Breaches: Assessing the Economic ImpactStudy Estimates the Cost of Incidents
What's the economic impact of information breaches? The Ponemon Institute, a research organization, makes an educated guess that the impact averages more than $2.2 million every two years for healthcare organizations.
But how did the institute come up with that figure? Researchers extrapolated it from the results of a small survey. Ponemon conducted detailed interviews with executives at 72 healthcare organizations that opted into the institute's second annual benchmark study, sponsored by ID Experts. Ponemon used its proprietary database of 481 organizations to reach out to potential participants.
More than half of organizations surveyed say they have little or no confidence that their organization could detect all patient data loss or theft.
In the interviews, executives were asked to describe the economic impact of data breach incidents experienced by their organization over the past two years, choosing from eight ranges. The most common answer, selected by 26 percent, was $200,001 to $500,000. Another 22 percent selected $1 million to $10 million. Using "an extrapolation method," researchers estimate that the average two-year cost per organization is $2.25 million.
Whether you buy into that figure or not, it's clear that the economic impact of breaches is substantial. And this survey, like many others, shows that not enough is being done to detect and prevent breach incidents. For example, more than half of organizations surveyed say they have little or no confidence that their organization could detect all patient data loss or theft.
Breach Survey Results
Here are other highlights from the study:
- On average, organizations surveyed have had four data breach incidents in the past two years, up from three in last year's study.
- The average number of lost or stolen records per breach is 2,575, up from 1,769 in the previous study.
- The top three causes for a data breach are lost or stolen computing devices, third-party mistakes and unintentional employee action.
- Insufficient budgets and inadequate risk assessments are cited as the two greatest breach prevention weaknesses.
- Some 81 percent of those surveyed use mobile devices to collect, store or transmit patient information, but 49 percent say they're doing nothing to protect these devices.