IBM Security and the Ponemon Institute release an annual report known as one of the most significant industry benchmarks. The Cost of a Data Breach analysis examines real-world breaches in great detail, producing insights into the factors that drive the cost of cyber-attacks.
In the 2022 report just released, the healthcare sector stands out for extremely high breach costs on the global average chart. Furthermore, the sector has kept its leading position in that respect for the 12th year in a row, setting a new record of $10.10 million in average breach costs after rising nearly $1 million from the previous year. Here are some stats to consider in comparison:
- The global average of breaches across all sectors was $4.32 million
- The average ransomware attack costs organizations $4.54 million
- The average critical infrastructure attack came in at $4.82 million
So, what is making healthcare breaches produce costs that are more than double what the rest of the industry loses to cyber-attacks of similar types? In this post, we unpack some of the factors that specifically impact the healthcare sector in that respect.
Costly Stats: More Breaches, More Records Lost
The number of breaches in the healthcare sector has been on a steady rise over the past decade. Breach numbers stood in the double digits in 2009; by 2021, there were over 700 breaches in a single year.
There has also been an increase in the number of records lost in each breach, especially with organizations working more digitally than ever. Over 90% of clinics and hospitals in the US have moved to EHRs and EHR platforms, often using several platforms across health systems, without necessarily following up with the required security. In some cases, cybercriminals were able to breach and dump entire EHR databases and sell them in underground fraud markets for hefty profits.
With digitization advancing across the sector, everyone is also processing more data than ever in clouds, which often turn out to be poorly secured. Overall, the Cost of a Data Breach report has found that while many organizations work in the cloud, a mere 23% of those surveyed could say they were mature on the cloud security front. This in turn translates into longer, and costlier, detection and containment phases in case of a breach.
Interoperability is another place where issues can arise. Without stringent security on that front, breaches can originate from business partners and other interconnected systems. For critical infrastructure organizations, 17% of breaches started with third-party compromise.
The infrastructural complexity and the insecure handling of data yield damaging effects, with anywhere from many thousands to millions of records lost at a time. The more records are lost in a breach, the more costly it will be, carrying both short- and longer-term impact via regulatory fines, lawsuits, and reputational damage. In healthcare’s case, that equation is worsened by a higher per-record cost.
Lengthy Detection, Costly Downtimes Entice Cybercriminals to Disrupt
The healthcare sector tops the chart in the time it takes breached organizations to detect and contain an attack. At 232 days to detect and an additional 85 days to contain, the early parts of the attack’s lifecycle alone take well over 10 months, giving attackers a long time to dwell and gain leverage. This leverage later translates into more damage and higher breach costs.
The next factor is the disruption, and the urgency to recover. In the healthcare sector, that urgency is what can entice cybercriminals to target it. Every sector can put an average price on the cost of unscheduled downtime. In the healthcare sector, downtime of the EHR platform, internal systems and even a data center can be as costly as $7,900 per minute, according to the Ponemon Institute. Additionally, a mid-size hospital will incur at least $45,700 in losses per hour in case of disruption, even when it is proactive.
Cybercriminals looking for profit, and even adversarial nation states seeking a means to disrupt, are drawn to critical organizations like the healthcare sector where operations and downtime are considered both costly and urgent. This is where they have more leverage and can pressure victimized organizations to pay a ransom in hope of restoring operations sooner.
The hefty costs of downtime are unfortunately only the tip of the iceberg here, as hospitals scramble to operate through an attack that puts patients at risk and compromises trust, reputation and employee safety for what can seem like an eternity when there is no definite end in sight. Breaches can therefore become excessively expensive, especially if they are combined with an extortion threat that adds the ransom payment to overall losses.
Healthcare Records: Costliest to Buy — or Lose!
The data loss aspects of a breach, meaning how much data and what types of data were lost, are part of what foretells the loss magnitude of that breach and the down-the-line implications that also carry costs.
In the healthcare sector, the 2022 Cost of a Data Breach report has found that nearly half (47%) of the breaches analyzed exposed customer personal data, such as name, contact details, SSN, date of birth, passwords, or healthcare data – representing the most common type of breached record in the report. The unit cost here was $172-185 per record with compromised employee or customer PII compared with the global average of $164. Multiply this number by the number of lost records, and this one factor alone can amount to millions of dollars before any other costs have been added.
Healthcare data is also the costliest record for cybercriminals to obtain in dark web shops. Unlike a stolen credit card number that can go for a few dollars, healthcare records, and what’s inside them, go for about $250 each, and fake birth certificates based on compromised PHI go for at least $500 on the dark web. As a highly valuable commodity, personal health information (PHI) is often sold in cybercrime shops alongside other PII, but what makes it so valuable is the amount of data in one record and its extended shelf life. A credit card number can be deactivated and swapped by your bank in minutes, but healthcare data is not the kind you can easily change. If it’s valid now, it’s valid tomorrow, and even years down the line.
The amounts of healthcare data that trickled into underground markets grew considerably during the COVID era, when attacks on hospitals increased to pressure them into paying extortion fees. PHI is most often used for identity theft and for obtaining services and accounts in the name of the victim. While it’s not as readily usable as a payment card, it has been an enabler of insurance fraud, tax return fraud, financial fraud, identity theft, and more. In some cases, this data was sold openly via mobile chat apps and fraudster forums. So how does this impact breach costs for healthcare providers? Through lawsuits and class actions that drag through the legal system for years. As an example, the 2015 OPM data breach is only now (2022) settling class action suits that are costing an additional $63 million in settlements for the individuals whose data was compromised.
Unfortunately, stealing data is not the only way cybercriminals cause long-term damage in the healthcare sector. Cybercriminals also sell access to compromised networks and assets within hospital networks, monetizing backdoors and malware implants they share with other criminals, which can be the root cause of additional breaches and ransomware extortion down the line.
HIPAA — A Heap O’ Regulatory Fines
One can’t talk about healthcare data without mentioning HIPAA, the regulation governing the processing of PHI. The healthcare sector is both a critical infrastructure constituent and one of the most regulated industries. Companies in these sectors can see higher costs due to regulatory fines. For example, a HIPAA violation in all categories can cost nearly $2M in fines alone. Cybercriminals are well-aware of the penalties that regulators will impose for a data breach, and they use that as leverage to get paid, adding more costs to the growing losses from the breach.
Long Tail Costs for Highly Regulated Sectors
Connecting regulation with another undesired effect, regulated industries also see a long tail of costs that accumulate down the line. Long-tail costs of a breach impact both the victimized organization and those who do business with it as partners, vendors, customers, and employees. They are linked with what ends up happening with the data, and what befalls those whose data was compromised.
Over time, long-tail costs can come in the shape of lawsuits, regulatory penalties, reputational damage, and customer churn. Victims are likely to suffer identity and insurance fraud and financial fraud, pay legal fees, and lose untold amounts of time to undoing the damage related to the breach.
In highly regulated industries, such as healthcare, an average of 24% of data breach costs were accrued more than two years after the breach occurred, adding to a bottom line that keeps growing well after the breach has ended.
Healthy Strategies to Lower Healthcare Breach Costs
There is no bulletproof way to stop a breach. These damaging events can happen any day, and thus, the more prepared one is, the better they can contain and limit damage. Building maturity into cyber crisis management and incident response strategies is a powerful way to prepare. These two proactive essentials should have meticulous plans and playbooks that organizations can fall back on in case of an unexpected, whole-of-business crisis.
This is also a major cost mitigator, and lowering breach costs is ever more meaningful in the healthcare sector. Investments in incident response teams and plans reduced data breach costs. Companies that had an incident response team and also tested their incident response plan had an average breach cost that was 54.9% lower than those that did not.
Go Zero Trust
A zero trust security strategy can help organizations increase their cyber resiliency and manage the risks of a disconnected business environment, while still allowing users access to the appropriate resources. It’s a model and plan that uses context to securely connect the right users to the right data at the right time under the right conditions, while also protecting your organization from cyber threats.
- From the report, organizations with a mature zero trust strategy had an average data breach cost that was $1.76 million lower than those who didn’t deploy this approach at all.
Automating security operations helps minimize the duration and impact of cyberattacks by automating manual tasks, allowing your team to focus on high-value investigations – especially where security staff is scarce and harder to recruit. One example is automatically correlating security alerts against threat intelligence feeds for malicious indicators and integrating malware analysis into incidents after sandbox detonation.
Security automation is the most meaningful way to better control the security posture and reduce the impact and cost of data breaches.
From the report, organizations with a “fully deployed” security automation strategy had an average breach cost of only $2.90 million – whereas those with no automation experienced more than double that cost at $6.71 million.
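The automation example given above, alert correlation against an indicator feed with sandbox verdicts attached, as an added illustration that is not code from this post or from the Cost of a Data Breach report. The indicator feed, the alert records, the sandbox results and every field name are constructed for the example; a real deployment would pull alerts from the SIEM and indicators from a threat intelligence platform.

```python
"""Correlate SIEM alerts against a threat-intelligence feed and attach sandbox
verdicts. Added example: all data below is constructed, not real telemetry."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed indicator feed. "cidr" entries cover whole ranges; the rest are
# exact-match observables (IPv4 address, domain, SHA-256 of a file).
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 90, "source": "feed-A"},
    {"type": "cidr", "value": "198.51.100.0/24", "confidence": 60, "source": "feed-B"},
    {"type": "domain", "value": "bad-update.example", "confidence": 85, "source": "feed-A"},
    {"type": "sha256", "value": "a" * 64, "confidence": 95, "source": "sandbox"},
]

# Constructed alerts, flattened the way a SIEM export might look.
ALERTS = [
    {"id": 1, "host": "ehr-app-01", "dst_ip": "203.0.113.10", "domain": None, "file_sha256": None},
    {"id": 2, "host": "ws-radiology-7", "dst_ip": "198.51.100.77", "domain": "BAD-UPDATE.example", "file_sha256": None},
    {"id": 3, "host": "ws-billing-3", "dst_ip": "192.0.2.5", "domain": "intranet.example", "file_sha256": None},
    {"id": 4, "host": "ehr-db-02", "dst_ip": None, "domain": None, "file_sha256": "A" * 64},
]

# Constructed sandbox detonation results keyed by (lower-case) file hash.
SANDBOX_RESULTS = {
    "a" * 64: {"verdict": "malicious", "family": "generic.loader", "tags": ["persistence"]},
}

@dataclass
class Match:
    indicator: dict
    matched_field: str

@dataclass
class Incident:
    alert_id: int
    host: str
    matches: list = field(default_factory=list)
    sandbox_verdict: Optional[dict] = None

    @property
    def score(self) -> int:
        """Highest confidence among the matched indicators (0 if none)."""
        return max((m.indicator["confidence"] for m in self.matches), default=0)

def build_index(feed):
    """Split the feed into an exact-match dict and a list of CIDR networks."""
    exact, networks = {}, []
    for ind in feed:
        if ind["type"] == "cidr":
            networks.append((ip_network(ind["value"]), ind))
        else:
            exact[(ind["type"], ind["value"].lower())] = ind
    return exact, networks

def match_alert(alert, exact, networks):
    """Return every indicator that hits one of the alert's observable fields."""
    matches = []
    if alert.get("dst_ip"):
        ip = ip_address(alert["dst_ip"])
        if (ind := exact.get(("ipv4", str(ip)))):
            matches.append(Match(ind, "dst_ip"))
        matches += [Match(ind, "dst_ip") for net, ind in networks if ip in net]
    if alert.get("domain"):
        if (ind := exact.get(("domain", alert["domain"].lower()))):
            matches.append(Match(ind, "domain"))
    if alert.get("file_sha256"):
        if (ind := exact.get(("sha256", alert["file_sha256"].lower()))):
            matches.append(Match(ind, "file_sha256"))
    return matches

def correlate(alerts, feed, sandbox_results, min_confidence=50):
    """Turn alerts with feed hits into incidents, most confident first."""
    exact, networks = build_index(feed)
    incidents = []
    for alert in alerts:
        hits = [m for m in match_alert(alert, exact, networks)
                if m.indicator["confidence"] >= min_confidence]
        if not hits:
            continue  # no intel hit: stays in the normal triage queue
        inc = Incident(alert["id"], alert["host"], hits)
        if alert.get("file_sha256"):
            inc.sandbox_verdict = sandbox_results.get(alert["file_sha256"].lower())
        incidents.append(inc)
    incidents.sort(key=lambda i: i.score, reverse=True)
    return incidents

if __name__ == "__main__":
    for inc in correlate(ALERTS, THREAT_FEED, SANDBOX_RESULTS):
        fields = ", ".join(f"{m.matched_field}->{m.indicator['source']}" for m in inc.matches)
        verdict = inc.sandbox_verdict["verdict"] if inc.sandbox_verdict else "n/a"
        print(f"alert {inc.alert_id} on {inc.host}: score {inc.score} [{fields}] sandbox={verdict}")
```

Running the script ranks the EHR database host first (file hash matched at confidence 95 with a malicious sandbox verdict), then the EHR application host, then the radiology workstation, which matched on both a network range and a domain; the billing workstation produced no hit and is left for routine triage. Raising `min_confidence` drops low-confidence range matches without losing the higher-confidence domain hit on the same alert.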
Cloud Strategy and Security Maturity Go Hand in Hand
Moving data to clouds and working more efficiently via the cloud is today’s, and tomorrow’s, reality. But lagging on cloud security should not be, especially since the costs and agility of security in the cloud are better than on-prem deployments.
Modernizing both cloud infrastructure and the security that helps keep data secure is a cost saver and can limit the blast radius of attacks if ever they occur. From the report:
- Cloud Modernization Maturity Speeds Detection & Response: Organizations who were further along in their cloud modernization were able to detect and respond to incidents 77 days faster than those who were in early-stage adoption (252 vs. 329 days)
- Hybrid Cloud Approach Saves: Organizations that had implemented a hybrid cloud approach had the lowest data breach costs compared with those who had a primarily public or primarily private cloud approach.
Identity and Access
Identity is everything. So, you need to treat every access point to it as the gateway to your organization’s most valuable resources. With compromised user credentials continuing to be a leading cause and effect of data breaches, companies should invest in modernizing their identity and access management (IAM) approaches, especially when it comes to cloud IAM. There are many great basics here, one of which is ensuring the use of multi-factor authentication, which has been helping to curb cybercriminals’ ability to use stolen credentials.
You should also consider offsetting password reliance with options for alternate forms of authentication such as biometrics and authenticator apps, which can add an additional level of security with minimal user friction. An “adaptive access” approach that leverages AI and contextual analytics can help identify high risk and modify the level of authentication needed for each access request. Smart, modern identity solutions deliver a low-friction, secure experience for every user, asset and data interaction, providing a foundation for your zero trust strategy.
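The adaptive access idea described above, as an added example that is not code from this post or from any IAM product: a request's context (device, source country, implied travel speed since the last login, sensitivity of the resource) is scored, and the score selects the authentication level. The signals, weights, thresholds and the sample user history are constructed assumptions chosen for illustration.

```python
"""Adaptive (risk-based) access decision from contextual signals.
Added example; weights, thresholds and sample history are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed weights: how much each contextual signal adds to the risk score.
WEIGHTS = {
    "new_device": 30,          # device not previously registered by this user
    "unusual_country": 25,     # source country not in the user's history
    "impossible_travel": 40,   # implied speed since last login is not plausible
    "sensitive_resource": 15,  # e.g. an EHR/PHI store rather than an intranet page
}
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; faster implies credential reuse

@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime
    resource_sensitivity: str  # "low" or "high"

@dataclass
class UserHistory:
    known_devices: frozenset
    usual_countries: frozenset
    last_lat: float
    last_lon: float
    last_seen: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_signals(req, hist):
    """Return the signals that fire for this request, with their weights."""
    fired = {}
    if req.device_id not in hist.known_devices:
        fired["new_device"] = WEIGHTS["new_device"]
    if req.country not in hist.usual_countries:
        fired["unusual_country"] = WEIGHTS["unusual_country"]
    # Impossible travel: distance from the last login divided by elapsed time
    # (floored at one minute so back-to-back logins do not divide by zero).
    hours = max((req.at - hist.last_seen).total_seconds() / 3600, 1 / 60)
    speed = haversine_km(hist.last_lat, hist.last_lon, req.lat, req.lon) / hours
    if speed > MAX_PLAUSIBLE_KMH:
        fired["impossible_travel"] = WEIGHTS["impossible_travel"]
    if req.resource_sensitivity == "high":
        fired["sensitive_resource"] = WEIGHTS["sensitive_resource"]
    return fired

def decide(req, hist):
    """Map the capped risk score to an authentication requirement."""
    fired = risk_signals(req, hist)
    score = min(sum(fired.values()), 100)
    if score >= 80:
        level = "deny"           # too risky to authenticate; raise an alert for the SOC
    elif score >= 40:
        level = "step_up"        # phishing-resistant factor plus fresh re-authentication
    elif score >= 15:
        level = "mfa"            # password plus authenticator app or biometric
    else:
        level = "password_only"  # low risk: minimal friction
    return level, score, fired

# Constructed history: a clinician who normally logs in from Boston, US.
HISTORY = UserHistory(
    known_devices=frozenset({"laptop-7f3a"}),
    usual_countries=frozenset({"US"}),
    last_lat=42.36, last_lon=-71.06,
    last_seen=datetime(2022, 8, 1, 12, 0, tzinfo=timezone.utc),
)

def sample_requests():
    """Three constructed requests: routine, sensitive resource, and anomalous."""
    base = dict(user="dr.lee", device_id="laptop-7f3a", country="US", lat=42.36, lon=-71.06)
    t = HISTORY.last_seen
    return [
        AccessRequest(**base, at=t + timedelta(hours=2), resource_sensitivity="low"),
        AccessRequest(**base, at=t + timedelta(hours=2), resource_sensitivity="high"),
        # Unknown device in Frankfurt one hour after the Boston login.
        AccessRequest(user="dr.lee", device_id="unknown-9c1d", country="DE", lat=50.11, lon=8.68,
                      at=t + timedelta(hours=1), resource_sensitivity="high"),
    ]

if __name__ == "__main__":
    for req in sample_requests():
        level, score, fired = decide(req, HISTORY)
        print(f"{req.device_id:>13} {req.country} {req.resource_sensitivity:>4}: "
              f"{level:<13} score={score:<3} {sorted(fired)}")
```

The routine request from a known device clears with a password only, the same device reaching a PHI store is asked for a second factor, and the unknown device in another country one hour after a Boston login trips every signal and is denied outright. In practice the weights would be tuned against the organization's own login telemetry rather than fixed by hand, but the shape of the decision stays the same.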
Get the complete set of insights from this year’s Cost of a Data Breach report and join us on our upcoming webinar: ibm.biz/breach-report
Top findings and recommendations webinar ibm.biz/breach-webinar
Book a consult with an X-Force expert ibm.biz/book-a-consult
Principal Consultant, X-Force Cyber Crisis Management, IBM
Limor Kessem is a Principal Consultant with X-Force’s Cyber Crisis Management, helping organizations prepare for and face crisis-level cyber-attacks. Previ...