Healthcare continues to have the highest data breach costs of all industries, according to a new report from IBM. It revealed that the average cost of a healthcare data breach is now $10.93 million — up from $10.10 million in 2022.
Over the past three years, the average cost of a healthcare data breach has risen by 53.3%, the report said. In 2020, it was $7.13 million.
Despite the strict data privacy regulations within the healthcare sector, the industry still experienced data breach expenses this year that cost nearly twice as much as the financial sector — where data breaches were the second costliest, with an average cost of $5.9 million.
When a hospital or other healthcare provider experiences a cyberattack, it can experience a range of negative consequences. For example, its systems may go offline, forcing clinicians to revert to paper records and delay patient care. Depending on the circumstances of the breach, the provider might also face fines for violating HIPAA. Providers also must notify their patients if their personal data has been exposed in a breach, and patients often file lawsuits against their provider after learning of this.
Additionally, hackers often demand ransom from the healthcare providers that they target. Aaron Mendes, CEO and co-founder of data privacy platform PrivacyHawk, told MedCity News last month that hospitals usually end up paying these fees.
It’s difficult to get data on the dollar amounts that ransomware gangs typically demand because hospitals usually don’t disclose this information, but Mendes said these sums certainly “aren’t insignificant amounts of money.” According to him, some cybercriminal groups ask for millions or tens of millions of dollars.
“If a ransomware attack is successful, there’s not a great way to undo the damage without paying the ransom most of the time. You end up just paying the ransom, unfortunately. And then [the hackers] unlock your systems and you have to try to figure out how they got it and then put things in place to try to prevent it from happening in the future,” Mendes explained.
In addition to the increase in the average cost of a healthcare data breach, the number of data breaches is also rising. The number of patients affected by data breaches this year is on track to exceed last year’s total — healthcare organizations have already reported more than 330 breaches affecting 43 million people, which is rapidly approaching 2022’s total of 52 million impacted patients.
The vast amount of patient data held within provider organizations make them attractive targets for cybercriminals. Unfortunately, providers’ use of legacy systems and their reliance on third parties makes them vulnerable to these cyberattacks.
Healthcare’s workforce shortage and resulting burnout crisis are making the industry even more vulnerable to cyberattacks, according to an April report from Moody’s Investors Service. For instance, burnt out employees may be more likely to fall for a phishing scam that gives way to unauthorized access. Additionally, the time and money hospitals are dedicating to addressing their staffing levels may prevent them from making necessary investments in cybersecurity technology and cyber risk awareness training for employees.
Photo: WhataWin, Getty Images