The average global cost of a data breach per record for a health care organization is more than twice the average cost of breaches in other industries, according to a new report from the Ponemon Institute that was sponsored by IBM. In its 2015 Cost of Data Breach Study: Global Analysis, the Institute analyzed responses from 350 companies in 11 countries and calculated the average cost of a lost or stolen record to be $154; among health care organizations, however, the average could be as high as $363. Ponemon noted that data breaches can be expensive because they subject organizations to both direct costs, such as the price of credit monitoring for affected individuals, and indirect costs, including in-house investigations and customer turnover resulting from the breach. The report explored the relationship between costs and factors including churn rate and methods of responding to breaches.
Scope of the study
To conduct the study, the Institute conducted more than 1,500 separate interviews of information technology (IT), compliance, and security experts from the organizations over a 10-month period ending in March 2015. Although it focused on global trends, the report analyzed industry-related data, including that submitted by five organizations that belong to the health industry. The analysis revealed that there has been an overall 12 percent increase in per capita costs since 2013. It attributed increased costs to an increase in cyberattacks and related remediation costs, an increase in detection and escalation costs, and a greater impact of lost business.
Churn
The rate at which a business loses customers is referred to as its “churn rate.” Businesses in industries and countries that are “more vulnerable to churn” have a higher per capita cost of data breach. For 2015, health businesses that participated in the study had the highest overall abnormal churn rate at 6.1 percent, followed closely by the pharmaceutical and financial industries at 6.0 percent and 5.6 percent, respectively. Although the report noted various trends in data breach cost components, including detection and escalation, notification, and ex-post response costs, it determined that lost business may have the most costly financial ramifications for businesses. In fact, the cost of lost business has increased over the years, from $1.23 million in fiscal year (FY) 2013 to $1.57 million in FY 2015. The report suggested that businesses subject to high churn rates could reduce breach costs “by putting an emphasis on customer retention activities to preserve reputation and brand value.”
Mitigating costs
The report also listed 11 factors that can increase or decrease the costs of a data breach in all industries. The authors noted that maintaining an incident response team saved the most money for businesses, at $12.6 million. Extensive use of encryption saved $12 million. Engaging consultants, rushing to notify the public of data breaches, dealing with lost or stolen devices, and third-party involvement were found to cost additional money.
The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) requires covered entities and business associates to perform risk assessments to determine organizations’ vulnerability to risk and to determine the likelihood that protected health information (PHI) has been compromised. Health industry experts have long suggested the importance of having a team in place both to protect PHI and to respond to and mitigate potential data breaches as soon as they are discovered.
Experts have also emphasized the importance of encryption. For example, Steven Marco, President of Modern Compliance Solutions, Inc., has suggested that more than two-thirds of breaches could be prevented with adequate encryption. Speaking at the Health Care Information and Management Systems Society’s (HIMSS) 2015 conference in Chicago, Adam Green, J.D., M.P.H., Partner, Davis Wright Tremaine LLP, suggested that the HHS Office of Civil Rights may lose patience with organizations whose breaches stem from the loss of unencrypted laptops, because the need to encrypt is so well known.
Data breaches are becoming more common, not less. Ponemon will continue to monitor the cost of breaches on an annual basis.