Costs of health care data breaches continue to soar: report

©hafakot-stock.adobe.com

Health care data breaches continue to become more costly.

The average health care data breach has reached $10.93 million, according to a new report from IBM Security. That’s an 8% jump from a year ago, when the average cost topped $10 million for the first time.

IBM Security compiles annual reports on the cost of breaches, and the health care industry suffers more costly data breaches than any other sector. In fact, it’s the 13th consecutive year that health care surpassed all other industries in the average cost of a breach. By comparison, the average cost of a data breach across all industries is $4.45 million.

Since the COVID-19 pandemic began, the average cost of a health care data breach has risen 53%, the report found.

“We're seeing a very big increase for health care organizations, probably because they're really in the crosshairs of attackers,” Limor Kessem, CISM, a senior cybersecurity consultant for IBM Security, told Medical Economics’ sister brand Chief Healthcare Executive®. “And there is no relenting so far.”

The report comes amidst a rise of data breaches and ransomware attacks affecting hospitals and health systems. This month, HCA Health care disclosed a cyberattack that could have affected as many as 11 million patients.

Attackers have discovered that health systems are vulnerable, and more accessible than organizations in other sectors. “Attackers who are highly skilled typically … have an easier time,” Kessem said. “And so they go for these major organizations that have a lot of patients. And then the larger breaches are extremely costly.”

Scarcity of talent

Health care organizations have trailed other industries in their cybersecurity defenses, Kessem said. Hospitals and health systems have had trouble attracting top cybersecurity talent, because other industries pay better.

“Security folks are going to work for places where they could get the bigger paycheck, and it's not always going to be a health care organization,” he said. “It's a tough industry to get very skilled staff.”

After health care, the financial sector was second in terms of cost, with the price tag of the average breach reaching $5.9 million. The pharmaceutical industry ranked third, with the average cost of a breach at $4.8 million, a slight drop from $5 million in 2022.

Health care organizations maintain enormous amounts of data on patients, including health records and financial information, making them appealing targets for ransomware attacks. They also work with hundreds of vendors, making them vulnerable to breaches outside their organization.

“It's a big attack surface, and it's very diversified,” Kessem noted. “It's really hard to protect.”

Silence is costly

In Kessem’s view, cyberattackers and ransomware gangs are becoming more adept at infiltrating organizations.

“They do it all day, every day,” Kessem said. “That's all they do. They know everybody's network. Sometimes they sit in networks for a while, and they watch everything. They go undetected for quite a while. They really find everything around, and that's their bread and butter.”

While the report focuses on the high costs of cyberattacks to health care and other sectors, Kessem says it also underscores the value of working with law enforcement when a breach occurs. Those who keep quiet and decline to call authorities are losing time and money, the report suggests.

Organizations that contacted authorities in a ransomware attack saved $470,000 in the average cost of a breach, compared to those who didn’t go to law enforcement. In addition, the report says those working with law enforcement contained a breach more quickly (273 days vs. 306 days).

“As a consultant, I get the question every single time: Should we bring in law enforcement? Or would it just make things worse or complicate things? And do we need more people here, it's already a mess, and so on,” Kessem said. “And it turns out that those who do bring in law enforcement will save about 33 days in the containment of the breach and save almost half a million dollars. So that's really good news.” Even so, 37% of ransomware victims studied do not contact authorities.

Protecting data

Many organizations don’t detect breaches on their own, the report states. Across all sectors, only one out of three breaches are found by an organization’s security team. In other cases, the breaches were found by a third party, or the attackers informed organizations they’ve been hacked.

Kessem suggested that health care organizations develop a more comprehensive view of protecting all of their patient data, including images of their patients.

“I think that health care organizations have to really think about: what data do we have, and how can we better protect it? Go to that encryption, find new encryption techniques, and schemes and adapt to the type of data you have,” she said.

Organizations that do better on cybersecurity have strong engagement from their top leaders. “They have an executive team that is actually interested in driving cybersecurity initiatives,” Kessem said. “And when they engage and take on a cybersecurity project, you see participation and hard work from those senior management teams. So it's not left just to the technical teams … It's really a joint effort, and everybody is part of it.”