Healthcare tops industries affected by data breaches

For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of $10.9 million.

Jeff Lagasse, Editor

While data breaches affect all industries, healthcare suffers the largest financial hit, according to data compiled by the Ponemon Institute.

This year, the average cost of a data breach reached an all-time high of $4.4 million. That's a 2.3% increase from 2022, and, taking the long-term view, the average cost has increased 15.3% from the 2020 report.

Since 2020, healthcare data breach costs specifically have increased 53.3%, representing a considerable rise in recent years. This is the 13th consecutive year the health industry reported it had the most expensive data breaches, averaging $10.9 million in cost.

While data breach costs continued to rise, the participants were almost equally split on whether they plan to increase security investments because of a data breach. The top areas identified for additional investments included incident response (IR) planning and testing, employee training, and threat-detection and response technologies.

WHAT'S THE IMPACT?

Only one-third of companies discovered their data breaches through their own security teams, highlighting a need for better threat detection. Sixty-seven percent of breaches were reported by a benign third party or by the attackers themselves. When attackers disclosed a breach, it cost organizations nearly $1 million more compared to internal detection.

This year's research shows that excluding law enforcement from ransomware incidents led to higher costs. While 63% of respondents said they involved law enforcement, the 37% that didn't paid 9.6% more and experienced a breach life cycle that was 33 days longer.

Cloud environments were frequent targets for cyberattackers in 2023. Attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than-average cost of $4.75 million.

Organizations that reported low or no security system complexity experienced an average data breach cost of $3.84 million in 2023. Those with high levels of security system complexity reported an average cost of $5.28 million, representing an increase of 31.6%.

Luckily, some factors appear to ameliorate some of these costs. Integrated security testing in the software development process showed sizable ROI in 2023. Organizations with high adoption saved $1.68 million compared to those with low or no adoption. Compared to other cost-mitigating factors, integrated security testing demonstrated the largest cost savings.

And in addition to being a priority investment for organizations, IR planning and testing also emerged as a highly effective tactic for containing the cost of a data breach. Organizations with high levels of IR planning and testing saved $1.49 million compared to those with low levels.

THE LARGER TREND

A 2022 report from law firm BakerHostetler showed consumers are increasingly suing organizations over data breaches. Healthcare comprises 23% of lawsuits due to data breaches. The next highest is business and professional services, at 17%, followed by finance and insurance (15%), education (12%) and manufacturing (10%).

Of all industries, healthcare also logged the highest initial ransom demand from hackers and bad actors, at more than $8.3 million. The average ransom that was actually paid was far lower, at about $876,000, but that was still the highest average amount paid across all industries.

One of the few bright spots for the industry was in "days to acceptable restoration," or the amount of time it took to return to normal. For healthcare, it was 6.1 days, the second-fastest behind the energy and technology sector, at 4.6 days.
 
