Large-scale data breaches are not new to the healthcare industry, and healthcare cybersecurity attacks are becoming more intricate and difficult to predict. However, the initial attack is not always where the story ends for covered entities.
Healthcare providers could spend months or even years recovering from a cybersecurity incident, and the recovery may cost far more than expected.
Deloitte Cyber Risk Services recently published “Beneath the surface of a cyberattack: A deeper look at business impacts” to help show organizations that a data breach could have long-lasting effects and costs.
For example, one data breach scenario discussed in the report involved a health insurance provider. Deloitte calculated the total cost at over $1.6 billion over a five-year timeframe.
John Gelinne, managing director in Deloitte Cyber Risk Services, discussed the report with HealthITSecurity.com and said that healthcare organizations may not always be aware of the full impact of a data security incident.
Gelinne explained that even though more resources than ever are being focused on healthcare cybersecurity issues, it sometimes seems that many executives and board members cannot see that the risk posture in their organization may not be improving.
“Being prepared really starts with a clear picture of what could happen if you were breached,” he said. “Also that anticipating all of the financial impact in advance of a breach would help leaders map out where their greatest impacts are to fully understand the full financial impact.”
If organizations can model the impact of a cyberattack scenario with some level of fidelity, then presumably they would be able to better understand their total risk exposure.
The research paper was also meant to let healthcare organizations paint a more realistic picture of breach impacts, and of the direct effect of their cybersecurity investment, he added.
“In other words, let's do this analysis, let's understand where our most impactful areas are and let's redirect cybersecurity resources accordingly to protect those,” stated Gelinne. “Ultimately, you can't protect it all. You have to really understand what's the most important thing to protect? We came up with a methodology to do that.”
What is the ‘below the surface’ cost for healthcare organizations?
With healthcare data breaches specifically, Gelinne said that the above the surface cost has to do with the actual health records – the loss of a record.
“The general consensus is that we really have a better understanding of those costs because of the requirement to report that,” he noted. “Regulatory means, obviously, the public attention given to that because you are letting folks know that you’ve lost X number of records.”
Other costs include the breach notification process, as well as customer protection. Sometimes organizations will need to hire a PR firm after a breach, or hire outside counsel to help in their decision making process.
“Then of course there is the impact associated with the cybersecurity improvements and putting your finger in the dike to prevent more data from spewing out in the triage phase,” Gelinne added. “The initial round of cost and customers; we lumped those into the above the surface category of impact.”
The study also combined observations from hands-on experience in supporting large-scale cyber incident response and recovery efforts with the quantification and valuation methods used on the financial side.
“To do that, we pulled in our valuation side of Deloitte, which does this sort of work in terms of mergers and acquisitions and those kinds of things, so that we could quantify what we call the below the surface impact,” Gelinne said. “It’s not just the loss of a record. Even the healthcare industry has to deal with the impact of lost contracts or the impact of the devaluation of the company's trade name.”
Furthermore, the healthcare industry may also have to deal with operational disruption. Ransomware attacks, for example, can affect daily operations. Organizations may need to decide whether to pay a ransom or not in order to potentially continue patient care.
Other intangibles could come into play, according to Gelinne. Perhaps an organization wanted to expand, or merge with or buy another company, but it has just experienced a breach. What is the impact if it wants to raise debt to fund that strategic acquisition? What does the breach do to the company’s credit rating?
“We lump those into the below the surface category that we believe tells the whole story,” he explained. “You need to understand the whole story to be able to understand how best to invest in the space.”
Healthcare data security is not a ‘one size fits all’
Healthcare organizations need to review their own financial status and place it in a cyberattack scenario that is most plausible for that particular company, Gelinne said. Once that is modeled and the valuation analysis described in the Deloitte paper is conducted, organizations can calculate the impact that matters most to that particular company, in that particular industry, against that particular attack scenario.
“If you do that, then you can really tease out those impact factors that matter most,” he explained. “What data matters most? Once you know that, you can reinvest in that particular process as opposed to one that may be less business impactful.”
Gelinne added that he cannot tell an organization if it should invest in its data loss prevention program, or perhaps invest in an identity management program.
“The real answer is, let's understand the company's financial status and then let's figure out what types of technology falls from that,” he maintained. “Perhaps it might not even be technology. Perhaps it's just business, the people and processes. But the point is, it's more of a business approach to protecting the company.”
Different healthcare facilities will have different needs. For example, a rural provider in a small town is going to have different business requirements – and security requirements – than a large hospital in a metropolitan city.
That was what Deloitte strove to do with its research paper, Gelinne noted. The paper was very specific about the types of companies it discussed.
“It puts it in context as opposed to saying, ‘It’s a one size fits all’ approach,” he said. “It's not a one size fits. A single provider in a small rural area is completely apples and oranges to the scenario that we put in the paper. The point is, it's going to be tailored to suit what it is you do for a business in the industry, and making some reasonable financial assumptions around that and then being able to calculate the impact.”
Gelinne added that most of the impact will actually extend out well beyond the initial breach, perhaps even several years.
“We put a five year cap on it and that's why when you look at the number and you compare that to [other reports], it may seem big,” he explained. “The bottom line is when you talk about litigation down range, when you talk about the idea that you might have lost a contract down range…these things add up over time. We believe that duration is as equally important as impact.”