Archive for the ‘Practice Management’ Category

Entegration, Inc. announces new client – RMA of New York


Entegration, Inc. announces new client
Reproductive Medicine Associates of New York


Morristown, NJ – Sep 29, 2011 – Entegration, Inc. (Entegration) is pleased to announce that Reproductive Medicine Associates of New York (RMA of New York) has signed on as a new client. RMA of New York is a full-service fertility center specializing in in vitro fertilization (IVF) since 2001. Entegration will provide IT services such as network support, electronic medical record (EMR) support, practice efficiencies and compliance services.

“Entegration brings an extensive knowledge of both IT services and support of fertility and IVF practices,” stated Dr. Alan Copperman of RMA of New York. “We are pleased to be able to leverage their skill set and knowledge as RMA of New York continues to grow.”

Entegration will provide IT services to the RMA of New York’s midtown Manhattan location as well as the Westchester and Long Island locations.

“RMA of New York is a large reproductive medical practice that relies on technology to provide a high level of patient satisfaction and care,” said Art Gross, Entegration President. “Our experience meeting the IT needs of reproductive medical practices will allow us to provide the highest level of support and to provide guidance and technology direction as RMA of New York continues to grow. We are very excited to work with such a premier organization.”

About Reproductive Medicine Associates of New York (RMA of New York)
RMA of New York is the Reproductive Endocrinology and Infertility division of Mount Sinai Medical Center in New York City and has been caring for patients in its midtown Manhattan location since 2001, with additional locations in Westchester and Long Island, New York. RMA of New York is a full-service fertility center, specializing in in vitro fertilization (IVF), egg donation, egg freezing, reproductive surgeries and male reproductive medicine. Highly individualized patient care is offered through seven reproductive endocrinologists, a urologist, a complementary care team and highly qualified staff. For more information, please call 212.756.5777 or visit www.rmany.com.

About Entegration, Inc.
Entegration offers a full range of Information Technology (IT) services to healthcare organizations. Entegration has focused on healthcare and medical practices since it was founded in 2000. Entegration provides its advanced knowledge and expertise to clients that range from startup medical practices to large established multi-physician, multi-location medical practices. Entegration provides HIPAA security services through its innovative HIPAA Secure Now! service. For more information visit www.entegration.net and www.hipaasecurenow.com.

###

Contact Information
Entegration, Inc
Diana Mazzarella (Operations Manager)
877-275-4545 x87
dianam@entegration.net
www.entegration.net


Entegration joins MedTech Group Purchasing Organization

Entegration, Inc. Joins MedTech For Solutions Group Purchasing Organization as a New Vendor
Morristown, NJ, June 04, 2011 –(PR.com)– Entegration, Inc. (Entegration) is pleased to announce that it has joined MedTech For Solutions Group Purchasing Organization (GPO) (MedTech) as a new vendor. This partnership will enable Entegration to provide Information Technology (IT) services to the GPO, a member network of more than 270 medical practices, clinics and laboratories, a majority of which specialize in reproductive medicine.

“Entegration brings the IT component that was missing to the GPO members,” stated Dwight P. Ryan, MedTech For Solutions President, and CEO. “Having worked with Entegration in the past I am happy to be able to offer their services and knowledge of the specialized technology needs of reproductive medical practices.”

Entegration will provide a wide range of services to the MedTech GPO including: electronic medical records (EMR) selection, implementation and support; network installation and support; helpdesk services; email implementations; remote access solutions; network security; and encryption services for email, laptops, and desktops.

Additionally, Entegration provides Health Insurance Portability and Accountability Act (HIPAA) security compliance services through its innovative HIPAA Secure Now! service. HIPAA Secure Now! is the first comprehensive and affordable HIPAA security service that assists medical practices with HIPAA compliance and protecting patient information. In light of recently increased HIPAA enforcement, medical practices need to evaluate how they are protecting patient information and focus on being compliant with HIPAA regulations.

“We are thrilled to be able to provide our skills and resources to the MedTech GPO member practices,” said Art Gross, Entegration President and COO. “We have been supporting reproductive medical practices since Entegration was founded in 2000 and feel we are a great fit for the MedTech GPO.”

About MedTech For Solutions, Inc.
MedTech For Solutions offers a full range of services to specialty medical practices, with emphasis on ART practices and laboratories. The MedTech For Solutions Group Purchasing Organization (GPO) provides practices significant savings for all medical, pharmacy, laboratory, capital equipment, and office purchasing needs. There is no cost to join the GPO. MedTech’s Laboratory Solutions consulting division is dedicated to working with practices in the building of new laboratories and the improvement of clinical outcomes of existing facilities by establishing and implementing state-of-the-art embryology practices and optimizing ART laboratory operations. Additionally, MedTech offers practice development, recruitment and risk management services. For more information visit www.medtech4solutions.com.

About Entegration, Inc.
Entegration offers a full range of Information Technology (IT) services to healthcare organizations. Entegration has focused on healthcare and medical practices since it was founded in 2000. Entegration provides its advanced knowledge and expertise to clients that range from startup medical practices to large established multi-physician, multi-location medical practices. Entegration provides HIPAA security services through its innovative HIPAA Secure Now! service. For more information visit www.entegration.net and www.hipaasecurenow.com.

###

Contact Information
Entegration, Inc
Diana Mazzarella (Operations Manager)
877-275-4545 x87
dianam@entegration.net
www.entegration.net

3 things you must do after implementing an EHR

You have just implemented a new electronic health records (EHR) system, congratulations! You probably spent anywhere from $75,000 – $500,000+ on hardware, software, licenses, and implementation labor.
Hopefully you qualify for EHR meaningful use incentive funds to offset some of those expenses. While you are looking to stop spending money and to start recouping some of the expense, I am going to tell you about 3 additional products and services that you must consider.

The 3 products and services are:

  1. Offsite data backup
  2. HIPAA Security
  3. Disaster Recovery

I realize those 3 items are not sexy and will not help increase your revenue. I think that is one of the reasons that many medical practices don’t sign up for these services. The 3 services are about protecting your EHR, your data, your patients’ information and your practice.

Offsite Data Backup

“Why do I need offsite data backup when we are backing up to a tape drive?”

I can’t tell you how many times I have had this conversation. Backing up your data nightly to a tape drive is a good practice but unfortunately backup tapes are not completely reliable. Every time we have to restore a file, database or other data from a backup tape, I hold my breath and pray that the data is on the tape and we can retrieve it successfully.

If you are backing up to tape, the responsibility to switch tapes on a daily basis is usually assigned to an individual in the practice. From experience we have seen that people forget to switch tapes (trust me, this happens more than you can imagine). In addition, tapes are used over and over and eventually lose their ability to read and write data reliably. Hence the praying comment: when we need the data, we hope the tape has not reached the point where we cannot successfully retrieve it.

Offsite data backup is a very straightforward process and very similar to backing data up to tape. On a nightly basis the data is backed up but instead of being backed up to tape it is backed up to a server in a vendor’s data center. Here is how it works.

  1. On the system that you are backing up, there is a backup agent (software program) that starts to back up the data.
  2. The backup agent makes a secure encrypted connection via the Internet to a server (or servers) at a vendor’s data center.
  3. The data is copied to the vendor’s servers and is stored there in a secure encrypted format.

As you can see, it is critical to have an Internet connection in order to perform the offsite backup. The offsite data backup is scheduled and runs automatically, so there is no human intervention required. This eliminates the issue of someone forgetting to change the backup tape.

My recommendation to most practices is to use offsite data backup as a supplemental service in addition to doing nightly tape backups.  If you do both then you have your data in 2 different places and you increase your chances that the data will be available if and when you need it.

On average, offsite data backup costs around $2/GB. So if you are backing up your EHR and you have 20GB of data it will cost you around $40/mo. I think that is a very reasonable amount to help ensure that your data is protected. To help convince you that offsite backup is worth the additional expense, let’s look at a scenario that I have seen happen multiple times.

There is a really bad storm with heavy rain and lightning. The storm knocks out power to your office and, although your EHR server is on an uninterruptible power supply (UPS), the server does not shut down cleanly (it immediately loses power) and in the process it corrupts the EHR database. When power is eventually restored and the server comes back online, the EHR program generates errors stating that it cannot read the EHR database (it is corrupt). Imagine that you have been using the EHR for 1 month and every patient that you have seen is in your EHR (go ahead and imagine you have been using it for over a year; the amount of records would be even scarier). Your IT company comes in to help restore the EHR database from tape and get you back up and running. When the IT company inserts the backup tape they cannot locate the EHR database. It turns out that the person who was responsible for changing the tape forgot to do it the last 2 evenings. They are able to restore the database from 2 days ago, but all the data that was entered for the past 2 days is lost. Think about having to recreate that data. You are using an EHR, so do you have paper notes on each patient? Probably not. The amount of time and effort you and your staff will have to spend to recover from the lost data makes the $40 look cheap.
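The post describes the offsite job as an agent that runs on a schedule with no human intervention, and the storm scenario shows the two ways a backup lets you down: the newest copy is older than you think, and the copy that exists cannot be read. The following script is an added example (not the author's or any vendor's code) of the checks a practice or its IT company should run against a backup set before trusting it: it records a SHA-256 digest per file in a manifest when the backup is taken, then flags a set that is older than the expected nightly window or whose stored files no longer match their digests. Encryption and transport to the vendor's data center are left to the backup agent and are not modelled; all names, paths and the sample EHR files are this example's own constructions.

```python
"""Added example: backup set with a manifest, plus a freshness and integrity
check that catches a skipped backup and a copy that no longer reads back
correctly. Encryption/transport are assumed to be handled by the vendor's agent."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in 1 MiB chunks so a large database fits in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(source_dir: Path, dest_dir: Path, now: datetime) -> Path:
    """Copy every file under source_dir into a timestamped backup set and
    record a digest per file in manifest.json (assumed layout for this example)."""
    target = dest_dir / now.strftime("%Y%m%dT%H%M%SZ")
    target.mkdir(parents=True)
    files: Dict[str, str] = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        files[rel] = sha256_file(dst)
    manifest = {"created": now.isoformat(), "files": files}
    (target / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return target


def verify_backup(backup_dir: Path, now: datetime,
                  max_age: timedelta = timedelta(hours=36)) -> List[str]:
    """Return the problems found; an empty list means the set is usable.
    36 hours tolerates a nightly job that ran late but flags a set that was
    skipped for a whole day, the equivalent of the tape nobody changed."""
    manifest_path = backup_dir / "manifest.json"
    if not manifest_path.exists():
        return ["manifest.json missing: backup never completed"]
    manifest = json.loads(manifest_path.read_text())
    problems: List[str] = []
    created = datetime.fromisoformat(manifest["created"])
    if now - created > max_age:
        problems.append(f"stale: newest set created {created.isoformat()}")
    for rel, digest in manifest["files"].items():
        copy = backup_dir / rel
        if not copy.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(copy) != digest:
            problems.append(f"corrupted: {rel}")
    return problems


def newest_backup(dest_dir: Path) -> Optional[Path]:
    """Timestamped folder names sort chronologically, so the last one is the newest set."""
    sets = sorted(p for p in dest_dir.iterdir() if p.is_dir())
    return sets[-1] if sets else None


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the last backup ran two nights ago; today the
    database must be restored, and one stored file has gone bad."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr"
        (source / "notes").mkdir(parents=True)
        (source / "ehr.db").write_bytes(b"constructed sample EHR database")
        (source / "notes" / "visit.txt").write_text("constructed progress note")
        offsite = root / "offsite"
        two_nights_ago = datetime(2011, 9, 27, 2, 0, tzinfo=timezone.utc)
        backup = run_backup(source, offsite, two_nights_ago)
        results = {
            # checked the next morning: fresh and intact
            "fresh": verify_backup(backup, two_nights_ago + timedelta(hours=6)),
            # checked two days later, as in the storm scenario
            "stale": verify_backup(newest_backup(offsite), two_nights_ago + timedelta(days=2)),
        }
        # simulate worn media or a partial write: the stored database no longer matches
        (backup / "ehr.db").write_bytes(b"garbage")
        results["corrupt"] = verify_backup(backup, two_nights_ago + timedelta(hours=6))
        return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Running the file prints one line per scenario: the morning-after check passes, the two-days-later check reports the stale set, and the damaged copy is reported as corrupted rather than discovered during the restore. The same two checks (age of the newest set and digest of every file) are what an automated alert should be built on, since "the job is scheduled" only removes the human from the copy step, not from noticing when it silently stops working.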

HIPAA Security

The second service I urge you to consider is HIPAA Security. You are using an EHR and all of your patient information moving forward will be electronically stored. You may also have interfaces with vendors for electronic lab results, digital x-rays, ultrasounds, etc. For each patient there is a lot of electronic information that has to be protected.

Most EHR vendors do not address HIPAA security when they are training employees on the new EHR. If they do it is not in depth and there is a good chance that your employees will not understand what is required by HIPAA to protect patient information.

HIPAA security is about protecting patient data in electronic format. I am recommending you sign up for a HIPAA security service not only to comply with the HIPAA regulations but to ensure that your entire staff is educated on exactly what is required to protect patient data and understands the best practices for protecting it. More importantly, HIPAA security is a defensive measure to help protect your patients and your practice against a data breach. A lost laptop or USB drive with patient information could have a serious financial impact on an organization. Imagine a data breach that costs your practice $1,500,000. If you think that number is too high, consider the regulatory fines, patient breach notification expenses, lost revenue from patients leaving the practice, IT-related expenses to remediate the breach, etc. Even if the expense is half of that, at $750,000, it can have a significant impact on an organization. And if you are thinking that your general liability insurance policy will cover most of those expenses, you should check your coverage. Most policies do not cover HIPAA-related expenses (although there are supplemental insurance policies that do cover HIPAA and cyber expenses).

There are many HIPAA security services on the market, but on the whole you should look to accomplish the following:

  1. Implement policies and procedures to ensure that patient information is properly protected
  2. Perform a risk assessment to understand where you are at risk in protecting patient information and what additional security measures you should implement to better protect the information.
  3. Train your entire staff on exactly what HIPAA security is, what they should be doing to protect patient data and what they should not be doing that could put patient data at risk.

HIPAA security will range in costs but for some real numbers this service will cost $1,750 to provide the 3 items above. (Full disclosure, HIPAA Secure Now! is a service of Entegration, Inc.).

As with the justification for offsite data backup, spending $1,750 to help protect you from fines and expenses that could be up to 100 times more expensive seems like a good investment.

Disaster Recovery

The third and final service I will urge you to consider is disaster recovery for your EHR and network.

I will start off by acknowledging that the odds of a disaster are slim, yet we have seen the effects of earthquakes and tornadoes in the past few months. And disasters are not confined to natural disasters. Fires and floods occur all the time. Broken water pipes and sprinkler systems can destroy servers and computing equipment.

What exactly is disaster recovery? Simply stated, it is the ability to continue to utilize your applications in the event that your primary servers, network and applications are either destroyed or made unavailable by some event. Disaster recovery is ensuring that you can run your EHR on another server and access that server in the event of a disaster.

I wrote a detailed blog article on cheap disaster recovery which you should read.  But from a high level view, disaster recovery is:

  1. Ensuring that you have another server (or servers) in another physical location that you can use in the event your primary server is unavailable
  2. Copying the data to the disaster recovery server(s) and keeping it up to date
  3. Establishing a method of accessing the disaster recovery server
  4. Having a detailed procedure in place that defines exactly what is needed to utilize the disaster recovery server(s) and what your employees need to do to operate in disaster recovery mode

If you go back to the blog article that I wrote on cloud based disaster recovery, the prices range from around $100/month/server. So if you need to ensure that you have your EHR server and your Domain Controller available in the event of a disaster, it will cost you around $200/mo.

Again let me define a scenario that helps justify the expense.

Let’s assume a water pipe bursts in the office above you and overnight hundreds of gallons of water leak onto your servers, destroying them. Everything else in your office is wet but usable. After a couple of days of clean up you are ready to see patients, but you no longer have functional servers and no functional EHR. You can order new servers from Dell or HP, but even with overnight shipping there is a chance you will not receive them for 10-14 days. Can you go without your EHR for that long? With cloud based disaster recovery you can be up and running in as little as 4 hours. You can even access the EHR if you need to see patients in another practice’s office while you repair your own. Again I argue that $200/month is worth the expense to provide the safety net and flexibility to recover in the event of a disaster.

Summary

The 3 services that I described will protect your medical practice. Each of the services can be considered a safety net and operational insurance to protect you and to avoid events that can have significant financial impact to your organization. Take a step back and think of how much money you just spent on your EHR. The services that I recommend will cost you under $5,000 the first year (and half of that moving forward) and will help protect your investment in your EHR.

I would love to hear your thoughts and help with any questions you may have. Use the comments section below to give feedback.


Will the migration to EMRs thin the herd?

Almost like the Earth spinning and no one noticing it, there is a major shift in health care IT going on. On the surface you can’t miss the chatter: talk of stimulus funds, meaningful use requirements, cloud based EMRs, free EMRs, iPads, smart phones, and the list goes on. Hundreds and thousands of medical practices, ranging from 1-3 employees up to hundreds of employees, are in the process of either evaluating or transitioning to electronic medical records. And as these organizations continue their transition from paper based records to electronic medical records, the impact will be felt for years to come.

It is exciting to be a part of something that will have a lasting impact. But at the same time I think that there will be a lot of fatalities in this process. On the surface the migration to electronic medical records seems pretty straightforward.

  1. Select an EMR vendor
  2. Purchase equipment
  3. Install equipment
  4. Train staff
  5. Start using new EMR

But the reality is it is far from easy. There are hundreds of EMR vendors; some good, some not so good. EMR implementations fail at a very high rate. The complexity of setting up a network to support an EMR is daunting. Integrating servers, network, tablets, smartphones, lab equipment, etc. can be a challenge at best and a disaster at worst.

And if a practice makes it this far, there are the concerns with patient records and HIPAA security. These practices that are new to electronic medical records have not been tasked with protecting electronic assets in the past. This skill set is not easily acquired, nor is it cheap. Network and data security is not a part-time job and it should not be added onto someone’s job responsibilities, especially if they are not IT savvy.

And will these practices understand the risks of implementing technology to support electronic medical records? Will they implement the appropriate data backup solutions and disaster recovery solutions to ensure that a disaster does not cripple their ability to use and access the electronic medical records? Will they understand that most small businesses never recover from a disaster that impacts IT?  Will they make the appropriate investments to ensure that a disaster does not put them out of business?

It is almost like a herd being led into an ambush; some of these organizations will be among the fatalities. A failed EMR implementation can cost hundreds of thousands of dollars. Not many smaller medical practices can take that financial impact and still survive. A data breach or serious HIPAA violation can have a huge financial impact on an organization. An unplanned-for disaster can put an organization out of business.

So as the headlines talk of meaningful use stage 2 and 3, Medicare EHR Incentive Programs, Attestation, the next greatest tablet, mobile health apps, and cloud based EMRs, remember that the impact to some health care organizations will be fatal. Can the quest for electronic medical records be similar to a herd being led into an ambush? Will we look back and see that 2011-2013 led to a thinning of the herd? Will these fatalities lead to more hospitals and larger organizations consolidating smaller medical practices? Electronic medical records are needed and provide an enormous opportunity for the entire health care system, but without proper guidance and support many medical practices will be casualties in the process.


EMRs are like guns in the wrong hands

Putting a gun in an inexperienced person’s hands is a very bad idea. Hand guns can be very safe if safety precautions are taken. Experienced gun owners take the right steps to ensure that the gun does not cause harm. Not storing a loaded gun, using safety locks and ensuring that guns are stored in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time. They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices. These organizations are used to protecting patients’ information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and taking other general precautions to protect paper based records.

The switch to electronic medical records is a new adventure for some of these organizations. They probably spent months evaluating, planning and implementing their new EMR. The first weeks and months of an EMR implementation are usually a very harrowing experience. New systems, new workflows, hardware and software issues all put a lot of stress and strain on an organization’s employees. Doctors, nurses and the entire staff usually struggle in the beginning of an implementation. In addition, the total amount of training that the EMR vendor provides is on average 1-2 hours per employee (and that number may be high in some cases). The training is usually focused on how to use the new EMR: how to login, how to enter progress notes, how to e-prescribe, etc. Little or no training is provided on how to protect patients’ information.

The topics of securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, performing a risk assessment and other topics are usually not discussed in the EMR training. Some may argue that the EMR vendor should address these topics, but that is for another discussion. The reality is that you have an organization that is struggling with learning and using a new EMR and has little or no knowledge of computer and patient data protection. Is it any wonder why we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperienced employees are very dangerous to the organization’s patients. Just as dangerous as putting guns in an inexperienced person’s hands.


Stop using easy passwords

Recently Gawker Media had a security breach that exposed the email addresses and passwords of registered users that left comments on their sites. Gawker Media runs several sites including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. If you are a registered user of any of these sites it is strongly suggested that you change your password on all websites that you are registered at (e.g. amazon.com, walmart.com, etc.). Many people use the same password across several or all the sites that they register with. You can check to see if your password has been exposed by going to http://www.didigetgawkered.com/ and putting in your email address.

The Wall Street Journal has an interesting article on the top 50 passwords that people used at the Gawker Media sites.  The passwords are below.

The message here is if you are using any of the passwords in the above list, there is a good chance that someone can easily guess them.

There are two main takeaways from the Gawker Media security breach:

  1. Do not use the same email and password across websites. Each website that you register at should have a unique password. Said another way, the password you use at Amazon.com should be different than the password you use at Walmart.com.
  2. Make sure you use complex passwords. Passwords should have a mix of letters, numbers and special characters. A good complex password is one that you will remember but someone cannot easily guess. I like to tell my clients that they should pick a sentence and then use the first character of the words that make up the sentence. For example: My son Chris is 10 years old – could make a password of: MsCi10y@. That is a good complex password that mixes upper and lower case letters, numbers and special characters. It is also pretty easy to remember (assuming you have a son Chris that is 10 years old).

Make sure you are careful in the passwords that you use, and make sure that you pass this information along to your employees. They should be using unique and complex passwords for all the websites AND applications that they use.
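The two takeaways above (no reuse across sites, and a sentence-initials password that mixes character classes) are easy to state and easy to get slightly wrong, so here is an added example, written for this page and not taken from the post, that turns them into checks. The initials function applies the sentence trick exactly as described (numbers are kept whole, as in the post's own example), the complexity check reports which character class is missing rather than a bare pass/fail, and a reuse check takes a small inventory of site/password pairs and groups the sites that share one. The short common-password set is a constructed stand-in for the Wall Street Journal top-50 list the post refers to, which is not reproduced here; function names are this example's own.

```python
"""Added example: sentence-initials password construction, a character-class
complexity check, and a reuse check across sites. Names and sample data are
this example's own constructions."""
import re
import string
from typing import Dict, List

# Constructed stand-in for the published top-50 list (a handful of well-known entries).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein", "monkey"}


def initials_password(sentence: str) -> str:
    """First character of each word; words that are numbers are kept whole.
    'My son Chris is 10 years old' -> 'MsCi10yo' (the post then swaps the
    final letter for '@' to add a special character)."""
    parts: List[str] = []
    for word in sentence.split():
        token = word.strip(string.punctuation)
        if not token:
            continue
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts)


def check_password(pw: str, min_length: int = 8) -> List[str]:
    """Return every complexity rule the password fails; empty list means it passes."""
    problems: List[str] = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def find_reused(credentials: Dict[str, str]) -> List[List[str]]:
    """Group sites that share a password (takeaway 1). Each inner list is one
    password's set of sites; only groups of two or more are reported."""
    by_password: Dict[str, List[str]] = {}
    for site, pw in credentials.items():
        by_password.setdefault(pw, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    raw = initials_password("My son Chris is 10 years old")
    print(raw, check_password(raw))          # MsCi10yo ['no special character']
    print("MsCi10y@", check_password("MsCi10y@"))  # []
    print("password", check_password("password"))
    # Constructed inventory: the same password used at two retailers.
    inventory = {"amazon.com": "MsCi10y@", "walmart.com": "MsCi10y@", "bank.example": "Wg2tb@9am"}
    print(find_reused(inventory))            # [['amazon.com', 'walmart.com']]
```

Note what the first check shows: the plain initials of the post's sentence give "MsCi10yo", which has upper case, lower case and digits but no special character; the author's substitution of "@" for the last letter is what makes it pass, so the substitution step is part of the method, not decoration. The reuse check is the kind of thing to run over a staff password inventory (or a password manager export) after a breach notice like Gawker's, to know which accounts need changing rather than hoping employees remember.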


USB thumb drives should be viewed as a liability

USB thumb drives or flash drives should be viewed as a real liability. Yes they are convenient, yes they make transferring data extremely easy and yes they are cheap. But hidden under all those benefits is the reality that because they are so convenient and cheap it is too easy to put sensitive information on them. It is too easy to lose them, and it is too easy to face the major liability of a patient information data breach if they are lost and not encrypted.

In two recent cases the real liability of these flash drives surfaced. The Department of Veterans Affairs announced that an employee brought in a personal USB thumb drive and copied information on 240 veterans and beneficiaries onto it. The drive was not encrypted and it was misplaced.

A VA employee had been using the personal thumb drive to store information on 240 veterans and beneficiaries in violation of VA policy, Baker says. The information included names, Social Security numbers, addresses and health data. Affected veterans are being offered free credit protection because the drive was inappropriately removed from the VA facility, Baker explains.

In another incident involving an unencrypted flash drive:

A psychiatric hospital in Louisville is notifying 24,600 patients about a breach involving the loss of an unencrypted flash drive.

So it is pretty easy to see how these drives can be a liability. Here are a few thoughts on how to limit your exposure to this liability.

  1. Develop a policy that employees are not to use personal USB flash drives. In the policy, state that only USB drives that are purchased by the organization are allowed to be used. Also state that USB drives are only to be used with prior authorization (state who needs to authorize the use as well). Write the policy in an email or a Word document and send it to everyone. Make them sign it and send it back to you.
  2. Purchase encrypted USB drives for employee use. Encrypted USB drives cost more than unencrypted drives but are worth the increased cost. They are also very easy to use and just require a password when accessing the drive to either read or write data. Encrypted drives can be bought at Amazon, Buy.com or other retailers. I personally use an encrypted drive from Kanguru Solutions which works great.
  3. Use staff meetings to discuss the liability associated with the flash drives. Remind employees about the policy they signed. Continue to educate them and continue to remind them until it is ingrained in them to be fearful of these drives.

If you take the above steps your liability will not go away, but it is likely to be reduced significantly. And once the liability is reduced you can go back to thinking how incredible these little drives are compared to the floppy disks that were used in the past.


Ponemon study is eye opening

A study by the Ponemon Institute (registration required) sheds some much needed light on the current state of patient information security. There is so much valuable information that I urge you to read the full report. I will try to pull out some of the most interesting pieces and summarize them here.

Protecting patient data is not a priority. Seventy percent of hospitals say that protecting patient data is not a top priority. The majority of responding organizations have less than two staff dedicated to data protection management (67 percent). Most at risk is patient billing information and medical records, which is not being protected. In addition, patients are typically first to detect a significant number of breaches at healthcare organizations (41 percent). This finding suggests that patient data is being unknowingly exposed until the patients themselves detect the breach. Healthcare organizations’ inability to prevent or detect patient data loss is putting patients at greater risk of medical identity theft, financial identity theft and having their personal health facts disclosed.
The number that caught my attention is that in 41% of cases patients are the first to find out about data breaches. This tells me that the organizations don’t know they have data breaches and are not actively monitoring for breaches.
Federal regulations have not improved the safety of patient records. The passage of the HITECH Act widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. Despite the intent of these rules, the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.
I don’t think this statement is shocking to anyone. Not until there is real enforcement of the current HIPAA and HITECH regulations will there be change to the management practices of patient records. Without the threat of enforcement, health organizations are just not that concerned with protecting patient health information.
The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations either did not notify any patients (38 percent) or notified everyone (34 percent) that their information was lost or stolen.
38% just ignored the breach and never notified patients. Again, if there was real enforcement and the threat of “willful neglect” findings along with the steep fines, I am not sure that data breaches would be ignored.
Very few respondents (15 percent) believe the breach had no negative impact on their organizations. Most respondents believe they have suffered brand or reputation diminishment (81 percent) followed by time and productivity loss (80 percent) and loss of patient goodwill (77 percent). The least negative results are lawsuits (23 percent) and poor employee morale (18 percent).
When I talk to health organizations, most think about the HIPAA fines for non-compliance but few actually think about the other negative impacts of data breaches. Data breaches have huge financial impacts, not from government fines but from loss of patients and associated revenue. 81% of the respondents stated they suffered brand or reputation impact, and 77% stated loss of patient goodwill. Take both of those numbers together and you have a loss of significant revenue. The report goes on to put some financial numbers around this concept:
As mentioned above, the most negative result of a data breach is brand or reputation diminishment; related to this is the loss of patient goodwill. The potential result is patient churn. According to Bar Chart 16, 29 percent of respondents see the lifetime value between $10,001 and $50,000. The extrapolated average lifetime value of one lost patient (customer) is $107,580.
Ponemon Institute’s 2009 Annual Study: Cost of a Data Breach calculates the abnormal customer/patient churn rate for the healthcare industry as six percent. When this churn rate is applied to the average number of data breach incidents experienced by survey participants over two years (2.4), the average number of lost or stolen records per breach (1,769) and percent that were fully notified (34 percent), the result is 87 patients lost to churn. The loss of 87 patients implies that organizations lose over $9 million to patient churn just from data breach incidents experienced over a two-year period.
The estimated revenue loss is pretty shocking.  And the reality is that a lot of these breaches can be avoided with basic security measures that don’t require a large budget.
The following table shows some very interesting statistics:
Table 1: Attributes that describe the information security environment in healthcare organizations, in descending order of confidence (percent of respondents answering Very confident or Confident)
Comply with legal requirements and policies including privacy laws and statutes (i.e., HIPAA) 85%
Enforce corporate policies, including the termination of employees or contractors who pose a serious insider threat 72%
Training and awareness program for all system users 71%
Have standard agreements with business associates that clearly explain the requirements for data protection 66%
Ensure minimal downtime or disruptions to systems resulting from security problems 65%
Conform with leading self-regulatory requirements such as ISO, NIST, HITRUST and others 61%
Prevent or curtail viruses and malware infections 56%
Attract and retain high quality IT security personnel 55%
Perform timely updates for all major security patches 53%
Security program administration is consistently managed 52%
Secure endpoints to the network 51%
Secure patient data in motion 47%
Know where patient information is physically located 47%
Identify system end-users before granting access rights to patient information 45%
Conduct independent audits of the system 45%
Secure patient data at rest 42%
Control all live data used in systems development activities 39%
Prevent or curtail cyber attacks 39%
Prevent or curtail cyber attacks that attempt to acquire patient information 37%
Identify major data breaches involving patient information 32%
Prevent or curtail major data breaches involving patient information 31%
Determine the root causes of major data breaches involving patient information 30%
Protect patient information used by business associates 29%
Limit physical access to data storage devices containing patient information 23%
Demonstrate the economic value or other tangible benefits of the company’s security program 17%
Protect patient information used by outsourcers including cloud computing vendors 10%
Let’s look at just a few of the more concerning statistics.  Each number below is the share of respondents who were not confident in that attribute:
  • 53% are not confident they know where patient information is physically located.  How can you protect patient information if you don’t know where it is!?
  • 29% are not confident that all of their system users have been trained on protecting patient data.
  • 68% are not confident they could identify a major data breach involving patient information.
  • 47% are not confident that major security patches are applied to their systems in a timely manner.
  • 90% are not confident they could protect patient information used by outsourcers, including cloud computing vendors.

There is so much more in the report and I urge you to take a look at it.  But just from the information above you can tell that health organizations have to do MUCH more to protect patient information.

For an excellent slideshow that summarizes the results of the Ponemon study graphically click here.

A look into tomorrow’s cloud

My last post discussed a hybrid strategy for utilizing local and cloud based IT services.  I concluded the post by stating that I didn’t think we were ready for all cloud based IT services.  Let’s fast forward a few years and assume that businesses can run a majority of their IT services in the cloud.  Let’s assume that reliability, security and accessibility have all matured to the point that a totally cloud based IT infrastructure is possible.   A key component would be that Internet access matures to the point that it is as reliable and scalable as other utilities such as electricity, natural gas, etc.  High speed Internet access would be ubiquitous and reliable whether you are utilizing wired or wireless connections.  Connecting to the cloud would be as reliable as turning on a light switch in a home or office.

What does a total cloud based IT infrastructure look like?  Let’s take some of the typical IT services that businesses utilize today and compare them to what would be offered by competing cloud based services.

IT Services

  1. User Authentication – basic ability to log into your network and use those credentials to access other services
  2. File Services – ability to access files (documents, spreadsheets, presentations, etc).  Ability to restrict access based on defined user access lists (i.e. only the marketing department can access the marketing network share)
  3. Print Services – ability to print to various printers.  Queue multiple print jobs that require the same printer.
  4. Email Services
  5. Database Services
  6. Firewall Services – protection of a network from outside access
  7. Anti-virus / Anti-malware Services
  8. Line of Business Applications – EMR, ERP, Accounting, etc.
  9. Document Creation – ability to create documents, spreadsheets, presentations (i.e. Microsoft Office)
  10. Remote Access Services – ability to gain access to other services when you are outside your network (i.e. home, traveling or at another location)

There are many other IT Services that businesses utilize but let’s just limit the conversation to these 10.

At this point I started having trouble wrapping my mind around what a totally cloud based network would look like.  I decided to take the approach that the network is fundamentally the same as it is today, just moved into the cloud.  I think this is the easiest approach, although it is an interesting exercise to try to figure out how the network of the future would look: a network that ties together all of the other cloud based services.  For more details on how it might work, take a look at Dave Winer’s excellent post.

Let’s take our list of 10 typical IT Services and move them to the cloud:

Cloud based IT Services

  1. User Authentication – these services would function basically the same except that the servers you authenticate against would be running virtually in the cloud.  Amazon, Rackspace and other companies currently offer these services.  For this thought exercise we are going to assume that you can take these validated credentials and use them to access other cloud based services, very much as Google and Microsoft each use a single account to access multiple services.
  2. File Services – files would be stored on other cloud based services.  Access to the files would still be restricted to user access lists.
  3. Print Services – ability to print to various local printers.
  4. Email Services – ability to send and receive emails would be another function provided by a cloud based solution.  The solution would include anti-malware, anti-SPAM, email encryption and other services that are now usually added onto existing Email Services.
  5. Database Services – SQL Server, Oracle, MySQL databases that would be hosted in the cloud.
  6. Firewall Services – protecting a network from outside access would have a much smaller role.  Local networks would no longer contain data that needed to be protected, so the firewall’s job would be simpler and less complex.
  7. Anti-virus / Anti-malware Services – currently these are separate services that are applied to other services such as protecting files, email, etc.  These services would be seamlessly integrated into the other cloud based services and would no longer be a separate function.  Cloud based providers would be responsible for integrating and managing these services.
  8. Line of Business Applications – EMR, ERP, Accounting, etc.  Again these services would be provided in the cloud and most likely the individual vendor of the application would provide it as a cloud based service.
  9. Document Creation – documents would be created using cloud based utilities such as Google Docs or Microsoft Office Web Apps.
  10. Remote Access Services – the concept of Remote Access would totally shift.  EVERYTHING would now be remotely accessible from the cloud.  This would no longer be a separate service.
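The single-credential idea in items 1 and 2 above is the security-relevant part of this picture: once a user has authenticated against the cloud authentication service, the file service has to be able to trust that assertion without ever seeing the password, and it still has to apply its own access list.  The following is an added example, not code from the original post, that sketches this with a short-lived signed token.  The service names, the shared HMAC secret and the share ACL are assumptions for illustration; a real deployment would use an identity provider with asymmetric signing keys rather than a secret shared between services.

```python
"""Added example: one login reused across cloud services, with a per-service ACL.

The authentication service signs a short-lived token; the file service verifies
it and then applies its own access list. Names, the shared HMAC secret and the
ACL are assumptions made for this illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Assumption: both services hold this secret. A real identity provider would use
# asymmetric keys so that a file service could verify but never mint tokens.
SHARED_SECRET = b"example-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, groups: list[str], audience: str, ttl: int = 300, now: float | None = None) -> str:
    """Authentication service: bind identity, groups, target service and expiry, then sign."""
    now = time.time() if now is None else now
    payload = {"sub": user, "groups": groups, "aud": audience, "exp": int(now + ttl)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, expected_audience: str, now: float | None = None) -> dict:
    """Any service: check signature, then audience, then expiry. Raises PermissionError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise PermissionError("malformed token")
    body, sig = parts
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        raise PermissionError("token was not issued for this service")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


# File service: which groups may read which share (assumed example ACL).
SHARE_ACL = {
    "marketing": {"marketing"},
    "finance": {"finance", "executives"},
}


def read_share(token: str, share: str, now: float | None = None) -> str:
    """File service: authenticate via the token, then authorise against the share ACL."""
    claims = verify_token(token, expected_audience="files", now=now)
    allowed = SHARE_ACL.get(share, set())
    if not allowed.intersection(claims["groups"]):
        raise PermissionError(f"{claims['sub']} may not read share {share!r}")
    return f"contents of {share} share"


def _denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo(t0: float = 1_700_000_000) -> dict[str, bool]:
    """Scenarios from the post: the same credential, several services and shares."""
    alice = issue_token("alice", ["marketing"], audience="files", now=t0)
    forged_body = _b64(json.dumps({"sub": "alice", "groups": ["finance"], "aud": "files", "exp": t0 + 300}).encode())
    forged = forged_body + "." + alice.split(".")[1]  # genuine signature, edited claims
    printer = issue_token("alice", ["marketing"], audience="print", now=t0)
    return {
        "marketing_ok": read_share(alice, "marketing", now=t0 + 10) == "contents of marketing share",
        "finance_denied": _denied(lambda: read_share(alice, "finance", now=t0 + 10)),
        "expired_denied": _denied(lambda: read_share(alice, "marketing", now=t0 + 600)),
        "wrong_audience_denied": _denied(lambda: read_share(printer, "marketing", now=t0 + 10)),
        "forged_groups_denied": _denied(lambda: read_share(forged, "finance", now=t0 + 10)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Three checks in verify_token carry the weight: the signature (so a client cannot promote itself into the finance group by editing the token), the audience (so a token minted for the print service is not accepted by the file service) and the expiry.  The file service then makes its own authorization decision from the groups the authentication service vouched for, which is what keeps "only the marketing department can access the marketing share" enforceable after the directory has moved out of the office.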

A typical office would now consist of just low cost workstations, laptops, tablets, thin clients and printers.  There would be no servers and no data stored locally in the office.  There would be no data to be backed up and the cloud providers would be responsible for data backups.  The IT support requirements would be minimal and the network complexity would be drastically reduced.

Companies whose function is to implement and support local IT services would have a greatly diminished role.  With local IT services all moved to the cloud there would no longer be a need for a lot of local IT support, although the functions that today’s IT companies provide would still be needed: user accounts would still need to be set up and maintained, printers set up, email accounts set up, etc.  These functions would not require a lot of technical skill, though, and could be performed by non-technical staff.

A business that moves their IT services into the cloud would no longer have to worry about local IT support.  They would no longer be faced with the constant workstation and server upgrades, software upgrades and the monthly expense of supporting the network. All of these functions would be pushed onto the cloud based providers.  The cloud based providers would now take on these responsibilities and factor the associated expenses into the monthly fee that they charge.

All in all, a cloudy future looks pretty good.  We are not there today, but we can take steps in that direction.  Some of the benefits can be realized today, and as the cloud becomes more reliable, secure and accessible, more benefits can be realized in the future.


2009 Annual Study: U.S. Cost of a Data Breach

In a very interesting study by the Ponemon Institute, the costs of data breaches were analyzed.  This is the 5th annual study done by the Institute.  The study showed that companies are spending more money to remediate data breaches: the average cost per compromised record per breach rose from $202 to $204.  The big driver of the cost of a data breach is the loss of customers, customers who switch to another company because of the breach.  To put that in perspective, if you have a data breach that affects 1,000 patients (records) you are looking at around $204,000 in breach related costs on average.  That is a staggering number!

In addition, breaches from malicious attacks rose to 24% of all breaches.  The study also reported, for the first time, breaches caused by data-stealing malware.  That finding is very troubling: it means that some of the spyware and viruses that companies have to deal with are no longer just annoying and disruptive; they are serious issues that may involve theft of data and lead to reportable breaches.

Another eye opening statistic from the report is that 36% of all data breaches were due to a lost or stolen laptop or mobile device, and a breach caused by a lost or stolen laptop costs more per record ($225) than the overall average ($204).  If this isn’t reason enough to ensure that your laptops are encrypted, I don’t know of a better one.
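“Make sure the laptops are encrypted” is only useful if you can check it.  The following is an added example, not code from the original post or the Ponemon report, of the check I would run on a Linux laptop fleet.  It parses the key="value" output of lsblk -P (util-linux) and walks each mounted filesystem down through any LVM layers to the underlying disk, looking for a dm-crypt (LUKS) mapping on the way; anything mounted without one is holding data in the clear.  The lsblk output embedded below is constructed for the example, and exempting the boot partitions is an assumption that they hold no patient data.

```python
"""Added example: find mounted filesystems on a laptop that are not protected by disk encryption.

Parses `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` (util-linux key="value" output)
and walks every mounted filesystem down to its disk, looking for a dm-crypt layer on
the way. The sample output is constructed for this example.
"""
from __future__ import annotations

import re
import subprocess

# Constructed sample: LUKS root carrying LVM volumes, plus an external disk holding
# patient data in the clear. Not captured from any real machine.
SAMPLE_LSBLK = """\
NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/patients" PKNAME="sda"
"""

# Assumption: boot partitions stay unencrypted so the machine can start, and hold no patient data.
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}

_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text: str) -> dict[str, dict[str, str]]:
    """Turn lsblk -P lines into {device name: {column: value}}."""
    devices: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if line.strip():
            row = dict(_PAIR.findall(line))
            devices[row["NAME"]] = row
    return devices


def is_encrypted(name: str, devices: dict[str, dict[str, str]]) -> bool:
    """True if any layer between this device and the physical disk is a dm-crypt mapping."""
    seen: set[str] = set()
    while name in devices and name not in seen:
        seen.add(name)
        if devices[name]["TYPE"] == "crypt":
            return True
        name = devices[name]["PKNAME"]  # step down to the parent device
    return False


def audit(text: str) -> dict[str, bool]:
    """{mountpoint: encrypted?} for every mounted filesystem (swap included: it holds RAM images)."""
    devices = parse_lsblk(text)
    return {row["MOUNTPOINT"]: is_encrypted(name, devices)
            for name, row in devices.items() if row["MOUNTPOINT"]}


def unencrypted_mounts(text: str) -> list[str]:
    """Mountpoints that hold data in the clear and are not on the exemption list."""
    return sorted(m for m, enc in audit(text).items() if not enc and m not in EXEMPT_MOUNTS)


def audit_this_machine() -> list[str]:
    """Run lsblk on the current Linux host and report its unencrypted mounts."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for mount, enc in audit(SAMPLE_LSBLK).items():
        print(f"{mount:15} {'encrypted' if enc else 'CLEAR'}")
    print("needs attention:", unencrypted_mounts(SAMPLE_LSBLK))
```

Walking the parent chain rather than looking only at the mounted device is what makes the check honest: a root filesystem on LVM on LUKS reports as encrypted, while a second disk or USB drive that was added later and never enrolled in encryption shows up as the finding, which is exactly the device that walks out the door with patient data on it.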

Here are some highlights of the study:

U.S. organizations continue to experience an increased cost of data breaches, which includes activities intended to prevent a loss of customer or consumer trust. This rise in expense occurs despite a decline in major media or press coverage of this topic. Overall cost is not declining despite the perception that data breaches are becoming a more mundane issue. This viewpoint may be tied to stabilizing costs of detection, escalation and notification as well as our first-ever observation of a decrease in lost business. The average organizational cost of a data breach increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009. The average cost per compromised record per breach rose only $2, from $202 to $204. The most expensive data breach event included in this year’s study cost one organization nearly $31 million to resolve.

Data breaches from malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than those caused by human negligence or IT system glitches. The incidence of malicious attacks rose from 12 percent to 24 percent. In addition, the 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215, 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166). For the first time companies participating in the study reported that data-stealing malware caused their breaches. These findings suggest that organizations must start protecting themselves more proactively from increasingly aggressive malicious outsiders.

Data breach continues to be a very costly event for organizations. The average organizational cost of a data breach increased from $6.65 million in our 2008 study to $6.75 million in 2009. The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve. The least expensive total cost of data breach for a company included in our study was $750,000. The magnitude of the breach event ranged from approximately 5,000 to approximately 101,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.

Abnormal churn or turnover of customers resulting directly from the data breach incident appears to be the main driver for data breach cost. In this year’s study, the average abnormal churn rate across all 45 incidents is slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The industries with the highest churn rate are pharmaceuticals, communications and healthcare (all at 6 percent), followed by financial services and services (both at 5 percent). The industries with the lowest abnormal churn rates are manufacturing, energy and media (all at or below 1 percent), followed by technology and retail (both at 2 percent).

Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop was $225.

Here are some of the preventative solutions that the report lists:

Preventive Solutions

Especially given the rise in data-stealing malicious attacks, organizations should strongly consider a holistic approach to protecting data wherever it is – at rest, in motion and in use. While manual and policy approaches may come first to mind for many companies, those approaches by themselves are not as effective as a multi-pronged approach that includes automated IT security solutions. Many kinds of automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners. Some of the most popular and effective of these technologies currently available include:

  • Encryption (including whole disk encryption and for mobile devices/smartphones)
  • Data loss prevention (DLP) solutions
  • Identity and access management solutions
  • Endpoint security solutions and other anti-malware tools

Companies should also look for centralized management of IT security solutions so they can automatically enforce IT security best practices throughout their organizations. Such capability also enables enterprises to align information protection with corporate security policies and regulatory or business-partner mandates.
