Financial Consequences of Cyber Attacks Leading to Data Breaches in Healthcare Sector
The healthcare sector is identified as particularly vulnerable to digital data breaches and to the damage caused by illegal use of personal and confidential information. Facing such a dangerous threat, medical entities need to estimate the financial consequences of a potential cyber attack leading to a breach of patients' data. The paper's aim is to provide an overview of the consequences of digital data breaches in the healthcare sector and their financial impact, comparing the Polish and global perspectives. The research method used was the analysis and comparison of international literature, reports, case studies and statistics concerning data breaches in the healthcare sector, as well as new legal regulations applicable in the European Union. The results of the research show that estimates of total digital data breach costs vary widely between reports and analyses. The main reasons are the application of different estimation methods and the lack of complete and reliable databases due to insufficient disclosure of cyber incidents. In addition, the most important conclusion of the paper is that there is an urgent need to conduct research concerning probable data breach costs in the Polish healthcare sector, since studies pursued by renowned organisations have not covered Poland so far.