Healthcare data breaches are among the most costly of any industry, and phishing attacks are the number one cause.
Security technologies, while essential, are not enough to mitigate the threat posed by phishing. Over 90 percent of data breaches contain a phishing component, and the average cost to remediate a data breach is $3.86 million.
However, the silver lining is that with an effective security awareness training program and by responding to user reported threats, these incidents will become significantly less prevalent. For this reason, it is critical that employees are prepared to identify and report phishing emails when they are missed by filtering technologies.
The Cost of Data Breaches
| Recent Healthcare Data Breach | Records Stolen | Estimated Cost |
| Anthem Blue Cross | 78.8 Million | $23.3 Billion |
| Premera Blue Cross | 11 Million | $2.8 Billion |
| Banner Health | 3.62 Million | $9.3 Million |
Data Breach Risk and Phishing
Based on Phishlabs' analysis, the average phishing susceptibility rate of healthcare organizations is approximately 30 percent. That means for every 100 malicious emails received by employees, 30 will result in an opened link/attachment or similarly undesirable action.
| Before Training | After Training | |
| Susceptibility Rate | 30% | 5% |
| Malicious Emails in User Inboxes (Daily) | 124 | 124 |
| Security Incidents (Daily) | 37 | 6 |
| Security Incident (Annually) | 13,305 | 2,190 |
In-House vs. Managed Service
The proof is in the pudding. Security awareness training results show that employees drastically improve their ability to identify and report malicious emails. Due to shortcomings from network technology, it's not enough that users are able to simple identify and ignore a phish, they must also take action and report the suspicious content, too.
Reported phishing emails are instrumental in the prevention and early identification of breaches. However, in-house security teams are typically unequipped to respond promptly to reported emails due to time and resource constraints. Based on the numbers below, using a partner to offset these gap areas will reduce incidents by as much as 80 percent.
| Phishing Threat Analysis Provisions (3-year cost estimate) |
In-house 8 am - 5 pm | In-house 24-7 | PhishLabs |
| Est. Reported Emails (Annually) | 27,000 | 27,000 | 27,000 |
|
Analysis and Response Time |
30+ minutes/email + backlog | 30+ minutes/email + backlog | Near Real-time Response* |
| Minimum FTEs required by United States Health Systems |
One Manager |
One Manager |
None |
| 3-Year Cost | $900,000 | $1.2 Million | $315,000 |
*10 min median response time to confirm an email as malicious and take action to deliver IOCs and other actionable intelligence
**Managers est. $200,000/year, junior analysts est. $100,000/year (inc. salary, bonus, benefits, training, etc.)
PhishLabs offers a fully managed, customized anti-phishing training solution and a team of experts to monitor, analyze, and help mitigate employee-reported emails 24/7/365. Partnering with Phishlabs offers healthcare organizations a way to drastically reduce cyber incidents without overstretching internal security resources.
Attending HIMSS19? Join our presentation, The Phishing Incident Response Playbook. Most organizations understand the threat posed by phishing and have developed some form of anti-phishing program. However, many do not have resources and processes in place to quickly analyze and respond to all messages reported by users. Join this session to learn how to uncover, analyze, and contain phishing incidents. You can find us on Tuesday, February 12, 10:15 am in the Cybersecurity Command Center (Theater B).