Average health care data breach costs almost $11 million

The average cost of a health care data breach is now $10.93 million, an 8% increase from a year ago, when the average cost topped $10 million for the first time, according to IBM’s Cost of a Data Breach Report.

The health care sector continues to be a prime target for hackers, leading all other industries for the 13th consecutive year when it comes to expensive data breaches. The average cost of a data breach across all industries is $4.45 million, less than half of what the average health care breach costs.

“We're seeing a very big increase for health care organizations, probably because they're really in the crosshairs of attackers. And there is no relenting so far,” said Limor Kessem, a senior cybersecurity consultant for IBM Security, in a statement.

Despite being targeted, many health care organizations are not as sophisticated in their cybersecurity defenses because health systems have had trouble attracting top cybersecurity talent because they don’t pay as well as other industries.

“Security folks are going to work for places where they could get the bigger paycheck, and it's not always going to be a health care organization,” Kessem said. “It's a tough industry to get very skilled staff.”

Experts say that health care will continue to be a top target for hackers

“Health care will always be an attractive target for threat actors because of the valuable data they collect and store,” said Emily Phelphs, director, Cyware, in a statement. “Adversaries don't only outnumber available cybersecurity pros; they collaborate effectively too. To mitigate the risks, health care organizations should leverage automation tools that enable lean security teams to efficiently address threats, they should ensure they invest in regular security awareness training so employees are armed to recognize and avoid common threat tactics such as phishing attacks, and they should consider partnering with security providers that can act as an extension of their teams, gaining expertise that is more difficult to resource and retain internally.”

Stephen Gates, principal security SME, Horizon3.ai, says health care organizations need to do more to protect themselves.

“The health care industry is being impacted by an enormous threat landscape with vast numbers of threat actors who are looking to breach organizations' networks, steal their data, hold them for ransom, and potentially destroy their businesses,” said Gates in a statement. “The defensive technologies they have in place are proving to be insufficient in blocking today's attacks. Continuously assessing your network attack surface, finding your weaknesses, remediating them immediately, and verifying that your remediations worked is the best way organizations can stay ahead of attackers.”