Risk
8/15/2010
05:26 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Analysis: Healthcare Breach Costs May Reach $800 Million

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.

According to an analysis by the Health Information Trust Alliance (HITRUST), regulated health care organizations that have reported health information breaches of 500 or more people could cumulatively spend upwards of $1 billion in related costs.Since the Health Information Technology for Economic and Clinical Health Act or HITECH Act of 2009 came to being, a number of new privacy, security and reporting and non-compliance penalty provisions went into effect. And as summarized by this report from HITRSUT, there have been 108 entities who have reported security breaches since September of last year.

Those breaches comprise about 4 million people and records.

In the analysis, Chris Hourihan Manager, CSF Development and Operations, HITRUST used the 2009 Ponemon Institute Cost of a Data Breach Study [.pdf], which found the average cost for each record within a data breach to be $204. That's $144 of indirect costs and $60 of direct costs. An overview of the Ponemon study is available here.

By doing the math on the HITECH related breaches, Hourihan estimates that the total cost for all organizations could reach $834 million: $245 million in direct costs for everyone and $2.3 million to $7.7 million in indirect costs.

While the trigger for breach notification is risk based, Hourihan estimates that health care organizations are being extremely cautious, and erring on the side of publicly reporting breaches, rather than being more conservative:

It is important to note that what constitutes a breach and is subsequently reported to the [Health and Human Services] Secretary: an organization believes the incident "poses a significant risk of financial, reputational, or other harm to the individual;" this does not mean some form of harm has been enacted upon everyone or even anyone affected. While this provides the possibility for an organization to not notify individuals-if the organization performs a risk assessment and determines the risk of harm is significantly low-organizations appear to be erring on the side of caution and providing notice to the individuals and Secretary regardless. In one specific instance with Rainbow Hospice and Palliative Care, the laptop that was stolen was in fact encrypted, yet notice was still provided.

In breaking down the data breaches by how they occurred, Hourihan also found the majority of breaches to be by loss and theft:

Looking at the cross-section of these categories and focusing first on simply the number of breaches experienced, the theft of laptops was the number one cause resulting in a total of 32 breaches reported. The next closest leading causes are theft of desktop computers and theft of removable media resulting in 10 and 12 breaches respectively. The total number of thefts reported is an astonishing 68 or 63% of all breaches.

With those costs in mind, and the hassles associated with breach notification, it would seem more health care organizations would turn to encrypting of data at rest - and banning the use of notebooks and removable media for protected patient medical information.

For my security and technology observations throughout the day, you can find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.