Ponemon Institute Data Breach Study: Implications for Healthcare Providers - ID Experts

CLIENT BRIEF
February, 2010

Ponemon Institute Data Breach Study:
Implications for Healthcare Providers

Key findings of Ponemon 2009 Cost of Data Breach Study

The Ponemon Institute recently published its 2009 Annual Study: Cost of a Data Breach:
Understanding Financial Impact, Customer Turnover, and Preventative Solutions. The study is the
fifth in an annual series, and it includes several findings that should be instructive to organizations
entrusted with the personally identifiable information (PII) and protected health information (PHI) of
customers, patients, clients, policyholders and employees.

The study identifies several significant trends that are worth noting:

        Healthcare organizations experience post-breach customer churn rates that are 62% higher
        than average.

        Outside organizations are responsible for 42% of all data breaches. In the case of
        healthcare organizations, these are typically their HIPAA business associates.

        More than 82% of the companies surveyed had more than one data breach during 2009
        involving 1,000 or more records containing PII or PHI.

        More than 44% of organizations surveyed engaged an outside consultant to assist them with
        the management of the data breach incident, and found that using an outside expert reduced
        the per-victim cost by 26%.

        "Hiring outside IT consultants is common and can greatly lower data breach costs. More than
        4 out of 10 participating organizations engaged outside consultants or experts to assist in
        data breach response"

The study is available for download at

Implications for Best Practices
These findings have significant implications for the best practices that should be adopted by
information security and privacy professionals responsible for managing data breach risks within their

Managing Third Parties
With 42% of data breach incidents resulting from the loss of personal information at a third-party
organization, it is even more urgent that organizations scrutinize the data security technology and
processes adopted by their trusted outside vendors, and that business contracts between the
organizations specifically address who will bear the costs of, and have responsibility for, data
breach incidents. In healthcare, this implies updating business associate agreements and
developing mechanisms to evaluate business associates' compliance with the HIPAA Security and
Privacy Rules.

Preparation for Breach Response
Because 82% of organizations surveyed had more than one significant data breach during 2009, the
implication is that, despite best efforts, data breach incidents are close to inevitable, and
organizations should plan for them carefully, just as they do for fire or natural disasters. Dr. Ponemon
recommends, and ID Experts concurs, that organizations have a comprehensive incident response plan
in place so that they are sufficiently prepared for an incident. This careful preparation can result in
lower costs of responding to a data breach.

Use an Experienced Outside Consultant
44% of organizations turned to an outside consultant when dealing with a data breach incident. Those
that did had significantly lower costs, 26% less, associated with their data breach response. This
finding is consistent with the value derived from using a trusted advisor that is experienced and
knowledgeable in data breach remediation best practices as well as the myriad state and federal laws
that govern data breach notification. Increasingly, organizations are developing agreements with such
outside consultants in advance of an incident, so that they can "hit the ground running" if and when an
incident occurs. In healthcare, this can be even more pressing because of the regulatory requirement*
that they perform a formal "risk assessment" when any incident is discovered in order to determine
whether it represents a "risk of harm" to their patients.

        "Abnormal churn or turnover of customers resulting directly from the data breach incident
        appears to be the main driver for data breach cost...the highest churn rate is in
        pharmaceuticals, communications and healthcare"

In Summary
Our goal at ID Experts is to help our clients prevent data breach incidents. But given that such
incidents now appear to be a fact of life for most organizations, it is prudent that we work with our
clients to ensure a comprehensive incident response plan is created and in place, in order to avoid the
confusion and uncertainty that often accompany such events. Additionally, our clients rely on us to
provide customized data breach remediation services that follow best practices and ensure regulatory

* The requirement for an incident "risk assessment" is in the Interim Final Rule issued by the Department of
Health and Human Services as guidance to healthcare organizations for compliance with the Health
Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the Stimulus Bill in
February, 2009.

About ID Experts®
ID Experts is the leader in comprehensive data breach solutions that provide the most positive
outcomes. The company has managed hundreds of data breach incidents, protecting millions of affected
individuals, for leading healthcare organizations, corporations, financial institutions, universities
and government agencies. In healthcare, the company contributed to relevant legislation and rules in
HITECH and is a corporate member of HIMSS. The company provides comprehensive data breach solutions,
risk assessment, forensic investigation, credit and identity monitoring, and fully-managed victim
identity restoration. ID Experts is actively involved with industry organizations including the
ANSI/Identity Theft Prevention and Identity Management Standards Panel, the International Association
of Privacy Professionals, the Internet Security Alliance, and the Santa Fe Group, and authored the
Identity Crime Victim's Bill of Rights. For more information, visit

Contact Us
ID Experts
8625 SW Cascade Avenue
Beaverton, Oregon 97008

p: 503.726.4500
f: 503.726.4527
