Healthcare Data Breaches by the Numbers

Written by CISOSHARE

October 29, 2020

25 min read

Every year IBM Security sponsors and publishes the Cost of a Data Breach Report based on research from the Ponemon Institute. The report for 2020 is an 84-page resource with valuable information regarding not only the cost of breaches, but also insight into mitigating factors, and data breach trends.

This article takes a focused look into data for the healthcare and pharmaceutical industries as provided by the report, as well as security recommendations to help reduce any financial and brand impacts.

The reason for focusing on the healthcare and pharmaceutical industries is two-fold.

First, there’s a growing demand for security consulting services across both industries.

Second, healthcare on its own has the highest cost impact of breaches when compared to all other industries, and pharma isn’t far behind.

To add to this, both of these industries have seen an unprecedented rise in attacks during the COVID-19 pandemic. Opportunist cyber criminals have heavily targeted this vulnerable sector.

In terms of money, the cost of a breach in healthcare is around $7.13 million, which is nearly double the average breach cost in all industries at $3.86 million.

While the costs of a breach in energy and financial industries follow just after healthcare, pharma lands in 4th place at an average of $5.06 million cost per breach.

Of all the types of data that were compromised in these breaches, patient and customer personally identifiable information (PII) was not only the most frequently compromised but also the costliest.

The average cost per lost or stolen record was $150 for data that included not only a patient’s name and other PII, but also health records, policy details, and payment information.

An already challenging situation has been compounded with the mass movement to remote work as a result of the COVID-19 pandemic.

What was already a long and drawn-out process of recovering from breaches is only prolonged with the task of coordinating with employees and personnel remotely.

Of the security leaders and experts interviewed for the 2020 Cost of a Data Breach Report, 70% expect cost increases because of a fully remote workforce, while 76% expect even longer delays to response time for the same reason. So far, the scramble to adapt to remote work is already responsible for an estimated $137,000 of the total average cost per breach.

The financial cost per breach can be alarming; so too is the time it takes to both detect and contain them.

Compared to the average of 280 days across all industries, it takes healthcare an average of 329 days to identify and contain breaches. Within that timeframe, detection accounts for 236 of those days, while it takes an additional 93 days to contain the breach.

In pharma, recovery time is below the average across all industries but it still takes 191 days to identify a breach and 66 days to contain it for a grand  total of 257 days.

Work with a team of experts See how cyber security services can protect your organization.

Cost Factors and Security Recommendations

What’s actually factored into the total cost of breaches, and how can security leaders better prepare themselves?

There are dozens of factors to consider, but we’ve identified a few key areas.

Complex security systems. Listed as a cost amplifying factor, security system complexity had the biggest impact on the cost of a breach. With systems comprising of multiple technologies and lack of in-house expertise, it’s critical to understand how all your security safeguards and technologies work together to meet your business objectives.

Compliance failures. Lack of effective adherence to HIPAA and other frameworks or regulations is another factor that can amplify costs. Stay on top of the evolving security landscape with tools and methodology that don’t just check a box, but ensure that actions and plans are in place to truly secure your organization.

Third-party breach. One of the potentially most time-consuming cost amplifying factors deals with an organization’s third-party risk management capability. Risks and vulnerabilities among your vendors, suppliers, or other third-party environments can quickly become risks and vulnerabilities that affect your environment.

Security skills shortage, incident response team formation, and CISO appointment. Lastly, considered cost mitigating factors, these all deal with staffing and resource capability. If breaches help organizations in any thing, it’s in the addition of resources. Most organizations staff up immediately in their security teams as a response to a breach in the hopes of better responding to and remediating issues. A proactive approach is immensely less costly. Virtual CISO services and security team staffing allow organizations to focus on the core business while cyber security experts fortify an organization’s security capabilities.

Incidents and breaches can happen to any organization, regardless of size or industry. There’s a lot of work that must go into the maturity and capability needed to absorb attacks with minimal damage.

Organizational leadership must consider the increasing costs of breach recovery and make decisions that help move security programs forward.

Download our full-size Data Breaches in Healthcare and Pharma infographic.

All data presented in this article is according to the Cost of a Data Breach Report sponsored and published by IBM Security.