According to IBM’s 2024 Cost of a Data Breach report, healthcare has the highest breach costs of 17 industries studied
By AJ Thompson, CCO, Northdoor plc
IBM’s 2024 Cost of a Data Breach report has highlighted the increasing cost for organisations in the healthcare sector that suffer a data breach. The report found that the average cost of a healthcare data breach is now $9.77 million, a staggering 67 percent higher than the global average of $4.88 million and the highest cost of the 17 industries studied.
The report found that the three most common initial attack vectors were phishing (16 percent of all breaches), compromised credentials (15 percent of all breaches) and cloud misconfiguration (12 percent of all breaches). Even though the average cost of a data breach in healthcare went down by 11 percent compared to 2023, the average total cost of a breach of 50 million records is still $375 million, and the average cost of a ransomware-related breach came in at $4.91 million.
Why is healthcare a main target for cybercriminals?
Healthcare tops the list for average data breach cost when compared to other verticals, and by some margin. Next on the list is the financial sector at $6.08 million, followed by the industrial sector at $5.56 million.
There are a number of reasons for the huge difference in the cost of a breach. The sector is very heavily regulated, which immediately increases the cost, and most governments classify it as critical infrastructure.
The nature of the data held by healthcare organisations also makes it an incredibly tempting target for cybercriminals. In the US, March 2024 set a new record for healthcare breaches according to the HIPAA Journal: 93 breaches of 500 or more records were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). This is a 50 percent increase from February 2024 and a 41 percent increase year-on-year from March 2023. This marked the highest number of breaches reported in a single month before the COVID-19 lockdown in 2020.
The time it takes to identify and contain a cyberattack within the healthcare sector is also worryingly high compared to the global average. IBM’s report found that it takes 213 days to identify an attack in the healthcare sector and an additional 83 days to contain it. This is compared to the global average of 194 days to identify an attack and 64 days to contain it.
Notable healthcare breaches
The Synnovis cyberattack, thought to have been carried out by a Russian group, is a prime example of the impact of a cyberattack. The incident forced London NHS hospitals to resurrect long-discarded paper records systems, in which porters hand-delivered blood test results because IT networks were disrupted.
Guy’s and St Thomas’ trust (GSTT) also went back to using paper, rather than computers, to receive the outcome of patients’ blood tests.
More recently, the Information Commissioner’s Office (ICO) imposed a provisional fine of £6 million on NHS software provider Advanced Computer Software Group. The software provider was breached in 2022, with hackers exfiltrating 82,946 medical records as well as accessing information on how to gain entry to the homes of 890 vulnerable people.
The incident not only compromised personal information, but also disrupted health services and their ability to deliver patient care, putting an under-pressure sector under further strain.
It is clear that the healthcare sector is very much in the sights of cybercriminals. The nature and perceived value of the data, as well as some of the vulnerabilities the sector experiences (particularly third-party supply chain attacks), mean that healthcare organisations have to do more to protect themselves.
The impact of the cyber skills shortage
Healthcare is seen as part of a nation’s critical national infrastructure (CNI), and therefore cyberattacks against it are much more about destabilising infrastructure, as we have seen in the Synnovis attack. Threat actors know that the healthcare sector is understaffed, under-resourced and therefore primed for disruption.
Long, busy days mean healthcare staff don’t have the time and resources to educate themselves about online risks. The potential disruption caused by a complete overhaul in security systems is just too significant for many in the healthcare sector to even consider.
Healthcare leaders are ready to increase spending on cybersecurity, but with new threats uncovered every day, it isn’t easy to know where the sector would be best investing its budget. High demand for patient information and often-outdated systems are among the reasons healthcare is now the biggest target for online attacks.
IBM’s report found that more than half of breached organisations are facing high levels of security staffing shortages. This represents a 26.2 percent increase from 2023, a situation that corresponded to an average of $1.76 million more in breach costs. Even though one in five organisations say they used some form of Generative AI (GenAI) security tools, which are expected to help close the gap by boosting productivity and efficiency, the skills gap remains an issue.
AI and Automation
This year’s report found that organisations that applied AI and automation to security prevention saw the biggest impact from their AI investments compared to three other security areas: detection, investigation and response. In total, this amounted to an average cost saving of $2.22 million compared with organisations that didn’t deploy AI security technology.
Those who used incident response (IR) teams and testing made cost savings of $248K compared to those who didn’t use IR. Those who used an identity and access management (IAM) strategy that supports hybrid environments and the user experience also made cost savings of $223K, as opposed to those who did not.
As we have seen, one of the main routes in for cybercriminals is through employees, third parties and healthcare suppliers. Supply chains in the healthcare sector tend to be incredibly large and complex, and so many organisations find it almost impossible to have any insight into where vulnerabilities might lie in the network.
AI and automation’s contribution to healthcare cybersecurity goes beyond threat detection: it is incredibly proactive in prevention as well. Traditionally, security measures often rely on known patterns of attack, leaving organisations vulnerable to new and evolving threats. Using AI allows organisations to adapt to evolving threats by detecting anomalies that do not conform to established attack patterns.
AI can help identify suspicious behaviour within a healthcare organisation, such as employee access patterns suddenly changing, or an unusual volume of data being accessed after hours. AI systems can flag these activities for investigation, and this rapid detection allows security teams to respond swiftly, minimising potential damage.
Correlating data manually can also be a time-consuming, if not impossible, task. However, AI can collect data from multiple sources, providing a comprehensive view of potential threats. This allows for early detection of advanced, multi-stage attacks that might otherwise go unnoticed.
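As an added illustration of the two ideas above (flagging after-hours access that deviates from a user’s normal pattern, then correlating it with a second data source), the following Python script is an example written for this page; it is not code from the article, IBM or Northdoor. The EHR audit-log lines, VPN-log lines, user names, the 07:00–19:00 weekday shift window and the z-score threshold are all constructed assumptions for the example. It learns each user’s business-hours baseline, flags after-hours sessions far above it, and raises the severity when a VPN login from a country that user has never connected from before preceded the session.

```python
# Added example: baseline-and-deviation detection over constructed EHR access
# and VPN logs. Log lines, users, shift window and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed weekday shift window; anything outside it (or at the weekend) is "after hours".
BUSINESS_START, BUSINESS_END = 7, 19

# Constructed EHR audit log: "timestamp,user,records_accessed" per session.
EHR_ACCESS_LOG = """\
2024-03-04T09:15:00,nurse_a,12
2024-03-04T11:40:00,nurse_a,9
2024-03-05T10:05:00,nurse_a,11
2024-03-05T14:30:00,nurse_a,10
2024-03-06T09:50:00,nurse_a,13
2024-03-07T02:10:00,nurse_a,140
2024-03-04T09:00:00,clerk_b,30
2024-03-05T09:05:00,clerk_b,28
2024-03-06T09:10:00,clerk_b,31
2024-03-06T19:45:00,clerk_b,32
"""

# Constructed VPN log: "timestamp,user,country_code" ("ZZ" is a placeholder code).
VPN_LOG = """\
2024-03-04T08:50:00,nurse_a,GB
2024-03-07T01:55:00,nurse_a,ZZ
2024-03-06T19:30:00,clerk_b,GB
"""


def parse_log(text):
    """Turn 'timestamp,user,value' lines into (datetime, user, value) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, value = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, value))
    return rows


def is_after_hours(dt):
    """True at weekends or outside the assumed shift window."""
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.hour < BUSINESS_END)


def build_baselines(ehr_events):
    """Per-user mean and spread of records accessed in business-hours sessions.
    The spread is floored at 1.0 so near-identical history is not over-sensitive."""
    samples = defaultdict(list)
    for dt, user, count in ehr_events:
        if not is_after_hours(dt):
            samples[user].append(int(count))
    return {u: (mean(c), max(pstdev(c), 1.0)) for u, c in samples.items()}


def baseline_countries(vpn_events):
    """Countries each user has connected from during business hours."""
    seen = defaultdict(set)
    for dt, user, country in vpn_events:
        if not is_after_hours(dt):
            seen[user].add(country)
    return seen


def detect_anomalies(ehr_events, vpn_events, z_threshold=3.0, window=timedelta(hours=1)):
    """Flag after-hours sessions far above the user's baseline, then raise the
    severity if a VPN login from a previously unseen country preceded them."""
    baselines = build_baselines(ehr_events)
    known = baseline_countries(vpn_events)
    alerts = []
    for dt, user, count in ehr_events:
        count = int(count)
        if not is_after_hours(dt):
            continue
        # A user with no business-hours history gets a zero baseline, so any
        # after-hours access by them is flagged.
        mu, sigma = baselines.get(user, (0.0, 1.0))
        z = (count - mu) / sigma
        if z <= z_threshold:
            continue
        # Correlation step: a VPN login in the preceding hour from a country
        # this user has never used during business hours.
        novel_login = any(
            u == user and dt - window <= vdt <= dt and country not in known[u]
            for vdt, u, country in vpn_events
        )
        alerts.append({
            "user": user,
            "time": dt.isoformat(),
            "records": count,
            "z_score": round(z, 1),
            "novel_login": novel_login,
            "severity": "high" if novel_login else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(EHR_ACCESS_LOG), parse_log(VPN_LOG)):
        print(alert)
```

On the constructed data only nurse_a’s 02:10 session is flagged: 140 records against a baseline of roughly 11 per session, preceded by a VPN login from an unseen country, so it is rated high. clerk_b’s 19:45 session is after hours but within normal volume, so it is not flagged, which is the point of using a per-user baseline rather than a blanket after-hours rule.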
Turning to third-party IT consultants
NHS partners that provide critical clinical services are essentially part of the organisation and therefore should be under the same levels of scrutiny as in-house departments.
The only way to do this effectively is to have a 360-degree, 24/7 overview of the whole supply chain. With internal teams struggling with workload already, many are turning to qualified third-party Security Operations Centres provided by IT services consultancies. They have teams of experts who can supplement internal teams allowing for a comprehensive view of where vulnerabilities lie. This then allows NHS organisations to have urgent conversations with supply chain partners to shut the vulnerabilities before they are exploited by cybercriminals.
Cyberattacks are not just holding organisations to ransom but patients too, some in desperate need of medical attention. With the supply chain providing such a lucrative route to valuable data for cybercriminals, this risk is only going to get worse over the coming months. The NHS and similar organisations have to look to engage third-party IT consultants who can ensure that vulnerabilities are shut and, critically, remain shut, keeping data, front-line services and patients safe.