Data breach. Those two words alone can evoke nightmarish visions. But actually quantifying a data breach — measuring its true cost — is a complex science, inexact at best, especially in the healthcare industry.
Underscoring the subjective nature of this issue are two recent studies by prominent research organizations, the Ponemon Institute and Verizon. The Ponemon Institute estimated a data breach impact of $217 per record in its 2015 Data Breach Study, while Verizon estimated just 58 cents per record in its 2015 Data Breach Investigation Report (DBIR).
Why the huge difference? It turns out it’s all about how the data is collected.
Some experts say this night-and-day disparity is due to conflicting data-collection methods. In this case, one method took into account the “soft costs” of the breach, while the other did not. These subordinate costs may include damage to reputation, loss of trust and funding sources, decreased customer loyalty, and increased staff turnover. When all of these ancillary costs are included, their sum can have a huge economic impact.
Steps to take
It’s important to recognize the differences between soft and hard costs, while simultaneously understanding the potential impact of both. This process is aided by three critical steps:
- identify emerging threats
- develop and implement strategies to reduce risk
- assess technology, people and processes
Furthermore, any worthwhile discussion of recovery costs should include the costs of credit monitoring, call center, mail house, advertisement in certain media (as required by HIPAA), legal advice, compliance with laws, public relations impact, and defense costs.
Internal assessments are imperative
In order to make informed decisions about the level of protection patient data requires, healthcare organizations must conduct their own risk assessments to estimate potential costs. Outside studies can augment this data and offer helpful information for measuring the costs of a breach and calculating risk exposure. Any list of best practices for conducting solid risk assessments should include technology requirements, monitoring policies, remediation steps, and effective security procedures.
Vigilance is key
When it comes to information security, healthcare organizations should take a proactive stance, ideally in order to understand, assess and avoid the costs of a breach before it occurs. Furthermore, remaining vigilant means that an organization will be more likely to have the proper tools in place to deal with a data breach if one should occur.
This means being able to follow these steps:
- Recognize and justify the cost of protection — including technology, multidisciplinary training, security policies and procedures.
- Apply best practices to help ensure cost-effective, efficient response in case of breach — proper notification to government agencies, individuals, and legal counsel, along with remediation planning.
- Assess recent incidents, emerging issues, relevant research and unique risks associated with breaches in healthcare.
- Discover resources for predicting costs of cyber-attack and develop tactics for prevention.
- Identify and describe the hard and soft costs of breach — differences between direct and indirect costs, and examples of the impact on your specific type of organization and populations served.
- Define a strategy for conducting internal risk assessments to identify security gaps, address leaks, project potential costs and support investment in prevention.
At the end of the day, healthcare organizations must be able to construct both hard- and soft-cost summary tables and conduct internal risk assessments. This data will help to build a best practices handbook and a critical checklist for managing a breach.
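The following is an added example, not code from the article or from either study it cites. It builds the hard- and soft-cost summary table the article calls for, using constructed sample figures (the categories come from the article; every dollar amount and rate is an assumption), and shows why the per-record figure swings so widely depending on whether soft costs are counted. It also carries the summary into a standard annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence) check, which is a common risk-assessment method rather than anything the article prescribes, to illustrate how a cost summary can support a decision to invest in prevention.

```python
"""Hard/soft breach cost summary and a risk-exposure check (added example).

All dollar figures and rates below are constructed for illustration only;
they are not taken from the article, the Ponemon study, or the Verizon DBIR.
"""
from dataclasses import dataclass
from enum import Enum


class CostType(Enum):
    HARD = "hard"   # direct, invoiced costs
    SOFT = "soft"   # reputation, trust, loyalty, turnover


@dataclass(frozen=True)
class CostItem:
    name: str
    kind: CostType
    per_record: float = 0.0   # scales with the number of records exposed
    fixed: float = 0.0        # one-off cost regardless of record count


# Constructed sample cost items; categories mirror the article's list.
SAMPLE_ITEMS = [
    CostItem("credit monitoring", CostType.HARD, per_record=10.0),
    CostItem("mail house notification", CostType.HARD, per_record=1.5),
    CostItem("call center", CostType.HARD, fixed=50_000.0),
    CostItem("media notice (HIPAA)", CostType.HARD, fixed=20_000.0),
    CostItem("legal advice and defense", CostType.HARD, fixed=150_000.0),
    CostItem("reputation / lost patients", CostType.SOFT, per_record=40.0),
    CostItem("staff turnover", CostType.SOFT, fixed=80_000.0),
    CostItem("public relations", CostType.SOFT, fixed=30_000.0),
]


def summarize(items, records, include_soft=True):
    """Return per-item rows, the total, and the resulting per-record cost.

    Soft items are skipped when include_soft is False, which is the
    methodological choice that drives the disparity between studies.
    """
    rows, total = [], 0.0
    for item in items:
        if item.kind is CostType.SOFT and not include_soft:
            continue
        cost = item.fixed + item.per_record * records
        rows.append((item.name, item.kind.value, cost))
        total += cost
    per_record = total / records if records else 0.0
    return {"rows": rows, "total": total, "per_record": per_record}


def per_record_estimates(items, records):
    """Per-record cost with hard costs only versus hard plus soft costs."""
    hard_only = summarize(items, records, include_soft=False)["per_record"]
    with_soft = summarize(items, records, include_soft=True)["per_record"]
    return hard_only, with_soft


def render_table(summary):
    """Plain-text summary table suitable for a risk-assessment appendix."""
    lines = [f"{'Cost item':<28}{'Type':<6}{'Amount':>14}"]
    for name, kind, cost in summary["rows"]:
        lines.append(f"{name:<28}{kind:<6}{cost:>14,.2f}")
    lines.append(f"{'TOTAL':<34}{summary['total']:>14,.2f}")
    lines.append(f"{'per record':<34}{summary['per_record']:>14,.2f}")
    return "\n".join(lines)


def annualized_loss_expectancy(single_loss, annual_rate_of_occurrence):
    """ALE = SLE x ARO, the usual way to annualize a one-time loss estimate."""
    return single_loss * annual_rate_of_occurrence


def control_is_justified(ale_before, ale_after, annual_control_cost):
    """A control pays for itself when the annual loss it avoids exceeds its cost."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    records = 10_000
    print(render_table(summarize(SAMPLE_ITEMS, records)))
    hard, both = per_record_estimates(SAMPLE_ITEMS, records)
    print(f"\nper-record, hard only: {hard:.2f}; hard + soft: {both:.2f}")
    sle = summarize(SAMPLE_ITEMS, records)["total"]
    # Assumed likelihoods: one breach every four years, reduced to one in eight
    # by a proposed control costing $60,000 per year (constructed figures).
    before = annualized_loss_expectancy(sle, 0.25)
    after = annualized_loss_expectancy(sle, 0.125)
    print(f"ALE before: {before:,.2f}; after: {after:,.2f}; "
          f"justified: {control_is_justified(before, after, 60_000)}")
```

With the constructed figures, the same 10,000-record incident comes out at $33.50 per record when only hard costs are tallied and $84.50 when soft costs are added, which is the kind of methodological gap the article describes, not a reproduction of either study's number. The ALE step turns the one-time total into an annual exposure so that the cost of a control can be compared against the loss it is expected to avoid.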