For bad cyber actors there’s a lot to love about the healthcare industry. Consider the sheer mass of sensitive information of high monetary and intelligence value stored by hospitals and healthcare systems: Social Security numbers; credit card and bank account numbers; and intellectual property related to medical research and innovation.
It’s no wonder healthcare breach costs hit a new record high this past year, according to IBM Security’s “Cost of a Data Breach Report 2022.” The average breach in healthcare increased by nearly $1 million to reach $10.1 million in 2022, a year-over-year increase of $870,000 or 9.4%. In fact, healthcare breach costs have been the most expensive industry for 12 years, consecutively, rising by 41.6% since the 2020 report. (Among the top five industries, financial organizations had the second highest costs — averaging nearly $6 million — followed by pharmaceuticals, $5.01 million; technology, $4.97 million; and energy, $4.72 million.)
According to the report, by comparison the global overall average cost of a data breach is $4.35 million. Data breaches in the U.S. are even more costly, averaging over $9 million. And it isn’t just large entities caught in the line of fire. IBM’s report also found that 83% of all companies will experience a data breach soon, meaning institutions of all sizes are at risk.
Healthcare is one of the more highly regulated industries and is considered critical infrastructure by the U.S. government. Data breaches in high data protection regulatory environments tend to see their related costs accrue in later years following the breach, according to the report.
“The difference between low and high regulatory environments showed up in a pronounced way two years or more after the data breach — the ‘longtail’ costs,” the report states. “In highly regulated industries, an average of 24% of data breach costs were accrued more than two years after the breach occurred.”
This result compares to an average of 8% of costs accrued more than two years after a breach in low regulatory environments. In low regulatory environments, data breach costs tended to accrue in the first three to six months — where an average of 24% of data breach costs accrued.
Interestingly, the 2018 installment of IBM Security’s report found that stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Worse still, the cost to remediate a breach in healthcare is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.
So what are some key cyber hardening tactics that hospitals, medical facilities and healthcare systems can deploy to better protect their sensitive data? Lisa J. Pino, director, Office for Civil Rights, U.S. Department of Health and Human Services, writes in a blog that risk analyses conducted by healthcare entities to often only cover the electronic health record. Strengthening an organization’s cyber posture must go much farther, she warns.
“I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope,” Pino says. “You should fully understand where all electronic protected health information [ePHI] exists across your organization — from software, to connected devices, legacy systems, and elsewhere across your network.”
For many organizations under the healthcare industry umbrella, it’s high time to review your risk management policies and procedures to prevent or mitigate these concerns, Pino says. Here are four best practices:
- Maintaining offline, encrypted backups of data and regularly test your backups;
- Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
- Regular patches and updates of software and Operating Systems; and
- Training your employees regarding phishing and other common IT attacks.
For additional guidance on how to start implementing organizational cybersecurity best practices, check out CISA Cyber Essentials, produced by the Cybersecurity & Infrastructure Security Agency, and the Cyber Essentials Starter Kit.