Healthcare Informatics Magazine

Report: Healthcare Organizations Spend $12.5 Million a Year on Cybersecurity

October 4, 2017
by Heather Landi

Cybercrime is costing businesses, on average, $11.7 million a year, a 23 percent increase from $9.5 million in cybercrime-related spending last year. The cost has accelerated over the past five years and has increased 62 percent since 2013, according to the Ponemon Institute’s Cost of Cybercrime Study.

For the report, Ponemon Institute surveyed 2,182 security and IT professionals from 254 organizations about cybercrime spending, including costs associated with IT infrastructure, economic espionage, business disruption, exfiltration of intellectual property and revenue losses. The Ponemon Institute developed the report with Accenture, and the report aims to quantify the economic impact of cyber attacks and observe cost trends over time.

“Whether managing incidents themselves or spending to recover from the disruption to the business and customers, organizations are investing on an unprecedented scale—but current spending priorities show that much of this is misdirected toward security capabilities that fail to deliver the greatest efficiency and effectiveness,” the report authors wrote.

Looking at 15 different industry sectors, the study found that financial services has the highest cost of cybercrime, at $18.3 million, on average, a year, followed by utilities and energy, costing $17.2 million a year. For organizations in the healthcare sector, the average annualized cost of cybercrime is $12.5 million a year, making healthcare the fifth most costly industry.

With cyber attacks on the rise, the number of successful breaches per company each year has risen more than 27 percent, from an average of 102 to 130. Ransomware attacks alone have doubled in frequency, from 13 percent to 27 percent, with incidents like WannaCry and Petya affecting thousands of targets and disrupting public services and large corporations across the world, the study authors wrote.

For the report, researchers estimated the average cost of cybercrime for seven countries, involving 254 separate companies, for the past three years. Companies in the United States report the highest total average cost, at $21 million, and Australia reports the lowest total average cost, at $5.41 million.

Among the organizations the Ponemon Institute studied, information loss represents the largest cost component with a rise from 35 percent in 2015 to 43 percent in 2017.

To better understand the effectiveness of investment decisions, the study analyzed nine security technologies across two dimensions: the percentage spending level between them and their value in terms of cost-savings to the business. The findings illustrate that many organizations may be spending too much on the wrong technologies.

The report found that security intelligence systems (67 percent) and advanced identity and access governance (63 percent) are the top two most widely deployed enabling security technologies across the enterprise. These technologies also deliver the highest positive value gap with organizational cost savings of $2.8 million and $2.4 million respectively.

“As the threat landscape constantly evolves, these investments should be monitored closely so that spend is at an appropriate level and maintains effective outcomes,” the report authors wrote.

Aside from systems and governance, the report found that other investments show a lack of balance. Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls. Yet, the cost savings associated with technologies in this area were only fifth in the overall ranking with a negative value gap of minus 4. “Clearly, an opportunity exists here to assess spending levels and potentially reallocate investments to higher-value security technologies,” the report authors wrote.

The report authors also contend that the foundation of a strong and effective security program is to identify and “harden” the higher-value assets. “These are the ‘crown jewels’ of a business—the assets most critical to operations, subject to the most stringent regulatory penalties, and the source of important trade secrets and market differentiation. Hardening these assets makes it as difficult and costly as possible for adversaries to achieve their goals, and limits the damage they can cause if they do obtain access,” the report authors wrote.

The report also recommends that organizations build cybersecurity on a strong foundation of the “brilliant basics,” such as security intelligence and advanced access management; undertake extreme pressure testing to identify vulnerabilities more rigorously; and invest in breakthrough technologies.

 

 
