Breach reporting costs in 2017 are proving to be something you should understand before a crisis, not after the crisis hits. In June, the NY State Attorney General announced a settlement with CoPilot, a healthcare services company that illegally deferred notice of breach of more than 220,000 patient records. Another annual report was also just released the latest numbers: 2017 Cost of a Data Breach Study from Ponemon Institute and IBM. Today, we are going to discuss how the two of them can help us all make better decisions where potential breaches of PHI are concerned.
Breach reporting costs and decisions for 2017
The NY CoPilot Case
CoPilot’s website—www.monovischcp.com—is used by physicians to help determine whether insurance coverage is available for certain medications. On October 26, 2015, an unauthorized individual gained access to confidential patient reimbursement data of CoPilot via the website administration interface, PHPMyAdmin. The intruder downloaded reimbursement-related records for 221,178 patients—including their name, gender, date of birth, address, phone number, and medical insurance card information. Of the patients affected, 25,561 were residents of New York; 11,372 of the New York patients’ records also included social security numbers.
In mid-February 2016, the Federal Bureau of Investigation opened an investigation at CoPilot’s request, focusing on a former CoPilot employee whom CoPilot believed was the intruder.
Patients weren’t notified until Jan 2017
From Oct 2016 until Jan 2017 to do a notification sure is more than 60 days![13:35] So far, CoPilot is paying the state of NY $130,000. Not sure about OCR or what the CEs may say to them about dealing with this issue. This is probably not the end of the case for CoPilot even if we don’t hear more about it.
2017 Cost of a Data Breach Study from Ponemon Institute and IBM
High points of the data breach study report.
The average breach reporting costs per record in health care rose from $355 in 2016 to $380 for 2017. The four-year average is $369 per record. No matter what number you choose if you have even 1,000 records it is a pretty big number. Image the sites that have hundreds of thousands of records to address.
The industry closest to healthcare in the cost report for 2017 was the financial sector the came in a $245 which is up $23 per record but even that number is too pricey for my blood! It is certainly a long way from $380 per record. Interestingly, the overall cost of a data breach dropped from $158 in 2016 to $141 in 2017.
The most expensive type of attack across the board involves a malicious insider or other types of criminal attacks. Unfortunately, other study reports almost always agree that the highest chance of some sort of breach happening to any business will involve a malicious insider or criminal attack.
Increased costs factors
The report included many details including factors that seemed to increase your breach reporting costs. Those factors range from the complexity of IT to having a third-party vendor involved in the breach case.
Some complexity in any IT security architecture is expected to deal with the many threats facing organizations. However, too much complexity can impact the ability to respond to data breaches. Another interesting factor that can increase costs is listed as the rush to notify victims without understanding the scope of the breach.
The report also lists compliance failures (+$11) and the engagement of consultants all as factors that increase post data breach costs. Expenditures to resolve lawsuits also increase the post data breach costs. Third-party vendors or contractors involved in a breach also is reported to increases the cost per record by $17 each.
Those are all ways to make breach reporting costs go up. Based on this information, it pays to stay compliant and take your time in making decisions with proper information. Of course, you definitely need to keep your IT and your vendors from getting out of control
Ways to reduce the costs
What is most important factors are how to reduce data breach reporting costs. The report covers those points, as well.
The faster the data breach can be identified and contained, the lower the costs. 191 days for a statistical mean time to find, 66 days to mitigate is what most of the breaches in the study were dealing with here. If you can’t respond at least that well, you will have higher costs. Responding faster reduces those costs. Simply having a prepared Incident
Simply having a prepared Incident Response Team and Incident Response Plan has the most dramatic effect on the costs per record. Improve you standing by $19 per record by being prepared. Add extensive use of encryption and you can take another $16 per record off the total. Finally, add in employee training (-$13) and a business continuity plan (-$11) and you can start to see a substantial, at least statistically, dent in that $380 number. You drop $59 to $321 per record. While that isn’t a huge difference when still looking at the $141 number, it is still over 15% drop.
A much more indirect number to address is the costs estimated in lost business and reputational damage. The report did make it clear that providing victims with breach identity protection is more successful than anything, short of no breach, in reducing the loss of customers. The loss of customers is a significant factor in breach reporting costs that aren’t obvious to many people.
Having knowledgeable people on your team that understands your business and the complexities a data breach brings with it, is another mitigating factor. That probably goes hand in hand with having a solid response and continuity plan in place as well.
Of course, they certainly didn’t leave out the value of having proper cyber security and breach insurance in place to manage some of the costs that will come no matter what you do.
So, to reduce your exposures focus on doing the things you should be doing to secure your business and prepare for all of that to fail you in the end.
When you have a breach
There are a few things different between a BA and CE. It is important to remember that the ultimate responsibility for patient notification lies with the CE that was the initial contact with the patient.
BA breach issues
What does your BAA commit for you to do? Remember to follow the most stringent agreement you have signed when you create your response plans and set your policies and procedures.
Your CEs do NOT want to learn about a breach that you have experienced in the news or second handed. Keep in mind you could have many CEs to deal with so your plan should include someone who’s only job is to deal with them.
Know what to do before it happens don’t try to figure it out as you go. Also, have a plan that addresses a breach of your own vs one involving one of your vendors. Your chores will be different between the two. Have a plan to identify patients involved while forensics takes place. Do the assessment following the questions you should be able to answer honestly and it will make the decision easier.
Your entire process will need to include the ultimate decision – do your notify or not. Do the incident assessment following the questions that are part of the 4-factor assessment. You should be able to answer, honestly, and it will make the decision easier.
Even if your business isn’t one in healthcare you need to understand what data you capture and store. If you have 1000 identities on file and get hit by a data breach you could still face $141,000 in potential costs. For healthcare businesses, we should all be aware of the value of the data we have on file. There are reasons we need to protect that data well beyond worrying about HIPAA compliance and regulations. The damage to your patients and your business can be overwhelming. Have a plan, understand your risks and get insured.