THE EVENT: Idaho State University (ISU) recently agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) to settle violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule discovered after ISU notificed HHS of the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients at ISU's Pocatello Family Medicine Clinic.The breach was blamed on the disabling of firewall protections, and failure of ISU to notice the change or the lack of protection.
ISU also had to agree to a 2 year Corrective Action Plan, defining enhanced security procedures and increased reporting to HHS.
THE COST: For an exposure of 17,500 records, the $400,000 fine alone is pretty significant - more than $20/account, which is about double the likely internal costs of dealing with the breach, communicating to effected customers, offering fraud monitoring services, etc. Those costs likely add in another $200K.
The requirements of the Corrective Action Plan bring additional costs, including a Post Incident Risk Assessment, Annual Reports, etc. Probably the most onerous requirement is that ISU must notify HHS in writing every time it is discovered that an ISU employee failed to comply with a policy or procedure. I'm just going to estimate that over the two years it will average out to 1 full time equivalent at a fully loaded yearly rate of $200K per year.
I'm not going to add in any increased security or external assessment costs, since those are things the University should have been doing in the first place. Add all of this up and I estimate this breach will end up costing the University about $1M over the two year period, or roughly $500K per year. Since universities typically 5% of revenue on IT, and ISU reported $107M in revenue, that $500K per year is about 10% of the overall IT budget each year.
Since security budgets at universities typical run 4-5% of the IT budget, another way to look at it: that one incident will cost 4 times as much as the typical university the size of ISU would spend on security over two years.
THE COST OF AVOIDING THE INCIDENT: Since the breach was blamed on change in firewall policies that exposed servers, there are several Critical Security Controls that would have detected the policy violation:
- Critical Security Control 10: Secure Configurations for Firewalls, Routers and Switches is the most directly applicable. The use of firewall policy management products from vendors such as AlgoSec, Athena, Firemon, Redseal, Skybox, Solarwinds, Tripwire, Tufin, etc would have provided immediate indication.
- CSC 4: Continuous Vulnerability Assessment and Remediation tools would likely have detected internal server exposure due to firewall ports and services left open.
- CSC 14: Maintenance, Monitoring and Analysis of Audit Logs would have at least registered the policy change on firewalls as an auditable event and limited the exposure period.
The usage of firewall policy management tools is growing, but not all that common at medium-sized Universities - let's assume that would require completely new spending. I'm going to estimate $40K procurement, $15K second year maintenance costs and .1 FTE.
So, spending $75K could have completely avoided the $1M expense - not a bad ROI, especially since I'm not including any soft costs like hiring new CIOs and CISOs, dealing with regents and other board of director-like functions, etc.
Even if I worst-case it, the prevention costs do not exceed the hard avoidance costs. Vulnerability assessments and log monitoring are sort of security 101 - even a university is completely deficient if they aren't already doing those things. But I'll assume that it was being done so badly that signing up for a vulnerability scanning service and buying a mid-range SIEM product is required. I'll throw $30K/year and .1 FTE at the former, and $100K acquisition, $30K second year costs and .25 FTE at that.
Add all that up and you get about $250K of technology purchases and about $250K of increased labor - about equal to the cost of the breach. So, even in the worst case the ROI is huge if you assume a second breach was inevitable if there was no vulnerability assessment or log analysis being done.
BOTTOM LINE: It ain't hard showing security ROI. Years ago, Avivah Litan and I at Gartner did a more detailed analysis on a large breach at a large financial institution and demonstrated very similar numbers.
The Critical Security Controls give you an easy way to prioritize and justify easy but effective increases in security.