The healthcare industry suffers the most costly breaches at more than $10 million per incident, and is the most breached sector, according to two reports issued within the past year.
IBM Security's "Cost of a Data Breach 2022" report found that healthcare was the highest-cost industry for the twelfth year in a row. The average total cost of a breach in healthcare increased from $9.23 million in 2021 to $10.10 million in 2022, an increase of 9.4%.
"Healthcare is one of the more highly regulated industries and is considered critical infrastructure by the U.S. government," according to the report.
Cyderes cites the Q4 2021 "Healthcare Cybersecurity Report," completed by the Herjavec Group; Robert Herjavec serves as Cyderes CEO. The report expands on findings that "70% of surveyed organizations reported that healthcare ransomware attacks have resulted in longer lengths of stays in hospital and delays in procedures and tests that have resulted in poor outcomes including an increase in patient mortality."
So cyberattacks on healthcare organizations are not only costly in terms of dollars; more importantly, breaches of systems are putting the lives of patients at risk.
From 2019 to 2021, the Herjavec report found the healthcare industry saw an increase in breaches and leaks of more than 50%. This resulted in:
According to the IBM report, the top five most affected industries remained the same from 2021 to 2022, with healthcare inauspiciously leading the way. The other most-affected industries are, in order: financial, pharmaceuticals, technology, and energy.
Cyderes notes that healthcare cybersecurity is a particularly complex and difficult task. From the report:
"With the ultimate goal of keeping patients safe while simultaneously protecting their critical and private data, it presents a challenging balancing act for cybersecurity professionals. Pile on the vast amount of IoT devices, intricate system of privileged access requirements and end-users, regulatory compliance such as HIPAA, GDPR, and NIS, and the unprecedented challenges of a worldwide pandemic and maintaining a strong cybersecurity posture can seem like an overwhelming and almost impossible undertaking."