Risk
8/15/2010
05:26 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Analysis: Healthcare Breach Costs May Reach $800 Million

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRSUT, there have been 108 entities who have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan Manager, CSF Development and Operations, HITRUST used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That's $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

By doing the math on the HITECH related breaches, Hourihan estimates that the total cost for all organizations could reach $834 million: $245 million in direct costs for everyone and $2.3 million to $7.7 million in indirect costs.

While the trigger for breach notification is risk based, Hourihan estimates that health care organizations are being extremely cautious, and erring on the side of publicly reporting breaches, rather than being more conservative:

It is important to note that what constitutes a breach and is subsequently reported to the [Health and Human Services] Secretary: an organization believes the incident "poses a significant risk of financial, reputational, or other harm to the individual;" this does not mean some form of harm has been enacted upon everyone or even anyone affected. While this provides the possibility for an organization to not notify individuals-if the organization performs a risk assessment and determines the risk of harm is significantly low-organizations appear to be erring on the side of caution and providing notice to the individuals and Secretary regardless. In one specific instance with Rainbow Hospice and Palliative Care, the laptop that was stolen was in fact encrypted, yet notice was still provided.

In breaking down the data breaches by how they occurred, Hourihan also found the majority of breaches to be by loss and theft:

Looking at the cross-section of these categories and focusing first on simply the number of breaches experienced, the theft of laptops was the number one cause resulting in a total of 32 breaches reported. The next closest leading causes are theft of desktop computers and theft of removable media resulting in 10 and 12 breaches respectively. The total number of thefts reported is an astonishing 68 or 63% of all breaches.

With those costs in mind, and the hassles associated with breach notification, it would seem more health care organizations would turn to encrypting of data at rest - and banning the use of notebooks and removable media for protected patient medical information.

For my security and technology observations throughout the day, you can find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9605
Published: 2015-09-04
WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webup...

CVE-2015-5612
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

CVE-2015-5688
Published: 2015-09-04
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.

CVE-2015-6807
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

CVE-2015-6808
Published: 2015-09-04
Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Dark Reading Radio
Archived Dark Reading Radio
Another Black Hat is in the books and Dark Reading was there. Join the editors as they share their top stories, biggest lessons, and best conversations from the premier security conference.