Data breaches are becoming more costly across all industries, with healthcare in the lead.

The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year.

Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and regulations developed specifically for healthcare intend to improve the overall security of healthcare entities while protecting patient data. In the face of rising costs and persistent threats, the healthcare industry must continue to innovate.

Data breaches in the healthcare industry pay a high price

A healthcare data breach is among the costliest types of data breach. The average cost of a data breach across industries was $4.45 million, yet the average cost of a healthcare data breach was the highest among all industries at $10.93 million. Healthcare has seen a significant cost increase of 53.3% over the past three years.

Personal data remains a valuable target in a healthcare data breach. Customer and employee personally identifiable information were the top two stolen data types, followed by intellectual property, anonymized personal information and other corporate data such as earnings information and client lists.

Data stored across multiple environments consisted of the highest percentage of breaches, with the highest total cost compared to other singular storage methods (public cloud, private cloud, on-premises). The time required to detect and contain a data breach averaged 291 days when data was stored across multiple environments.

Phishing moved into the top spot as the most used initial attack vector, accounting for 16% of all data breaches. Compromised credentials dropped to the number two spot, followed by cloud misconfiguration. Malicious attacks were the most reported root cause of a healthcare data breach at 56%. IT and human failure were the root cause of fewer data breaches, accounting for 24% and 20%, respectively.

Healthcare data breaches tend to last 231 days before they’re discovered, compared to 204 days across other industries. The healthcare industry experienced longer containment periods, an average of 92 days compared with other industries at 73 days. Healthcare organizations took an average of 19 days longer to contain a data breach.

Read the full report

Strict regulations require strict data protections

Healthcare is a highly regulated industry where data is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Recent updates to the HIPAA Privacy and Security Rules require entities to maintain reasonable and appropriate protection of electronic health data. These rules include provisions for administrative, technical and physical safeguards of data when it’s created and transmitted. Additional privacy protections include guidelines for protecting diagnostic data. Updates to the HIPAA guidelines also include detailed requirements for timely data breach notification depending on the stakeholder type.

While the U.S. Department of Health and Human Services (HHS) does not mandate which electronic platforms healthcare organizations must use, they are encouraged to use NIST guidance documents when choosing secure platform providers.

Failure to comply with HIPAA regulations results in steep fines. The Department of Health and Human Services Office of Civil Rights (OCR) and state attorneys general are responsible for issuing HIPAA violation fines. The four-tiered HIPAA violation penalty structure takes into account the level of neglect and reasonable knowledge of potential violations a healthcare entity had before and after a data breach. Fines range based on the type and severity of a violation, but the maximum per affected record is $50,000 as of 2022. The annual penalty limit for violations that fall under each of the penalty tiers is $1,919,173 per tier. In some cases, healthcare entities may need to pay civil monetary penalties to individuals affected by a breach.

Lagging security approaches

Cybersecurity investment in healthcare tends to lag behind other industries. The healthcare industry reportedly spends 6% to 10% of its overall IT budget on cybersecurity, where the average spend is around 6%. A projected increase in cybersecurity spending after a data breach was considered by 51% of all industries surveyed, even though the cost of a data breach rises each year.

The 2023 Cost of a Data Breach report found the cost of a data breach is reduced when organizations have tools and teams dedicated to protecting and responding to data breaches. The healthcare industry experienced an average cost savings of $2 million with incident response (IR) and testing teams in place versus without IR or testing. Health organizations that deploy artificial intelligence (AI) and automation saw massive cost savings of $850,000 compared to the global average cost of a breach.

With the right tools and skilled workers, the healthcare industry can make strides toward better data protection. As healthcare data remains a valuable target and threats show no sign of slowing, the industry will need to adapt accordingly.

More from Data Protection

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Data residency: What is it and why it is important?

3 min read - Data residency is a hot topic, especially for cloud data. The reason is multi-faceted, but the focus has been driven by the General Data Protection Regulation (GDPR), which governs information privacy in the European Union and the European Economic Area.The GDPR defines the requirement that users’ personal data and privacy be adequately protected by organizations that gather, process and store that data. After the GDPR rolled out, other countries such as Australia, Brazil, Canada, Japan, South Africa and the UAE…

Third-party breaches hit 90% of top global energy companies

3 min read - A new report from SecurityScorecard reveals a startling trend among the world’s top energy companies, with 90% suffering from data breaches through third parties over the last year. This statistic is particularly concerning given the crucial function these companies serve in everyday life.Their increased dependence on digital systems facilitates the increase in attacks on infrastructure networks. This sheds light on the need for these energy companies to adopt a proactive approach to securing their networks and customer information.2023 industry recap:…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today