more in the wake of increasingly strict regulations, as we've seen regulators in both the US and the UK imposing record-breaking fines on companies for data breaches in the past few weeks alone," Scott said.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Twitter: @dropdeaded209