The saying "Penny wise and pound foolish" was common when I was growing up. It referred to people who purchased the lowest-priced brand, grew to become sorely disappointed with it and later had to pay the price for the higher-quality item they should have initially purchased.
The old adage was rekindled at a recent meeting I had with a vice president of a technology reseller. He spoke about the general lack of funds spent on cybersecurity in the healthcare industry and mentioned a couple of companies with lax security that had been breached.
He said, "They were penny wise and pound foolish."
He was right. The vice president and I both have noticed that many healthcare organizations are doing the minimum they can get by with to claim they have satisfied compliance requirements for HIPAA and PCI DSS, yet they aren’t fulfilling the intent of the requirements: securing patient data. That is not wise.
According to a 2015 Ponemon study, "All healthcare organizations, regardless of size, are at risk for data breach. Ninety-one percent of healthcare organizations had one data breach; 39 percent experienced two to five data breaches; 40 percent had more than five data breaches over the past two years."
The Ponemon Institute’s "2015 Cost of Data Breach Study: Global Analysis" finds that the healthcare industry has the highest per capita data breach cost, $363, more than twice as much as the retail industry’s per capita cost, $165. Of course, healthcare organizations aren’t the only ones that are guilty of not adequately securing customer data. But healthcare organizations should be extra careful about protecting their networks because their industry has the highest rate of attacks. Hackers can earn more than 10 times what they make selling credit card records in the underground cybermarket. There, stolen data – including information on a health insurance card, diagnosis codes, and billing information – is sold to people who create fake insurance cards to obtain medical treatment and prescription drugs, which are often sold to drug users and dealers.
The Global Analysis surveyed 350 companies that had had anywhere from approximately 2,200 to slightly more than 101,000 compromised records. The average global cost of a data breach per lost or stolen record was $154, but for healthcare organizations it was $363.
Ponemon makes the following recommendations to decrease the cost per record:
- Build a strong security posture headed for optimum security to reduce per-record loss cost by $14.14.
- Develop a Computer Security Incident Response Plan to reduce per-record loss cost by $12.77.
- Involve a Business Continuity Management team in your security program to reduce per-record loss cost by $8.98.
- Appoint a CISO (HIPAA requires an appointment of someone to be responsible for security) to reduce per-record loss cost by $6.59.
By conducting all four of the above actions, Ponemon finds that an organization can reduce the average per-record cost by $42.48. Taking all four actions requires an organization to have a strategy to protect information assets, online presence and IT infrastructure. When asked if they had such a strategy, below shows the percentage of respondents who answered "no":
- Strategy for information assets 55%
- Strategy for online presence 58%
- Strategy for IT Infrastructure 62%
So what does it cost to create a long-term security strategy and to implement the aforementioned actions? That depends on how vulnerable a network is. A risk analysis can show potential liabilities related to network vulnerabilities and can quantify the costs to mitigate them.
One thing that is clear. Absent such a strategy and a risk analysis, investments will be made based on subjective knowledge and the lowest cost. That is a classic example of the short term vision that leads to being "penny wise and pound foolish."