The average breach costs in healthcare surpassed $10 million, with the industry maintaining its the top rank for costliest industry breaches for the 12th consecutive year, according to IBM X-Force’s latest Cost of a Data Breach Report.
The average total cost of a breach in healthcare increased 9.4% from $9.2 million in the 2021 report to $10.1 million in 2022.
The study also found healthcare organizations have a higher breach cycle than any industry, requiring nearly 11 months to identify and contain a breach.
“In recent years, we’ve increasingly seen cybercriminals rely on the concept of leverage,” says John Hendley, head of strategy at IBM Security X-Force. “Healthcare is simply a very attractive and lucrative target as operations and downtime are considered both costly and urgent.”
Malicious actors use this sense of urgency as leverage to pressure their victims – often through ransomware attacks.
Another key factor driving up costs in healthcare is the very nature of healthcare records as static data, Hendley explains.
“When your credit card information is compromised, your bank will issue you a new card and you can proceed as usual; however, healthcare data fundamentally doesn’t change,” he says. “This means these records are far more valuable and, therefore, easily monetized on the dark web.”
As such, those bundles of compromised data have a much higher per record cost (about $250 per record) than the average breached record. To put it into perspective, the average data breach cost in healthcare is 80% higher than the global average (of $4.35 million).
“Finally, because of the complexity of healthcare environments, this industry sees the longest breach cycles than any other industry, which contributes to higher costs,” he says. “The longer it takes to identify and contain a breach, the higher the costs businesses will incur.”
The report shows that healthcare organizations required 232 days to detect and an additional 85 days to contain a data breach.
Hendley says the most troubling finding from the report is actually the same across all industries: breaches are contributing to the rising cost of everything.
“According to the study, 60% of businesses increased prices on their products or services because of their data breach,” he points out. “Imagine the route a scalpel takes to get from raw materials to the hand of a surgeon, and how many organizations are involved in that supply chain.”
First, there’s the company that mines and refines the metal, the company that shapes it into the tool and packages it, the logistics companies that get it where it needs to go, the hospital itself, and the insurance and billing companies that must keep track of its use.
“Now, how many of those companies have had breaches? Well, on average, our study shows it’s 83% – or four of those five,” he explains. “Many have had more than one.”
He says those costs from downtime associated with the compromise, time spent responding, and any associated regulatory fines all go somewhere, and it’s increasingly being passed to the consumer, almost like a kind of “cyber tax.”
Hendley says cyber events need to stop being considered an abstract issue and start being framed for what they are: a significant factor capable of stressing the global economy, just as pressing a matter as COVID, Russia’s war on Ukraine, or other supply chain issues.
“Now in its 12th consecutive year as the costliest industry, it’s clear that healthcare institutions need to invest in their security to avoid paying these costs in breach fines and damages in the future,” he adds.
From his perspective, it’s essential they prepare for the next breach – because there will be a next breach.
“I’m a hacker, and I’ve been inside the networks and systems of hospitals, medical supply companies, pharmaceutical organizations, and more,” he says. “There is always a way in. Always.”
But all is not lost, and he says healthcare organizations can “absolutely” fight back against modern threat actors.
“The best way to do that is creating an incident response plan and playbooks,” he says. “What do we do in the event of a breach? Who do we mobilize? What’s the protocol? How can we quickly contain the incident? The answers to these questions should be thoroughly documented and regularly tested so they know what to do in the event of a real-life cyber crisis.”
Further, while this is a longer-term process, a zero-trust security strategy can help healthcare institutions better manage the risks of their often disconnected and complex environments, while still allowing users access to the appropriate resources.
“Finally, if you’re looking for a very basic step, organizations should review their identity and access management implementations to force use of multifactor authentication,” Hendley says. “Just this one step greatly helps curb cybercriminals’ ability to use stolen credentials, which is one of their favorite methods of initial compromise.”
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: firstname.lastname@example.org