Proactive Cybersecurity Reduces the Cost of a Breach
From a bird's-eye view, the cumulative cost of cyber-crime is estimated to reach 9.2 trillion USD globally in 2024. According to IBM's 2023 Cost of a Data Breach Report, a single breach imposes an average of 4.45M USD of financial damage on the victim; US firms incur more than double the global average, while German organizations fared roughly on par with it.
The largest costs are incurred by post-breach activities such as incident response, digital forensics, system recovery, and mandatory disclosure reporting, and regulatory fines can add significantly to the total. Change Healthcare has forecast an expected loss of 1.6B USD for 2024 due to a breach that occurred in March 2024, and as discussed below, regulatory penalties may still be pending.
These potential damages highlight the importance of proactive security measures, both for preventing successful cyber attacks and for mitigating the financial impact should one occur. The Ponemon Institute found that 57% of breached organizations attributed their breach to a vulnerability for which a patch was available but had not been applied. Getting breached less often is the obvious benefit of preventative cybersecurity measures, but according to IBM, organizations practicing proactive risk-based vulnerability management (RBVM) also experience lower-than-average breach costs (3.98M USD) compared to the overall average (4.45M USD), organizations suffering from a security skills shortage (5.36M USD), or those deemed non-compliant with cybersecurity regulations (5.05M USD).
The Cost of the Change Healthcare Ransomware Attack
In March 2024, Change Healthcare suffered a ransomware attack that has so far burdened the company with roughly 872M USD in damages and delayed 6B USD in health insurance payments. Change Healthcare forecasts a total expected loss of 1.6B USD for the year due to the incident. Established in 2007, Change Healthcare is a leading healthcare technology company selling revenue cycle management, payment accuracy, and clinical data exchange services globally. Its 2022 acquisition by UnitedHealth Group valued the company at roughly 8B USD.
HIPAA Compliance Investigation Into Change Healthcare
On top of those direct losses, the US HHS Office for Civil Rights (OCR), the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), has opened an investigation into the attack to determine whether Change Healthcare violated its compliance requirements. The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards that protect ePHI against reasonably anticipated security threats, and since the 2021 HITECH amendment OCR must also consider whether "recognized security practices" were in place when deciding on penalties.
Continuous vulnerability management is a fundamental component of every modern cybersecurity framework and of the recognized security practices OCR looks for. If there is a bright side, it is that the most severe civil penalties for HIPAA non-compliance are capped at roughly 2M USD per year for each category of violation; small change compared to the overall cost of response and recovery for this particular incident.
The Greenbone Vulnerability Management platform can run customized compliance audits against frameworks such as CIS Benchmarks, DISA STIGs, and HIPAA, and Greenbone itself is certified for its information security management system (ISO 27001), quality management (ISO 9001), and, most recently, environmental management (ISO 14001).