Since this time last year, some 6.6 million unsecured records have been exposed, in a variety of incidents, ranging from deliberate hacking, through theft of laptops down to the slightly less dramatic loss of paper records.
The US Department of Health and Human Services, in response to part 13402(e)(4) of the HITECH Act, posts information on exposures of unsecured health information affecting 500 or more individuals. It can make for interesting reading.
Out of the 122 reported events, 62 were the result of direct theft, usually of a laptop. In these cases, there is a very good chance the thief was more interested in the value of the laptop than they were in the value of the records on it, but the cost of replacing the laptop itself is for the health provider, insignificant compared to the cost of the records.
Estimates of the financial impact of any breach vary and are usually hotly debated. But there are some general broad brush figures that can be applied to determine how much those lost laptops really do cost.
The Ponemon institute’s figures lie at $206 per record. This includes both direct costs and indirect financial impacts, which is usually where the debate gets heated. At a recent webinar on cyber liability insurance, Jake Kouns, CEO of the Open Security Foundation and one of the coordinators of datalossdb.com, suggested that a more conservative number might be found in the low $70 per range; at least as an average.
Whichever number you pick, it’s easy to see that the healthcare industry in the U.S. is starting to face a significant price tag for the loss of unsecured protected data. At the $75 per level, U.S. providers faced the over $490 million in costs. If, instead, we use Ponemon’s total cost estimate, at $206 per record, that cost rises to over $1.3 billion.
Now that’s $1.3 billion dollars in costs that are sunk just to remediate from breaches that are, on the whole, entirely preventable. Many breaches happen as the result of simple accidents. In fact, while much gets written on the subject of malicious insiders, you are far more likely to suffer a breach from a well-intentioned employee simply making a mistake. According to figures from the Open Security Foundation, more than twice as likely.
What’s making the prevention of these breaches even more complex is the increasingly interconnected nature of the healthcare business. As information is shared with more and more third parties, the risk of these breaches continues to escalate.
Look no further that the painful experience of Stanford Hospital and Clinics in early September: 20,000 records were exposed by a third-party billing company. An employee of that firm appears to have left them up on a public website for about a year.
It’s that kind of breach that is costing both money and doing significant damage to the reputation of healthcare organizations; something they can ill afford.
As organizations come to grips with the breach notification requirements of HITECH, expect to see increasing visibility for healthcare breaches, and quite possibly ever larger estimates for the costs to the industry. Whether you pick $75 per record, $206, or something in between, the numbers are significant.
Worse, perhaps, is that for 6.6 million Americans in the last 12 months, breaches cost them their medical privacy, too.
Geoff Webb has over 20 years of experience in the tech industry and is a senior member of the product marketing team at Credant Technologies. Geoff provides commentary on security and compliance trends for such journals and websites as: eSecurityPlanet, CIO Update, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, and many others.
Prior to Credant, Geoff held management positions at NetIQ, FutureSoft, SurfControl and JSB. Geoff holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.