Archive for March, 2011

The Remedy for Healthcare Data Loss: Encryption

It seems not a week goes by that we don’t hear about a data loss incident in the healthcare industry, be it at a provider or a payer. And despite the regular headlines, the number of data breaches in healthcare is still rising. Healthcare IT News reports that more than 6 million people have been affected by breaches of protected health information since the HITECH Act breach notification rule went into effect. And in 2010, the Identity Theft Resource Center (ITRC) recorded 160 data breaches in the health/medical category, more than double the 2009 total.

What’s more, data breaches in healthcare cost $301 per compromised record, which is $87 more per record than the cross-industry average of $214. For more stats on the cost of a data breach, check out the Ponemon Institute’s U.S. Cost of a Data Breach study.

Addressing “Requirement 0” – Finding Cardholder Data

One of the major changes introduced by version 2.0 of the PCI DSS is that responsibility for determining and documenting the PCI DSS scope has shifted from the Qualified Security Assessor (QSA) to the assessed entity (merchant, service provider, acquirer or issuer). Specifically, the PCI DSS states that “At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.” The resulting scope may include system components belonging to the entity and to third parties, including components that do not themselves store, process or transmit cardholder data but could affect the security of the cardholder data environment. Where an annual onsite assessment by a QSA is required, the QSA is now responsible for validating the scope the entity has documented. Because this obligation appears before the twelve numbered requirements of the PCI DSS, it has been referred to, somewhat tongue-in-cheek, as “Requirement 0.”
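Confirming scope means actually finding where primary account numbers (PANs) have ended up: not only the payment database, but logs, exports and spreadsheets nobody listed. As an added example that is not part of the original post and not PCI SSC material, the Python below scans text for candidate PANs, discards digit runs that fail the Luhn check, classifies the issuer from the leading digits, and reports each hit masked to first six and last four, the most PCI DSS Requirement 3.3 permits to display. The sample log lines, the location name orders.log and the function names are constructed for illustration; the card numbers are publicly documented issuer test numbers, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (rules out order IDs, timestamps, session tokens).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    location: str   # file name or data-store label the hit came from
    line_no: int    # 1-based line within that location
    brand: str      # issuer classified from the leading digits
    masked: str     # first 6 / last 4 only, never the full PAN (PCI DSS 3.3)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Coarse issuer classification from prefix and length (major IIN ranges).
    'unknown' is still reported by scan_text, since the candidate passed Luhn."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    if 16 <= n <= 19 and (digits[:4] == "6011" or digits[:2] == "65"
                          or 644 <= int(digits[:3]) <= 649):
        return "Discover"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, location: str = "<string>") -> List[Finding]:
    """Return one Finding per Luhn-valid candidate PAN, with line numbers for the scope record."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(location, line_no, brand_of(digits), mask_pan(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper for scanning a text file on disk (undecodable bytes are ignored)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(fh.read(), location=path)


# Constructed sample: an order log that should not hold PANs but does. Lines 1-3 carry
# issuer test numbers; line 4 is a 16-digit run that fails Luhn; line 5 is a 22-digit
# token that the regex never treats as a candidate. The 14-digit order IDs all fail Luhn.
SAMPLE_LOG = """\
order_id=20110315000123 customer=alice card=4111 1111 1111 1111 amount=42.10
order_id=20110315000124 customer=bob card=5555-5555-5555-4444 amount=9.99
order_id=20110315000125 customer=carol card=378282246310005 amount=120.00
order_id=20110315000126 customer=dave card=1234567890123456 amount=1.00
session_token=9876543210987654321098 ip=10.0.0.5
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG, location="orders.log"):
        print(f"{f.location}:{f.line_no} {f.brand}: {f.masked}")
```

Run against the sample, the scanner reports three findings (lines 1 to 3) and nothing for lines 4 and 5; the line 4 case is why a Luhn check, not just a digit-count regex, belongs in any discovery tool, and the masked output is what goes into the scope documentation so the record itself does not become another location of cardholder data.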

Cost of a Data Breach Climbs Higher

A common view among privacy advocates and people in the data protection community is that data breach costs will eventually start coming down because consumers will become somewhat immune to data breach news. The idea is that breach notifications will become so commonplace that customers simply won’t care anymore.

But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report (PDF), which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only the direct costs of a data breach, such as notification and legal defense costs, that hit a company’s bottom line, but also indirect costs such as lost business from abnormal customer churn. This year’s study produced some very interesting results; in my view, a few trends stand out.

Data Breach Poll: What’s the Cause? What’s the Cost?

Next week, Symantec will announce the results of the 2010 Annual Study: U.S. Cost of a Data Breach from the Ponemon Institute, which examines trends in costs and causes of data breaches, as well as best practices to avoid them. One aspect of this research examines the major causes of data breaches.

But, before we announce the official results, we want to hear from you.

Tell us what you think.

What caused more data breaches in 2010?

  • Negligence (75%, 18 Votes)
  • Malicious Attacks (17%, 4 Votes)
  • System Failure (8%, 2 Votes)

Total Voters: 24


Which major cause of data breach had the highest cost in 2010?

  • Negligence (59%, 16 Votes)
  • Malicious Attacks (26%, 7 Votes)
  • System Failure (15%, 4 Votes)

Total Voters: 27