For 13 consecutive years, healthcare data breaches have been the most expensive of any industry.
A report released this week from technology giant IBM paints a troubling but likely familiar picture for healthcare executives tasked with cybersecurity efforts. Over the past three years, the average cost of breaches to healthcare organizations has grown more than 50%, topping out at $10.93 million per breach so far this year, the report said.
Environmental complexity, staff shortages and the length of time it takes to detect and contain breaches all add to the price tag, Limor Kessem, senior managing consultant of cyber crisis management at IBM, said in an interview. The costs of detecting and containing breaches have gone up as well, comprising about a third of the total price of a breach, Kessem said.
Healthcare organizations "face unique challenges that would give attackers a different attack surface -- sometimes a lot bigger than they would encounter somewhere else," Kessem said.
In the past three months, healthcare companies have reported three of the biggest data breaches since 2010. On July 10, Nashville-based hospital system HCA Healthcare reported a data security incident that may have compromised personal information from approximately 11 million patients. In May, the Health and Human Services data breach portal listed a hack of Managed Care of North America, a benefits administrator, which affected nearly 9 million patients. PharMerica, a pharmacy services company, reported a breach the same month affecting 5.8 million individuals.
Cybersecurity threats to healthcare organizations have grown exponentially in the last few years, according to a report published earlier this month by managed security company Trustwave. Nearly 25% of cyberattacks in 2022 targeted the healthcare industry, according to data cited in the report.
While IBM’s data from a separate report placed the percentage lower, at around 5.8% of the total, Kessem said healthcare organizations will remain targets because patient records are relatively difficult to change.
“If you have a credit card number that's lost or stolen, you can have the bank change it the next day,” Kessem said. “But if you have healthcare information and stuff your insurance uses, it's a lot harder to modify that -- if at all.”