Two recently published reports discuss the high costs healthcare organizations incur due to a data breach. The Department of Health and Human Services estimates that it takes a breached organization a full year to recover. From fines and lawsuits, to having to rebuild the hospital’s image, it is hours of work at a high cost. Both studies however, found that there is a way to mitigate these costs and resolve the issue before it starts – better data security and privacy controls.

In July 2018, the Ponemon Institute published a report analyzing the costs of data breaches that have occurred over the 12 months preceding the report.[1] The Institute discovered three things –  (i) that faster identification of a data breach reduced costs, (ii) hackers and criminal insiders caused the most data breaches (48%), and (iii) the loss of customers had significant financial consequences on the organization. [2]

Moreover, after breaches, organizations can lose customers, which hurts their bottom line. The average cost of organizations losing less than one percent of their customers was $2.8 million; however, the average cost increased to $6 million if the organization lost four percent or more of their customers due to a data breach. The average organizational cost for a data breach in the United States was $7.91 million.[3] The healthcare industry had the highest rate of customer churn (6.7%) associated with a data breach, while the average customer churn rate associated with a breach was 3.4%.[4]

The cost of remediating a breach is also high with the U.S. having the highest notification costs associated with breaches at $740,000.[5] Heavily regulated industries such as healthcare have the highest costs associated with data breaches. The per capita cost for each record breached in the healthcare sector was $408.[6] The healthcare sector also had the highest average time to contain a breach at 100 days and the second highest average time to identify a breach, at 255 days.[7]

Part of the costs of managing a breach include marketing and advertising. In a recent report from the American Journal of Managed Care, it was found that hospitals spend 64% more annually on advertising after a data breach over the following two years. This increase is due to the cost that comes with repairing the hospital’s image and trying to minimize patient loss to competitors. [8]

A common theme from both reports is that the deployment of additional and more advanced security controls can mitigate breach costs. The Ponemon Institute stated that the “deployment of an artificial intelligence platform as part of a security automation solution” influenced the cost of a data breach.  The Institute found that “deployment of an AI platformed saved $8 per compromised record.”[9] Similarly, the American Journal of Managed Care researchers wrote that “advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”

The Ponemon Institute also found the cost of a data breach is lower, the faster the breach is identified. Companies that identified a breach in less than 100 days saved more than $1 million when compared to companies that took over 100 days. [10] The best way to mitigate the costs of a breach is by having the proper policies and solutions in place to identify a data breach early. Quick identification could result in millions of dollars being saved as a hospital works to rebuild their   business and image following a breach.

[1] Ponemon Institute. (2018, July). 2018 Cost of a Data Breach Study: Global Overview. Retrieved from https://www.ibm.com/security/data-breach

[2] Ponemon Institute, 2018, pp. 9-10

[3] Ponemon Institute, 2018, p. 15

[4] Ponemon Institute, 2018 p. 25

[5] Ponemon Institute, 2018 p. 27

[6]  Ponemon Institute, 2018 p. 18

[7] Ponemon Institute, 2018 p. 35

[8] Health IT Security (2019, January), Hospitals Spend 64% More on Advertising After a Data Breach https://healthitsecurity.com/news/hospitals-spend-64-more-on-advertising-after-a-data-breach

[9] Ponemon Institute, 2018, p. 22

[10] Ponemon Institute, 2018, p. 9