Healthcare Sector Breaches Costliest of All Sectors, Hit New Record High
IBM Security and the Ponemon Institute release an annual report known as one of the most significant industry benchmarks. The Cost of a Data Breach analysis examines real-world breaches in great detail, producing insights into the factors that drive the cost of cyber-attacks.
In the 2022 report just released, the healthcare sector stands out for
extremely high breach costs on the global average chart. Furthermore, the
sector has kept its leading position in that respect for the 12th
year in a row, setting a new record of $10.10 million in average breach costs after
rising nearly $1m from the previous year. Here are some stats to consider in
comparison:
- The global average cost of a breach across all sectors was $4.32 million
- The average ransomware attack cost organizations $4.54 million
- The average critical infrastructure attack came in at $4.82 million
So, what makes healthcare breaches cost more than double what the rest of
the industry loses to cyber-attacks of similar types?
In this post, we unpack some of the factors that specifically impact the
healthcare sector in that respect.
Costly Stats: More Breaches, More Records Lost
The number of breaches in the healthcare sector has been on a
steady rise over the past decade. If breach numbers stood at double digits in
2009, by 2021, we are talking over 700 breaches in just
one year.
There has also been an increase in the number of records lost in
each breach, especially with organizations working more digitally than ever. Over 90% of clinics
and hospitals in the US have moved to EHRs and EHR platforms, often using
several platforms across health systems, without necessarily following up with
the required security. In some cases, cybercriminals were able to breach and
dump entire EHR databases and sell them in underground fraud markets for hefty
profits.
With digitization advancing across the sector, everyone is also processing
larger volumes of data than ever in cloud environments, which often turn out to be
poorly secured. Overall, the Cost of a Data Breach report found that while
many organizations work in the cloud, only 23% of those surveyed could say
they were mature on the cloud security front. That in turn translates into longer,
and costlier, detection and containment phases in case of a breach.
Interoperability is another place where issues can arise. Without
stringent security on that front, breaches can originate from business partners
and other interconnected systems. For critical infrastructure organizations,
17% of breaches started with third-party compromise.
The complexity of the infrastructure and the insecure ways in which data
is used yield damaging effects, with lost-record counts ranging from tens of thousands to millions at a time. The
more records are lost in a breach, the costlier it will be, carrying both
short- and longer-term impact via regulatory fines, lawsuits, and
reputational damage. In healthcare’s case, that equation is worsened by a
higher per-record cost.
Lengthy Detection, Costly Downtimes Entice Cybercriminals to Disrupt
The healthcare sector tops the chart in time it
takes breached organizations to detect and contain an attack. At 232 days
to detect and an additional 85 days to contain, the early parts of the attack’s
lifecycle alone take well over 10 months, giving attackers a long time to dwell
and gain leverage. This leverage later translates into more damage and higher
breach costs.
The next factor is the disruption, and the urgency to recover. In the healthcare sector,
that urgency is what can entice cybercriminals to target it. Every sector can put
an average price on the cost of unscheduled downtime. In the healthcare
sector, downtime of the EHR platform, internal systems and even a data center
can be as costly as $7,900 per minute, according to
the Ponemon Institute. Additionally, a mid-size hospital will incur at least $45,700 in losses per
hour of disruption, even when it is proactive.
Cybercriminals looking for profit, and even adversarial nation states seeking a
means to disrupt, are drawn to critical sectors like healthcare,
where operations are urgent and downtime is costly.
This is where they have more leverage and can pressure victimized organizations
to pay a ransom in the hope of restoring operations sooner.
The hefty costs of downtime are unfortunately but the
tip of the iceberg here as hospitals scramble to operate through an attack that
puts patients at risk, compromises trust, reputation and employee safety for
what can seem like eternity when there is no definite end in sight. Breaches
can therefore become excessively expensive, especially if they are combined
with an extortion threat that can add the ransom payment to overall losses.
Healthcare Records: Costliest to Buy – or Lose!
The data loss aspects of a breach, how much data and
what types of data were lost, are part of what foretells the magnitude of
that breach and the down-the-line implications that also carry costs.
In the healthcare sector, the 2022 Cost of a Data Breach report found that nearly half
(47%) of the breaches analyzed exposed customer personal data, such as name, contact
details, SSN, date of birth, passwords, or healthcare data – the
most common type of breached record in the report. The unit cost here was $172-185
per record of compromised employee or customer PII, compared with the
global average of $164. Multiply this number by the number of lost records, and
this one factor alone can amount to millions of dollars before any other costs
have been added.
Healthcare data is also the costliest record for cybercriminals to obtain in dark
web shops. Unlike a stolen credit card number that can go for a few dollars,
healthcare records, and what’s inside them, go for about $250 each, and fake
birth certificates based on compromised PHI go for at least $500 on the dark
web. As a highly valuable commodity, personal health information (PHI) is often sold in cybercrime shops alongside
other PII, but what makes it so valuable is the amount of data in one record
and its extended shelf life. A credit card number can be deactivated and
swapped by your bank in minutes, but healthcare data are not the kind you can
easily change. If it’s valid now, it’s valid tomorrow, and even years down the
line.
The amounts of healthcare data that trickled
into underground markets grew considerably during the
COVID era, when attacks on hospitals increased to pressure them into paying
extortion fees. PHI is most often used for identity theft and for obtaining
services and accounts in the name of the victim. While it’s not readily usable
like a payment card, it’s been an enabler of insurance fraud, tax return fraud,
financial fraud, identity theft, and more.
In some cases, this data was sold openly via mobile chat apps and fraudster forums. So how does
this impact breach costs for healthcare providers? Lawsuits and class
actions that drag through the legal system for years. As an example, the
2015 OPM data breach is only now (2022) settling class action suits that are
costing an additional $63 million in
settlements for the individuals whose data was compromised.
Unfortunately, stealing data is not the only way cybercriminals cause
long term damage in the healthcare sector. Cybercriminals also sell access to
compromised networks and assets within hospital networks, monetizing
backdoors and malware implants they share with other criminals, which can
be the root cause of additional breaches and ransomware extortion down the
line.
HIPAA – A Heap O’ Regulatory Fines
One can’t talk about healthcare data without
mentioning HIPAA, the regulation governing the processing of PHI. The
healthcare sector is both a critical infrastructure constituent and one of the
most regulated industries. Companies in these sectors can see higher costs due
to regulatory fines. For example, a HIPAA violation in all categories
can cost nearly $2M in fines alone. Cybercriminals are well-aware of the
penalties that regulators will impose for a data breach, and they use that as
leverage to get paid, adding more costs to the growing losses from the breach.
Long Tail Costs
Connecting regulation with another undesired effect,
regulated industries also see a long tail of costs that accumulate down the line.
Long tail costs of a breach impact both the victimized organization and those
who do business with it as partners, vendors, customers, and employees. They
are linked with what ends up happening with the data, and what befalls those
whose data was compromised.
Over time, long tail costs can come in the shape of lawsuits, regulatory penalties,
reputational damage, and customer churn. Victims are likely to suffer identity and
insurance fraud and financial fraud, pay legal fees, and lose untold amounts of time
overturning the damages related to the breach.
In highly regulated industries, such as healthcare, an
average of 24% of data breach costs were accrued more than two years
after the breach occurred, adding to a bottom line that keeps growing well
after the breach has ended.
Healthy Strategies to Lower Healthcare Breach Costs
Be Prepared
There is no bulletproof way to stop a breach. These damaging events can
happen any day, and thus, the more prepared one is, the better they can contain
and limit damage. Building maturity into cyber crisis management and incident response strategies is
a powerful way to prepare. These two proactive essentials should have
meticulous plans and playbooks that organizations can fall back on in case of
an unexpected, whole-of-business crisis.
This is also a major cost mitigator, and lowering breach costs is ever
more meaningful in the healthcare sector. Investments in incident response
teams and plans reduced data breach costs. Companies with an incident response
team that also tested their incident response plan had an average breach cost
54.9% lower than those who did not.
Go Zero Trust
A Zero Trust security
strategy can help organizations increase their cyber resiliency and manage the
risks of a disconnected business environment, while still allowing users access
to the appropriate resources. It’s a model and plan that uses context to
securely connect the right users to the right data at the right time under the
right conditions, while also protecting your organization from cyber threats.
- From the report, organizations with a mature zero trust
strategy had an average data breach cost that was $1.76 million lower than
those who didn’t deploy this approach at all.
Security Automation
Automating security operations helps minimize the duration and impact of
cyberattacks by taking over manual tasks, allowing your team to focus on
high-value investigations – especially where security staff is scarce and
harder to recruit. One example is automatically correlating security alerts
against threat intelligence feeds for malicious indicators and integrating
malware analysis into incidents after sandbox detonation.
Security automation is the most meaningful way to better control the
security posture and reduce the impact and cost of data breaches.
From the report, organizations with a “fully deployed” security automation strategy had
an average breach cost of only $2.90 million – whereas those with no automation
experienced more than double that cost at $6.71 million.
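The alert-to-threat-intelligence correlation mentioned above, as an added illustration (not IBM's or the report's code): the feed entries, alerts and field names are constructed sample data, and the normalization and escalation rules are assumptions about how such an automation step might be built.

```python
"""Correlate SIEM alerts with a threat-intel feed (added illustration, not IBM's code)."""
from dataclasses import dataclass, field

# Constructed feed: raw indicator -> (type, confidence 0-100, campaign tag).
TI_FEED = {
    "203.0.113.42": ("ipv4", 90, "ransomware-c2"),   # RFC 5737 test address
    "Update-Portal.example.": ("domain", 70, "phishing"),
    "ab" * 32: ("sha256", 95, "loader"),             # placeholder hash
}

def normalize(kind, value):
    """Canonical form so feed and alert values compare reliably."""
    value = value.strip().lower()
    return value.rstrip(".") if kind == "domain" else value

# Index the feed by normalized value once so each observable is an O(1) lookup.
TI_INDEX = {normalize(k, i): (k, c, t) for i, (k, c, t) in TI_FEED.items()}

@dataclass
class Alert:
    alert_id: str
    severity: str          # "low", "medium", "high" or "critical"
    observables: dict      # kind -> list of raw values seen in the alert
    matches: list = field(default_factory=list)

def enrich(alert):
    """Attach matching indicators; escalate severity on a high-confidence hit."""
    hits = []
    for kind, values in alert.observables.items():
        for raw in values:
            key = normalize(kind, raw)
            entry = TI_INDEX.get(key)
            if entry and entry[0] == kind:          # type must match too
                hits.append({"indicator": key, "confidence": entry[1], "tag": entry[2]})
    alert.matches = hits                            # idempotent on re-run
    if any(h["confidence"] >= 80 for h in hits):
        alert.severity = "critical"
    return alert

def triage(alerts):
    """Enrich every alert and return the queue highest priority first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    enriched = [enrich(a) for a in alerts]
    return sorted(enriched, key=lambda a: (rank.get(a.severity, 4),
                  -max((h["confidence"] for h in a.matches), default=0)))

# Constructed alert queue; A-2's domain differs from the feed only in case and trailing dot.
SAMPLE_ALERTS = [
    Alert("A-1", "low", {"ipv4": ["203.0.113.42"], "domain": ["intranet.example"]}),
    Alert("A-2", "medium", {"domain": ["update-portal.example"]}),
    Alert("A-3", "high", {"sha256": ["cd" * 32]}),
]
```

Running `triage(SAMPLE_ALERTS)` promotes the low-severity A-1 to the top of the queue because its IP matched a 90-confidence indicator, while A-2 keeps its analyst-assigned severity but gains a phishing tag for context.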
Cloud Strategy and Security Maturity Go Hand in Hand
Moving data to the cloud and working more efficiently via the cloud is
today’s, and tomorrow’s, reality. But lagging on cloud security should not be,
especially since the cost and agility of security in the cloud are better than
for on-prem deployments.
Modernizing both cloud infrastructure and the security that helps keep
data secure is a cost saver and can limit the blast radius of attacks if ever
they occur. From the report:
- Cloud Modernization Maturity Speeds Detection & Response: organizations
that were further along in their cloud modernization were able to detect and
respond to incidents 77 days faster than those in early-stage adoption
(252 vs. 329 days).
- Hybrid Cloud Approach Saves: organizations that had implemented a
hybrid cloud approach had the lowest data breach costs compared with those that
had a primarily public or primarily private cloud approach.
Identity & Access
Identity is everything, so you need to treat every access point to it as the gateway to
your organization’s most valuable resources. With compromised user credentials continuing to be a
leading cause, and consequence, of data breaches, companies should invest in
modernizing their Identity and Access Management (IAM) approaches, especially
when it comes to cloud IAM. There are many
great basics here, one of which is ensuring the use of multi-factor
authentication, which has been helping to curb cybercriminals’ ability to use stolen
credentials.
You should also consider offsetting password reliance with alternate forms of authentication
such as biometrics and authenticator apps, which add an additional
level of security with minimal user friction. An “adaptive access” approach that leverages AI and contextual
analytics can help identify high-risk requests and adjust the level of authentication
required for each access request. Smart, modern identity solutions deliver a
low-friction, secure experience for every user, asset and data interaction,
providing a foundation for your Zero Trust strategy.
Get the complete set of insights
from this year’s Cost of a Data Breach report and join us on our upcoming
webinar: ibm.biz/breach-report
Top findings and recommendations webinar ibm.biz/breach-webinar