For the 12th year in a row, the average cost of a breach in healthcare exceeds $10 million, according to the latest IBM X-Force Cost of a Data Breach Report.
Average total non-compliance costs in healthcare increased 9.4%, from $9.2 million in the 2021 report to $10.1 million in 2022.
The study also found that healthcare has a longer breach lifecycle than any other industry, taking nearly 11 months to identify and contain a breach.
“In recent years, we’ve increasingly seen cybercriminals rely on the concept of leverage,” said John Hendley, director of strategy at IBM Security X-Force. “Healthcare is just a very attractive and lucrative target, as operations and downtime are considered expensive and urgent.”
Malicious actors use this sense of urgency as leverage to pressure victims – often through ransomware attacks.
Another key factor driving up healthcare costs is the nature of healthcare records as static data, Hendley explained.
“When your credit card information is compromised, your bank will give you a new card and you can proceed as usual; however, health care data is largely unchanged,” he said. “That means the records are much more valuable and therefore easily found on the dark web for profit.”
Therefore, the per-record cost of these compromised records is much higher (~$250 per record) than that of the average breached record. To put it another way, the average cost of a data breach in healthcare is 80% higher than the global average ($4.35 million).
“Finally, due to the complexity of the healthcare environment, the breach cycle in this industry is longer than in any other industry, and that has resulted in higher costs,” he said. “The longer it takes to identify and contain breaches, the higher the costs for businesses.”
The report shows it took healthcare organizations 232 days to detect and an additional 85 days to contain a data breach.
Hendley said the report’s most troubling finding is actually the same across all industries: data breaches drive up the cost of everything.
“According to the study, at 60% of businesses a data breach raises the price of a product or service,” he noted. “Imagine the route a scalpel takes from raw material to the surgeon and how many organizations are involved in that supply chain.”
First of all, there is the company that mines and refines the metal, the company that processes the metal into tools and packages them, the logistics company that gets the metal to where it needs to go, the hospital itself, as well as the insurance and billing companies that have to track their usage.
“Now, how many of these companies have breaches? Well, on average, our research says it’s 83 percent — or four of those five,” he explained. “Many have more than one.”
He said the downtime associated with a compromise, the response time, and any associated regulatory fines are somehow and increasingly passed on to consumers, almost to the point of becoming a kind of “cyber tax.”
Hendley says cyber incidents need to stop being seen as abstract issues and start being framed for what they are: a significant stress factor, as pressing as COVID, Russia’s war on Ukraine, or other supply chain issues.
“Now the highest-cost industry for the 12th year in a row, it’s clear that healthcare organizations need to invest in their security to avoid paying these costly non-compliance fines and damages in the future,” he added.
From his point of view, it is critical that they prepare for the next breach – because there will be another breach.
“I’m a hacker. I’ve been in the networks and systems of hospitals, medical supply companies, pharmaceutical organizations, and so on,” he said. “There is always a way to get in. Always.”
But all is not lost, he said; healthcare organizations can “absolutely” fight back against modern threat actors.
“The best approach is to have an incident response plan and a manual,” he said. “What do we do if there is a breach? Who are we mobilizing? What is the agreement? How can we quickly control events? The answers to these questions should be thoroughly documented and regularly tested, so they know what to do in the event of a real-life cyber crisis.”
Additionally, while this is a long-term process, a Zero Trust security strategy can help healthcare organizations better manage the risky, disconnected and complex environments they often face, while still allowing users access to the appropriate resources.
“Finally, if you are looking for a very basic step, organizations should review their identity and access management implementation to enforce the use of multi-factor authentication,” Hendley said. “This step greatly helps curb the ability of cybercriminals to use stolen credentials, which is one of their favorite methods of initial compromise.”
Nathan Eddy is a healthcare and technical freelancer living in Berlin.