Data breaches in healthcare are the most expensive to remediate and growing more so, according to a new report on data insecurity by the Ponemon Institute. The study covers 350 companies in 11 countries across 16 industries.
Worldwide, the average cost of a healthcare breach is $363 per exposed personally identifiable record, the Traverse City, Mich.-based researcher concludes in its “2015 Cost of Data Breach Study: Global Analysis” sponsored by IBM. In the U.S. healthcare industry, the average cost was $398.
In contrast, globally, the average cost of a data breach across all industries is $154. At $68, the loss of public sector records is the least costly, the report author said.
Retail's average cost is near the middle, at $165, but it's up dramatically, a 57% increase, from $105 in the prior year's report. Per capita breach costs for all industries and countries increased by 12% during the same period.
The study is based on survey data gathered in 2014 from the United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, United Arab Emirates and Saudi Arabia. Ponemon researchers steered clear of firms that experienced massive data breaches to try to come up with realistic estimates of breach costs. All participating organizations experienced a breach, however, ranging in size from 2,200 to slightly more than 101,000 records.
The 5th annual breach study by Ponemon did not follow the same companies year over year, making it difficult to rely upon the study for trend data. Ponemon notes that breaches by hackers and what its authors called “criminal insiders” increased to 47% of all breaches reported in this year's study, up from 42% in the prior year's study report. Remediation costs for crime-linked breaches rose as well, to an average of $170 per record from $159.
Companies in the two Arab countries, counted as a cluster, had the highest proportion, 57%, of their breaches caused by malicious or criminal attacks. France followed at 55%. The U.S. ranked 5th at 49%.
The U.S. nosed out Germany as the country with the highest average breach cost across all industries at $217 compared with $211 per record, respectively, the study showed.
The Ponemon findings that healthcare data breaches would carry the highest costs for remediation come as no surprise to security expert Chris White, senior lead engineer of commercial data protection services at Booz Allen Hamilton. In Europe, for example, privacy laws are even more stringent than in the U.S.
“There is something inherent to the human condition that says health information is some of our most private information,” White said. “The other piece is the damage that could be done with personal information.” Black market prices for medical records can run 10 times those of personally identifiable information from hacks in other industries. “A lot of it has to do with the depth of information that can be gleaned from them” and used by criminals for identity and medical identity theft.
Given that healthcare trailed other industries in the adoption of information technology, but has boned up on tech in the past three to five years, “it's a logical leap for some of the attackers” to target health IT systems, White said.