Data breaches are becoming more costly across all industries, with healthcare in the lead.

The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. Healthcare data breach costs are the highest of any industry and have increased for the 13th consecutive year.

Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and regulations developed specifically for healthcare intend to improve the overall security of healthcare entities while protecting patient data. In the face of rising costs and persistent threats, the healthcare industry must continue to innovate.

Data breaches in the healthcare industry pay a high price

A healthcare data breach is among the costliest types of data breach. The average cost of a data breach across industries was $4.45 million, yet the average cost of a healthcare data breach was the highest among all industries at $10.93 million. Healthcare has seen a significant cost increase of 53.3% over the past three years.

Personal data remains a valuable target in a healthcare data breach. Customer and employee personally identifiable information were the top two stolen data types, followed by intellectual property, anonymized personal information and other corporate data such as earnings information and client lists.

Breaches involving data stored across multiple environments made up the highest percentage of breaches and carried the highest total cost compared with any single storage environment (public cloud, private cloud, on-premises). When data was stored across multiple environments, detecting and containing a breach took an average of 291 days.

Phishing moved into the top spot as the most common initial attack vector, accounting for 16% of all data breaches. Compromised credentials dropped to second place, followed by cloud misconfiguration. Malicious attacks were the most frequently reported root cause of healthcare data breaches, at 56%. IT failure and human error were the root cause of fewer breaches, accounting for 24% and 20%, respectively.

Healthcare data breaches tend to go undiscovered for 231 days, compared with 204 days in other industries. Healthcare also experienced longer containment periods, an average of 92 days compared with 73 days in other industries. In total, healthcare organizations took an average of 19 days longer to contain a data breach.


Strict regulations require strict data protections

Healthcare is a highly regulated industry whose data is governed by the Health Insurance Portability and Accountability Act (HIPAA). Recent updates to the HIPAA Privacy and Security Rules require entities to maintain reasonable and appropriate protection of electronic health data. These rules include provisions for administrative, technical and physical safeguards of data when it is created and transmitted. Additional privacy protections include guidelines for protecting diagnostic data. The updated HIPAA guidelines also set out detailed requirements for timely data breach notification, which vary by stakeholder type.

While the U.S. Department of Health and Human Services (HHS) does not mandate which electronic platforms healthcare organizations must use, healthcare organizations are encouraged to consult NIST guidance documents when choosing secure platform providers.

Failure to comply with HIPAA regulations results in steep fines. The HHS Office for Civil Rights (OCR) and state attorneys general are responsible for issuing HIPAA violation fines. The four-tiered HIPAA violation penalty structure takes into account the level of neglect and the reasonable knowledge of potential violations a healthcare entity had before and after a data breach. Fines vary by the type and severity of a violation, but the maximum per affected record is $50,000 as of 2022. The annual penalty limit for violations that fall under each penalty tier is $1,919,173 per tier. In some cases, healthcare entities may also need to pay civil monetary penalties to individuals affected by a breach.

Lagging security approaches

Cybersecurity investment in healthcare tends to lag behind other industries. The healthcare industry reportedly spends 6% to 10% of its overall IT budget on cybersecurity, with the average spend around 6%. Across all industries surveyed, only 51% of organizations planned to increase cybersecurity spending after a data breach, even though the cost of a data breach rises each year.

The 2023 Cost of a Data Breach Report found that the cost of a data breach is reduced when organizations have tools and teams dedicated to preventing and responding to breaches. The healthcare industry saw an average cost savings of $2 million when incident response (IR) and testing teams were in place versus when they were not. Health organizations that deploy artificial intelligence (AI) and automation saw cost savings of $850,000 compared with the global average cost of a breach.

With the right tools and skilled workers, the healthcare industry can make strides toward better data protection. As healthcare data remains a valuable target and threats show no sign of slowing, the industry will need to adapt accordingly.
