The average healthcare breach now costs more than $10 million

Cyberattacks at hospitals are proving more costly, according to a new report from IBM Security. The cost of a typical breach rose by nearly $1 million over last year.

The healthcare sector continues its unenviable streak with the most costly cybersecurity attacks of any industry, and the breaches are getting more expensive.

The average healthcare breach now costs $10.1 million, according to a new IBM Security report released today. The cost of the typical healthcare breach rose by nearly $1 million over last year. IBM conducts the analysis annually.

Incredibly, this marks the 12th consecutive year that the healthcare sector has had the most expensive breaches of any industry.

Healthcare breaches are the most expensive by a substantial amount. The second most expensive attacks occurred in the financial sector, with the average breach costing about $6 million.

The pharmaceutical industry, which is listed separately from healthcare in the IBM report, ranked third, with the average breach costing about $5 million. The average breach across all industries cost $4.35 million.

The average healthcare breach is now 41.6% higher than in 2020. The average healthcare breach cost $9.2 million in 2021, and about $7.2 million in 2020.

“Healthcare has been finding itself in the cross-hairs of attackers for the past few years,” Limor Kessem, principal consultant of cyber crisis management at IBM Security, told Chief Healthcare Executive.

‘It’s fair game’

Hospitals and health systems have dealt with a greater number of cyberattacks. Part of the spike in attacks is driven by hospitals relying more on electronic health records and shifting more operations to the cloud in recent years, Kessem said.

Health systems have placed more data in the cloud but haven’t invested in cloud security, she said.

Kessem notes that the financial sector has been dealing with hackers for 30 years, so many health systems are likely not as adept at deterring hackers.

“They may be a little less experienced than other sectors like finance and insurance,” Kessem said.

Some analysts said cyberattackers and ransomware gangs would sometimes draw the line at attacking hospitals in the past, viewing that as too extreme. But Kessem said she doesn’t see much of a code of honor protecting hospitals.

“I haven’t seen a lot of that anymore … it’s fair game,” Kessem said.

Why breaches are so costly

The price of healthcare records plays a big role in the costs of breaches being so high.

“The healthcare record has a lot of information. It has information that is very hard to change,” Kessem said.

A patient’s medical record commands prices as high as $1,000 per patient record, significantly more than a credit card number, Justin Collier, chief healthcare advisor of World Wide Technology, said at the American Hospital Association Leadership Summit.

Most breaches aren’t even found for months, Kessem said. Typically, it takes 232 days to detect a breach and an additional 85 days to contain it, Kessem said. So the life cycle of the average breach is over 10 months.

“The longer the breach ... the more costly it is,” Kessem said.

The healthcare industry also faces more threats because it has a wide array of partners that have access to its systems, including vendors or other agencies. About one in six healthcare breaches (17%) occurred due to a compromise at a third party.

Plus, smaller hospitals and systems have fewer resources and staff to devote to cybersecurity, so some bad actors view them as “a little bit of lower hanging fruit,” Kessem said.

Hospitals and health systems are highly regulated, which can hamper efforts to address vulnerabilities. If a medical device is deemed to have a vulnerability that needs to be addressed, the Food and Drug Administration may have to approve the upgrade. Regulator approval can take months, which isn’t ideal for deterring hackers, Kessem said.

Threats from other countries

The hospital industry is facing more threats from nations that are sponsoring cyberattacks, partly to finance their own objectives.

Federal authorities warned healthcare organizations this month that cyber attackers backed by the North Korean government have been targeting the health sector with ransomware. Hackers backed by the Iranian government attacked Boston Children’s Hospital, but authorities said the breach was blocked before doing significant damage.

Authorities have also warned of the possibility of attacks from Russia following the invasion of Ukraine.

“Attackers have realized, hey, this is the backbone of any country,” Kessem said. “If we cause havoc there, we have a ton of leverage.”

“It’s become very mainstream to see espionage attacks,” she said.

Improving defenses

Cybersecurity experts are warning hospitals to consider the threat of a breach to patient safety, particularly since it can take months to recover from an attack. If hospitals lose access to electronic health records, then they have to radically reconsider how they deliver patient care and could be forced to divert patients or delay procedures.

Health systems that are moving more data to the cloud have to adopt stronger cloud security, Kessem said.

Even hospitals that can’t afford big investments can do a lot to minimize the risk of a damaging breach.

Hospitals and health systems need to adopt a zero trust framework for cybersecurity. Under the zero trust model, no user, device or request is trusted simply because it sits inside the network; each is continuously verified before it is granted access to systems and data.

Only 21% of organizations in critical infrastructure sectors, which include healthcare, have adopted a zero trust framework, according to IBM’s report. The National Institute of Standards and Technology can assist health systems in adopting zero trust architecture, Kessem said.

Health systems, particularly smaller organizations, should adopt security automation.

“Use as much automation as possible,” she said. “It can reduce the cost of cyberattacks.” The IBM report found that in organizations with security automation, the average breach cost $3 million less.

Hospitals must have detailed recovery plans for dealing with cybersecurity attacks, Kessem and other experts say. The plan should also include contingencies for ransomware attacks and procedures for maintaining business and clinical operations.

“There’s no bulletproof response to a breach, but you can prepare,” she said.