Once Again, Healthcare Is the Winner – Coming in at $380 per Stolen Record
I’m really not sure why the healthcare industry doesn’t seem to be able to get a handle on cybersecurity. Healthcare led again, at $380 per stolen record; the education industry had the second-highest per-record cost last year, averaging $246 per record, and financial services came third, with an average of $221 per record.
These are the results from the 2017 Cost of a Data Breach Study: Global Overview, underwritten by IBM and conducted by the Ponemon Institute. The average cost of a data breach is $3.62 million globally, which shows a 10 percent decline from the 2016 survey.
The healthcare industry data breach cost of $380 per record is more than 2.5 times the global average across industries, at $141 per record. The average in the US is $225 per compromised record – healthcare is still much more costly. By the way, the total average organizational cost of a data breach in the US has hit a new high, at $7.35 million.
Also interesting in the report was which factors influence the cost of a data breach. Third-party error, compliance failure, extensive migration to the cloud, a rush to notify, and lost or stolen devices each increased the cost by more than $10 per compromised record.
What do those factors indicate? Third-party error, compliance failure, and extensive migration to the cloud are all highly dependent on the quality and accuracy of metadata, and organizations often do not have tools capable of generating meaningful metadata and classifying that data against a taxonomy, or set of hierarchical categories.
Third-party error may be questionable as a factor, unless it includes the communication of sensitive or private information to an unauthorized third party. Secure collaboration is often overlooked as a data breach waiting to happen. The average organization has 74 business partners, and it is quite easy to accidentally share sensitive information contained within a document, simply because the person sharing it was not aware that the document contained it.
You know, where the factors are a rush to notify and lost or stolen devices, I would ask: who is in a rush to notify whom? US organizations are notorious for either claiming not to know they even had a data breach or keeping it secret. Look at Yahoo and Uber. I’m surprised they told anyone at all.
And I don’t understand why people keep losing equipment that contains confidential information. In the case of a healthcare data breach, this can happen to the same organization two or three times, with a fine issued each time. So how can that be?
We can’t address these last two factors, but we can deal with the others. Isn’t it time for you to eliminate a significant hole in your cybersecurity defenses? If you are in a healthcare organization, I suggest you think about doing it sooner rather than later. You may be interested in reading the Insight Into Healthcare Security article we have just published.
Our webinars also address the topics explored in our blogs. Access all our webinar recordings and presentation slides at any time, from our website, in the Recorded Webinars area, via the Resources tab.