- Healthcare data breaches can be devastating for any covered entity, but the subsequent recovery costs are often quite expensive. Implementing technological tools to aid in prevention and detection measures are not cheap, but not taking necessary steps to head off potential issues will likely result in more expensive recovery costs.
The three most recent Cost of a Data Breach Studies from Ponemon show that stolen healthcare records cost the most. In fact, in two out of three of those years the cost of a healthcare record was over twice the cost of the global average.
- 2015 results: $363 per stolen record, global average was $217
- 2016 results: $355 per stolen record, global average was $158
- 2017 results: $380 per stolen record, global average was $141
Heavily regulated industries are also consistently experiencing higher data breach costs. Healthcare and finance were in the top three highest per capita cost for data breaches for the past three years. In 2015, healthcare per capita cost was $398, it dropped to $355 in 2016, and again increased to $380 in 2017.
"Data breaches and the implications associated continue to be an unfortunate reality for today's businesses," Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement following the 2017 report’s release. "Year-over-year we see the tremendous cost burden that organizations face following a data breach.”
“Details from the report illustrate factors that impact the cost of a data breach, and as part of an organization's overall security strategy, they should consider these factors as they determine overall security strategy and ongoing investments in technology and services," he continued.
Malicious or criminal attacks were the leading cause of data breaches for the past three years as well, according to Ponemon research. Fifty-two percent of incidents in 2017 were caused by such attacks, with 48 percent of all incidents in 2016 coming from a malicious or criminal attack. In 2015, these incidents contributed to 49 percent of all data breaches.
Malicious or criminal attacks also lead to a higher average per capita data breach cost, Ponemon showed.
Incident response plans, data encryption utilization, employee training, and data loss prevention (DLP) technologies can all be essential tools for reducing data breach costs, Ponemon researchers stated in its reports.
Incident response plans
The HIPAA Security Rule requires covered entities to have a disaster recovery plan in place, along with a data backup plan and an emergency mode operation plan.
“Covered entities must have contingency plans that establish policies and procedures for responding to an emergency or other occurrence (fire, system failure and natural disaster) that damages systems that contain e-PHI,” HHS states on its website.
HIPAA also mandates that organizations have a response for natural disasters or emergencies. Strategies must be established for recovering or maintaining ePHI access “should the organization experience an emergency or other occurrence.”
For example, recovery discs or a cloud-based server should be considered. Backup generators could also be necessary if there are power outages.
Data encryption is considered an “addressable” requirement under HIPAA regulations, meaning that covered entities can determine through their risk analysis if data encryption is necessary for their operations. Should data encryption be found to not be necessary, the organization needs to document its reasoning, and then also implement an appropriate option in its place.
HHS states that valid encryption processes for data at rest and data in motion are consistent with NIST standards.
“Encryption can be applied granularly, such as to an individual file containing sensitive information, or broadly, such as encrypting all stored data,” NIST explains in its Guide to Storage Encryption Technologies for End User Devices. “The appropriate encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated.”
Employee training is also a requirement under HIPAA regulations. Organizations are not required to adhere to one standardized training program, and healthcare entities can design an education and training program that fits their operational needs.
“A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI,” according to the Security Rule. “A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.”
Regular training such as bi-annual and/or monthly will be greatly beneficial for healthcare organizations of all sizes. Computer-based training, classroom training, monthly newsletters, and email updates are just several types of training tools entities can utilize.
Data loss prevention (DLP)
DLP solutions are becoming increasingly critical for organizations in numerous industries as cybersecurity threats continue to evolve in sophistication.
Sixty-three percent of respondents in a 2017 Ponemon and Metalogix report said having appropriate DLP technologies in place would be the most effective solution for breach prevention.
Furthermore, approximately three-quarters stated that the automated discovery of sensitive information would assist them in securing data. Seventy percent reported that the classification of sensitive data would help in securing information.
File sharing and cloud resource sharing require tight security controls, HealthITSecurity.com contributor Bill Kleyman explained in a 2017 article. Security measures must also be holistic and not impede user functionality.
Firewall management, DLP solutions, and strong file sharing controls can all help ensure secure access to central data repositories and greater controls.
“Working with file sharing doesn’t have to be a nightmare,” Kleyman wrote. “As the average doctor and patient becomes more connected, we’ll experience an even greater influx of data. Sharing information can absolutely be controlled through good security measures and best practices. They key is to constantly test your own security architecture and never, ever, become complacent.”