Cybersecurity attacks cost healthcare systems more than any other sector, new report finds

A data breach within a healthcare system could cost in excess of $10 million—more than in any other sector—according to a new report.

The cost is on the rise, up about $1 million from last year. The uptick is partially due to increasingly integrated technology systems.

The report, released by IBM at the end of last month, collected national data from more than 550 organizations across industries from March 2021 to March 2022, analyzing how cybersecurity attacks impact organizations. Breaches within the healthcare sector have cost companies $10.1 million per breach, a nearly 10% increase from last year and a 42% increase from 2020. The average cost of a critical infrastructure data breach globally in any industry was just under $4.5 million.

Financial organizations experience the second-most-expensive breaches, at nearly $6 million per breach, IBM reports.

Cyberattacks can happen in many different ways, said Limor Kessem, a principal consultant in cyber crisis management for IBM’s Security X-Force. Destructive attacks and ransomware attacks—wherein hackers disrupt a hospital’s technologies, for example, and ask the hospital to pay a ransom in order to get access back—are disruptive as well as costly.

“Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack,” Kessem told Crain’s. “That’s on top of staff distress and having to revert to manual procedures and paperwork.”

The stakes are particularly high for New York hospitals. According to industry standards, on average every bed in a hospital uses 15 devices that are often interconnected, including monitors and IV pumps, according to Chad Holmes, a product specialist at Cynerio, a cybersecurity company on the Upper West Side. A 1,000-bed hospital could have 15,000 devices that could all be impacted by an attack, he said.

“If a city like New York lost access, that would be really bad for ERs and could have a really bad cascading effect,” Holmes said. If patients had to be diverted from a city health system location but all sites were impacted by a breach, it could have a domino effect, he said.

Healthcare organizations are more vulnerable to cybersecurity attacks than other systems are because hackers know they are impacted more when technologies aren’t working, Kessem said. Such downtime costs organizations financially, but it also can cost lives if medical systems are disrupted.

The complexity of the technology infrastructure healthcare systems tend to use also makes them more vulnerable to attacks, Kessem said, and many organizations run outdated programs on devices they use every day, exacerbating the issue.

According to IBM’s report, highly regulated environments such as healthcare systems wind up paying for data breaches for longer compared with less-regulated industries. Typically a healthcare organization can take more than 10 months to recover from a data breach.

Download Modern Healthcare’s app to stay informed when industry news breaks.

Cynerio released a report last week that shows hospitals typically have to pay $250,000 to $500,000 to recover access to their technology after a ransomware attack, and there is no real way to recoup those costs, Holmes said. The firm asked 517 hospital leaders about the frequency of attacks; leaders reported that once their system was hit, they got hit many more times afterward. Overall, 11% of the time, healthcare systems were attacked 25 or more times.

Almost a quarter of cyberattacks Cynerio studied led to increased patient mortality, Holmes said, because attacks disrupted lifesaving medical treatment.

Sher Baig, who works in global cyber commercialization at GE Healthcare, said big hospitals can see losses of up to $50 million in a single quarter because of cyberattacks. The losses are so large they could force hospitals out of business, Baig said, punctuating the need for hospital leaders to have a defense plan in place.

“I highly recommend having an incident response plan, a team in place to carry out the response, and drilling that plan to improve over time,” Kessem said. “A special playbook for ransomware cases can not only save costs for the hospital—about 58% of the breach’s cost—but it can also save lives.”

IBM has released annual reports on the cost of data breaches for nearly two decades.

This story first appeared in our sister publication, Crain's New York Business.