Data breaches are becoming more costly across all industries, with healthcare in the lead.

The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year.

Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and regulations developed specifically for healthcare intend to improve the overall security of healthcare entities while protecting patient data. In the face of rising costs and persistent threats, the healthcare industry must continue to innovate.

Data breaches in the healthcare industry pay a high price

A healthcare data breach is among the costliest types of data breach. The average cost of a data breach across industries was $4.45 million, yet the average cost of a healthcare data breach was the highest among all industries at $10.93 million. Healthcare has seen a significant cost increase of 53.3% over the past three years.

Personal data remains a valuable target in a healthcare data breach. Customer and employee personally identifiable information were the top two stolen data types, followed by intellectual property, anonymized personal information and other corporate data such as earnings information and client lists.

Data stored across multiple environments consisted of the highest percentage of breaches, with the highest total cost compared to other singular storage methods (public cloud, private cloud, on-premises). The time required to detect and contain a data breach averaged 291 days when data was stored across multiple environments.

Phishing moved into the top spot as the most used initial attack vector, accounting for 16% of all data breaches. Compromised credentials dropped to the number two spot, followed by cloud misconfiguration. Malicious attacks were the most reported root cause of a healthcare data breach at 56%. IT and human failure were the root cause of fewer data breaches, accounting for 24% and 20%, respectively.

Healthcare data breaches tend to last 231 days before they’re discovered, compared to 204 days across other industries. The healthcare industry experienced longer containment periods, an average of 92 days compared with other industries at 73 days. Healthcare organizations took an average of 19 days longer to contain a data breach.

Read the full report

Strict regulations require strict data protections

Healthcare is a highly regulated industry where data is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Recent updates to the HIPAA Privacy and Security Rules require entities to maintain reasonable and appropriate protection of electronic health data. These rules include provisions for administrative, technical and physical safeguards of data when it’s created and transmitted. Additional privacy protections include guidelines for protecting diagnostic data. Updates to the HIPAA guidelines also include detailed requirements for timely data breach notification depending on the stakeholder type.

While the U.S. Department of Health and Human Services (HHS) does not mandate which electronic platforms healthcare organizations must use, they are encouraged to use NIST guidance documents when choosing secure platform providers.

Failure to comply with HIPAA regulations results in steep fines. The Department of Health and Human Services Office of Civil Rights (OCR) and state attorneys general are responsible for issuing HIPAA violation fines. The four-tiered HIPAA violation penalty structure takes into account the level of neglect and reasonable knowledge of potential violations a healthcare entity had before and after a data breach. Fines range based on the type and severity of a violation, but the maximum per affected record is $50,000 as of 2022. The annual penalty limit for violations that fall under each of the penalty tiers is $1,919,173 per tier. In some cases, healthcare entities may need to pay civil monetary penalties to individuals affected by a breach.

Lagging security approaches

Cybersecurity investment in healthcare tends to lag behind other industries. The healthcare industry reportedly spends 6% to 10% of its overall IT budget on cybersecurity, where the average spend is around 6%. A projected increase in cybersecurity spending after a data breach was considered by 51% of all industries surveyed, even though the cost of a data breach rises each year.

The 2023 Cost of a Data Breach report found the cost of a data breach is reduced when organizations have tools and teams dedicated to protecting and responding to data breaches. The healthcare industry experienced an average cost savings of $2 million with incident response (IR) and testing teams in place versus without IR or testing. Health organizations that deploy artificial intelligence (AI) and automation saw massive cost savings of $850,000 compared to the global average cost of a breach.

With the right tools and skilled workers, the healthcare industry can make strides toward better data protection. As healthcare data remains a valuable target and threats show no sign of slowing, the industry will need to adapt accordingly.

More from Data Protection

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today