Why Health Care Faces the Most Costly Data Breaches
Cybercrime’s estimated cost to the global economy is more than $400 billion per year, according to a McAfee report. While we often hear about hacks at big retailers such as Target and Home Depot, the retail sector doesn’t face the biggest losses as a result of breaches. One of the major problems with cyber crime across industries is a lack of reporting or slowness in reporting. Many companies may fear a scarred reputation, but this lack of transparency only makes breaches harder to investigate and more likely to happen again.
The debate continues over when to share information, how to share it, and between which parties. Many cite the lack of effective legislation as well as poor investment in security on the part of businesses as important drivers behind costly data breaches. According to Experian’s Data Breach Industry Forecast, in the absence of regulatory action on the federal level, states will likely experiment with new data breach laws in the coming year. Companies currently face a confusing patchwork of data breach laws across 47 states.
These attacks pose a number of dangers to customers, companies, and entire industries, with the monetary cost being just one. But which industries are being hit the hardest?
The top three industries most affected by cyber attacks are public, information, and financial services, according to Verizon’s 2015 Data Breach Investigations Report. However, in this report, the most impacted industries are measured by the number of incidents, not the cost or severity of those incidents.
A study by Ponemon Institute, on the other hand, looks at the industries that faced the highest per capita data breach costs. According to the report, “Per capita cost is defined as the total cost of data breach divided by the size of the data breach (i.e., the number of lost or stolen records).” Many sectors come in above the overall mean of $145 per capita. Among the most damaged by breaches, you do not find retail, but there is a clear leader when it comes to costs: health care.
With the recent, high-profile data breaches happening at health care companies such as Anthem and Premera Blue Cross, it’s difficult to ignore this trend. In May 2015, CareFirst became the third major health insurer to disclose a cyber attack, which the company says could impact more than 1 million patients. Several smaller health care organizations reportedly faced cybersecurity incidents that could still be affecting patients, and US Healthworks suffered from a breach in April 2015 all because one unencrypted laptop was stolen from an employee’s vehicle.
Many argue the health care industry is behind when it comes to information security, putting it at greater risk. This year, the FBI released a private notice to the health care industry warning providers that their cyber security systems are lax in contrast to other sectors. According to the Experian forecast, the threat level for health care organizations is rising, and data breach costs could top $5.6 billion in 2015.
Here’s why Experian says the risk to health care companies is growing:
“We expect healthcare breaches will increase — both due to potential economic gain and digitization of records. Increased movement to electronic medical records (EMRs), and the introduction of wearable technologies introduced millions of individuals into the healthcare system and, in return, increased the potential for data breaches.”
Other sectors have faced data breaches in larger numbers, but an analysis by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs, shows how large retail companies don’t incur as much monetary damage as it seems. Take Target, for example. The retailer’s final expenses as a result of being hacked totaled $105 million after insurance compensation and tax deductions. Dean says, “This is the equivalent of 0.1% of 2014 sales.”
Of course there are also hidden costs of any breach, like a damaged reputation and rising insurance rates. For the health care industry, the personal information leaked in cyber attacks can cause a degree of damage other industries rarely see. Consumer data held by health care companies goes beyond credit card numbers and financial information, to sensitive details of people’s prescriptions, medical histories, and illnesses.
Regardless of where data breaches happen, the debate over reporting information is an essential one.
After its breach, which exposed 80 million records, Anthem decided to share the information as soon as possible, even though this is not the norm. According to an article in The Wall Street Journal, federal law requires health care companies to inform consumers and regulators of a data breach only if it involves personally identifiable information, and the report is permitted to occur as long as 60 days after a hack is discovered.