So What Is the Most Costly Type of Data in a Data Breach? … Health-related

If there is one area where data could be used to transform our lives, it is in health care. With the increased flow of data, we could preemptively detect the early signs of illness, or better identify whether interventions in health care actually improve things. But with this comes a great risk of breaching the rights of citizens to have their health care data treated in a way that respects their privacy. Unfortunately, the data infrastructures that we have created often have little respect for properly encrypting and anonymising the data used in health care, and we thus risk major breaches of citizen data, which could damage future plans (and can lead to significant costs for health care providers).

In terms of sensitive data, health information is one of the most sensitive in terms of its scope:

You may think that your credit card details are the most precious thing that a hacker can gain, but think again, as your health care record is probably worth a great deal more. The Ponemon Institute and IBM have just released their findings for data breaches in 2018, and they do not make comfortable reading [here]:

A cost of $148 per record is 6.4% higher than in 2017 (the average cost of a data breach is $3.86 million), but there is a $14 per record saving if an incident response team is involved. South Africa had the worst track record in breaches (43%), while Germany had the best (14.3%).

Good investments?

The study found that the mean time to identify (MTTI) a breach was 197 days (over six months), and the mean time to contain (MTTC) it was 69 days (over two months). Those who managed to contain a breach within 30 days were identified as having considerable overall savings in their costs.

Many see the cost of cyber security as a saving in the long term, but what counts as a good investment in terms of data breaches? Having an incident response team, using encryption, user training and threat sharing are all good investments, while moving to the Cloud, involving third parties, compliance failures and lost or stolen devices all lead to increased costs:

Perhaps worrying is the rush to report, especially with the requirement under GDPR to report within 72 hours. In terms of costings, Ponemon classified these into four key areas:

  1. Detection and escalation. This includes the costs of auditing, incident response costs, and so on.
  2. Post data breach response. This includes the cost of providing help and support for those affected by the breach.
  3. Notification costs. This includes the costs of informing the organisation and individual affected (data subjects), including associated legal costs.
  4. Lost business cost. This includes the general loss of future business through brand reputation, and so on.

In terms of the factors which affected the overall cost of the breach, Ponemon found that these were the key factors:

  • The unexpected loss of customers following a data breach.
  • The size of the breach, or the number of records lost or stolen.
  • The time it takes to identify and contain a data breach.
  • Effective management of detection and escalation costs.
  • Effective management of post data breach costs.

Abnormal churn

The bottom line for many companies is the loss of business and loss of customers. Abnormal churn, which relates to a greater than average loss of customers, increased by 3.4% (with France, Japan and Italy having the highest abnormal churn rates), and it is a significant factor in the cost of data loss. Health care and finance see the greatest churn rates, with entertainment and the media having the lowest:

Who is hit hardest?

As expected, it is the highly regulated industries such as health care and the financial sector that have the most costly breaches, as fines can be heavy in these industries (along with a higher cost to their business). The Ponemon survey highlights that those who invest in DLP and encryption often have a lower cost to their breaches. Overall, health care data breaches bring the largest costs per lost record, with $408 per record in health care, $166 in education, and $75 in the public sector:

And who causes the breaches?

As with previous years [here], almost half of all breaches are caused by hackers or criminal insiders (48%), with system glitches and human error accounting for the rest:

Mexico, the USA and France had the highest rates of malicious attack (52%-61%), Turkey had the highest rate of system glitches (33%), and Italy had the highest rate of human error (35%).

Conclusions

The largest cost to the business is still lost business, and the report notes that the costs of detection and escalation have both increased over the past few years. The areas where customers will move away from organisations are health care and finance, and while the finance industry has invested significantly in security operations over the past few years, one wonders whether health care is doing the same.

Citizens should have increasing rights over their own health and social care pathway, but they also need the associated data to be protected. We need new ways of protecting that data, and to build new systems that protect it while still supporting its use. An investment in DLP (Data Loss Prevention), encryption and incident response teams can considerably reduce the costs of breaches.

Here is my little analysis.

And here is our Delphi methodology for understanding risks in health care.