Cost of a Breach: Forensics & Notification

By Robert Lord
Co-Founder and CEO, Protenus 

Continuing our Cost of a Breach series that examines and breaks down the cost of a hospital data breach, this post will take a closer look at the first two steps a hospital or healthcare institution must take after a data breach has occurred: forensics and notification. In the aftermath of a data breach, the first thing a healthcare organization must do is determine what electronic health records (EHRs) were illegitimately accessed and who accessed them; this process is known as data forensics. Once the scope of the breach is known, an institution must then notify any affected patients and provide them with specific support services.

Forensic investigations are expensive and time-consuming, but HHS has put strict deadlines on how long healthcare institutions can wait before notifying affected patients. Thus, it is crucial for those institutions to be able to conduct an accurate forensic investigation as quickly as possible so they can create a complete picture of the incident and notify only those patients whose records were actually breached.

Forensics – Expensive and Time Consuming

Put simply, forensics is the process of determining what happened during a breach. A forensic investigation establishes what data was exposed, who obtained it, and whether that data was actually acquired or viewed rather than merely reachable. The findings are turned into a report that concludes whether a breach occurred and, if so, exactly which records were affected. To do this properly, forensic analysts need a large amount of data: a log of every user access to the records, so they can determine who accessed which records and when, and whether each access was legitimate; and the records themselves, so they can confirm what information those accesses actually exposed. Oftentimes, this means bringing in outside experts to help the organization assemble the forensic report.

Given all the data forensic investigators require, it should come as no surprise that these investigations are time-consuming and costly, and the larger the breach, the longer and more expensive it becomes. The Ponemon Institute estimates that a forensic investigation will cost a healthcare institution approximately $610,000. Breaking it down even further, Ponemon found that, in 2016, 15% of the total cost of a hospital data breach was spent on forensics, almost double what it was in 2007 (8%). Moreover, Ponemon estimates that an average breach costs a healthcare institution $402 per record, so a hospital will spend approximately $60 per record on forensics alone. Nevertheless, as we will discuss in more detail below, there is a way for healthcare organizations to reduce this cost, since the more information a hospital has on hand about the breach, the faster and more accurate its forensic investigation will be.

Notification – A Shorter Process But Just as Costly

Unfortunately, institutions do not always have time to conduct a thorough investigation because, once a breach has been discovered, the organization must notify every affected patient and often provide services to those patients, such as identity theft monitoring. HIPAA requires that affected patients be notified without unreasonable delay and in no case later than 60 days after the breach is discovered. Depending on the situation, the institution might also need to set up a toll-free number that people can call for more information about the breach. Finally, if the breach affected 500 or more individuals, the institution must also notify HHS at the same time it notifies patients, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that area as well. Ponemon estimates that notification will cost an institution approximately $560,000, but the cost can grow rapidly with the size of the breach. Anthem Inc. experienced a massive data breach in February 2015 that affected almost 80 million people. It cost Anthem $40 million just to pay for the first-class mail notifying individuals that their records had been stolen. In the months following the breach, the media reported that Anthem would spend more than $100 million on notifying affected individuals and providing free identity theft monitoring. This example may be an extreme one, but it illustrates how notification costs add up quickly when a large number of records are affected.

Forensics & Notification – A Strained Relationship

There is a close yet strained relationship between forensics and notification. A forensic investigation tends to be a lengthy process, but HIPAA requires a healthcare institution to notify patients within 60 days of discovering a breach, and many states have their own regulations that greatly shorten this timeline. As a result, institutions often feel pressure to meet notification deadlines and rush the forensic investigation. Without a complete picture, an institution can end up preemptively notifying patients whose records were never actually exposed, because it lacks accurate information on which records were breached. According to one report that examined data breaches across multiple industries, businesses that notified customers before a comprehensive investigation was complete increased the total cost of a breach by $15 per record. Thus, institutions must be able to conduct a thorough forensic investigation quickly, so that they notify only those patients whose records were breached while still meeting every notification deadline.
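To make the forensics and notification steps above concrete, here is an added example (not code from the original post or from Protenus) that scopes an incident from an EHR access audit log and then derives the notification consequences. Everything in it is constructed: the audit-log format, the account and patient identifiers, the compromise window, and the discovery date are assumptions for illustration. It also shows the point of the "strained relationship": scoping from the full history of a compromised account over-notifies compared with scoping to the confirmed compromise window.

```python
"""Scope a suspected EHR breach from an access audit log and work out the
HIPAA Breach Notification Rule consequences.

Added example. The log format, users, MRNs, window and discovery date are
all constructed for illustration; real EHR audit logs differ by vendor.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed audit log: timestamp, user account, patient MRN, action.
AUDIT_LOG = """\
2016-03-01T08:12:00 nurse_a MRN1001 VIEW
2016-03-01T08:15:00 nurse_a MRN1002 VIEW
2016-03-03T22:41:00 nurse_a MRN2001 VIEW
2016-03-03T22:42:00 nurse_a MRN2002 VIEW
2016-03-03T22:43:00 nurse_a MRN2002 PRINT
2016-03-04T01:05:00 nurse_a MRN2003 VIEW
2016-03-04T09:00:00 dr_b MRN1001 VIEW
2016-03-10T14:00:00 nurse_a MRN1003 VIEW
"""

# Actions that put PHI in the actor's hands; a bare login or a search that
# returned no record would not by itself expose a patient's data.
ACQUIRING_ACTIONS = {"VIEW", "PRINT", "EXPORT"}


def parse_log(text):
    """Parse the constructed space-separated log into event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append((datetime.fromisoformat(ts), user, mrn, action))
    return events


def scope_breach(events, compromised_users, window_start=None, window_end=None):
    """Return {mrn: [(ts, user, action), ...]} for accesses attributable to the
    incident: by a compromised account, of an acquiring kind, and (when the
    forensic timeline is known) inside the confirmed compromise window."""
    affected = defaultdict(list)
    for ts, user, mrn, action in events:
        if user not in compromised_users or action not in ACQUIRING_ACTIONS:
            continue
        if window_start is not None and ts < window_start:
            continue
        if window_end is not None and ts > window_end:
            continue
        affected[mrn].append((ts, user, action))
    return dict(affected)


def notification_plan(affected, discovery_date):
    """Derive notice obligations from the scoped patient set.

    Individual notice: no later than 60 days after discovery.
    HHS: contemporaneous notice at 500 or more individuals, otherwise an
    annual log. Media: more than 500 residents of one state or jurisdiction;
    this example assumes all patients live in one jurisdiction.
    """
    n = len(affected)
    return {
        "patients_to_notify": n,
        "individual_notice_deadline": discovery_date + timedelta(days=60),
        "hhs_notice": "contemporaneous" if n >= 500 else "annual log",
        "media_notice_required": n > 500,
    }


def compare_scoping(events):
    """Naive scoping (everything the account ever touched) versus scoping to
    the confirmed compromise window; returns (naive_mrns, scoped_mrns)."""
    naive = scope_breach(events, {"nurse_a"})
    scoped = scope_breach(
        events, {"nurse_a"},
        window_start=datetime(2016, 3, 3, 20, 0),
        window_end=datetime(2016, 3, 4, 6, 0),
    )
    return sorted(naive), sorted(scoped)


if __name__ == "__main__":
    evs = parse_log(AUDIT_LOG)
    naive, scoped = compare_scoping(evs)
    print("naive scoping would notify :", naive)
    print("window-scoped notification :", scoped)
    print("over-notified patients     :", sorted(set(naive) - set(scoped)))
    print(notification_plan(scoped, date(2016, 3, 11)))
```

Run stand-alone, the script shows six patients under naive scoping but only three once the timeline is pinned down, and a 60-day individual-notice deadline of 2016-05-10 for a discovery date of 2016-03-11. The `notification_plan` thresholds are the federal ones only; state deadlines, which the post notes are often shorter, would need to be layered on top.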

Proactive Patient Privacy Analytics is Crucial

Institutions that can identify and contain threats quickly and efficiently greatly reduce the cost of a hospital data breach. A patient privacy program can accurately identify real threats and escalate them to security officials, who can contain a threat before it does severe damage. Moreover, because such a program already records who accessed which records and when, forensic investigators have the data they need to determine quickly which records were breached and how. This, in turn, gives healthcare institutions a complete picture of the incident so they can notify the affected patients and take the proper steps to protect them.

Forensics and notification are two important parts of an institution’s response in the wake of a data breach, and a proactive privacy monitoring platform greatly reduces their cost, thereby reducing the cost of the data breach as a whole.

Be sure to check out the next post in our Cost of Breach series, detailing how lawsuits impact healthcare organizations affected by a data breach.


1 COMMENT

  1. Thank you for including the hyperlink on the text “60 days of a breach”.

    A common misconception I am running into is for whatever reasons, people within a CE once notified of a possible breach are making the incorrect assumption that the 60 day clock does not begin until after their risk assessment (LoProCo) has concluded whether or not a breach occurred.

    Postings like yours can help people know this is not the case and possibly avoid more issues than they are already dealing with by not completing the notifications in a timely manner with respect to the 60 day timeframe.
