Risk
8/15/2010
05:26 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Analysis: Healthcare Breach Costs May Reach $800 Million

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRSUT, there have been 108 entities who have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan Manager, CSF Development and Operations, HITRUST used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That's $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

By doing the math on the HITECH related breaches, Hourihan estimates that the total cost for all organizations could reach $834 million: $245 million in direct costs for everyone and $2.3 million to $7.7 million in indirect costs.

While the trigger for breach notification is risk based, Hourihan estimates that health care organizations are being extremely cautious, and erring on the side of publicly reporting breaches, rather than being more conservative:

It is important to note that what constitutes a breach and is subsequently reported to the [Health and Human Services] Secretary: an organization believes the incident "poses a significant risk of financial, reputational, or other harm to the individual;" this does not mean some form of harm has been enacted upon everyone or even anyone affected. While this provides the possibility for an organization to not notify individuals-if the organization performs a risk assessment and determines the risk of harm is significantly low-organizations appear to be erring on the side of caution and providing notice to the individuals and Secretary regardless. In one specific instance with Rainbow Hospice and Palliative Care, the laptop that was stolen was in fact encrypted, yet notice was still provided.

In breaking down the data breaches by how they occurred, Hourihan also found the majority of breaches to be by loss and theft:

Looking at the cross-section of these categories and focusing first on simply the number of breaches experienced, the theft of laptops was the number one cause resulting in a total of 32 breaches reported. The next closest leading causes are theft of desktop computers and theft of removable media resulting in 10 and 12 breaches respectively. The total number of thefts reported is an astonishing 68 or 63% of all breaches.

With those costs in mind, and the hassles associated with breach notification, it would seem more health care organizations would turn to encrypting of data at rest - and banning the use of notebooks and removable media for protected patient medical information.

For my security and technology observations throughout the day, you can find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.