Why Are Healthcare Data Breaches So Expensive?

The complexity and volume of health data, paired with its status as a highly regulated critical infrastructure sector, make healthcare data breaches more expensive than those in other sectors.

Healthcare data breaches can have far-ranging impacts on operations, security, and even patient safety. And to add insult to injury, breaches are more than likely to affect a healthcare organization’s bottom line.

Healthcare cybersecurity incidents have been a pernicious problem over the past few years. According to IBM Security, the average cost of a healthcare data breach rose to $11 million in 2023, signifying a $1 million increase from the previous year’s report and a 53 percent increase since 2020. The global average cost of a data breach across all sectors in 2023 was $4.45 million – a 15 percent increase over the last three years, but still only a fraction of healthcare’s breach costs.

These figures raise the question: why are healthcare data breaches so expensive?

To Gina Bertolini, a partner at K&L Gates who specializes in healthcare security and privacy, the answer to this question is multifactorial.

Health data is “harder to protect, it's more complicated to detect an incident, and it's more expensive to implement compliance measures after the fact,” Bertolini said during an interview with HealthITSecurity.

The complexity and volume of health data, paired with the highly regulated nature of the industry, make breach recovery an expensive endeavor, but proactive healthcare organizations can take steps to reduce these costs.

Volume, Scope of Health Data Increases Breach Complexity

As the healthcare sector continues to digitally transform, health data is becoming more complex. For example, the COVID-19 pandemic propelled healthcare further into a digital environment with the increasing popularity of telehealth and remote patient monitoring.

While these technologies have enabled greater operational efficiencies and access to care, they have also opened healthcare organizations up to new security risks, and more systems and devices to protect.

The tremendous volume of data that healthcare entities are creating, receiving, and processing cannot be overstated and may be contributing to higher breach costs.

“We've created this superhighway of digitized information and that has upped the risk as it relates to potential breaches,” Bertolini suggested.

What’s more, Bertolini added, the 21st Century Cures Act and interoperability standards have encouraged the flow of health data. That is a win for providers and patients, but it adds upfront compliance complexity for security and legal teams.

“The risks are so great that hospitals and healthcare providers need to invest significantly into keeping those doors closed and keeping those locks secure,” Bertolini continued.

“There is such diversity of data, which makes that hard to do. It takes a lot of smart people to figure out how all this information is coming together and being pulled into the records and figuring out how to put the right systems in place to protect all those areas of ingress and egress that might exist. The data is very complicated, and there is a huge volume of it.”

As health data gets more complex and varied, healthcare security teams may need to implement various tools and strategies to mitigate risk.

IBM’s report found that organizations with high levels of security system complexity reported higher data breach costs on average, representing an increase of 31.6 percent compared to organizations with low or no security system complexity.

In addition, health data is highly valuable to threat actors, who have been known to exfiltrate patient data and offer it for sale on the dark web. The volume, scope, value, and ever-changing nature of health data all complicate the task of protecting it from bad actors. As such, a breach of this data can incur millions in detection and recovery costs.

Healthcare is a Highly Regulated Industry

In addition to the volume and complexity of health data, healthcare is known to be a highly regulated industry when it comes to security and privacy. Regulations such as HIPAA and the Federal Trade Commission’s Health Breach Notification Rule provide patients with certain assurances about how their personal data can be used or disclosed and guarantee that they will be informed if a breach does occur.

Other industries, such as the financial sector, are also strictly regulated and may have to pay more to bounce back from a breach. In fact, the financial sector was right behind healthcare in terms of the highest breach costs by IBM’s calculations.

In addition, healthcare is one of the 16 critical infrastructure sectors designated by the US government. IBM found that critical infrastructure entities, including those in the financial services, healthcare, industrial, technology, communication, and energy sectors, incurred data breach costs that were $1.26 million higher than the average cost of breaches in other industries.

“When you have a breach, you are now looking at a forensics analysis to figure out what data elements were impacted, and who was impacted. Then there's the cost of complying with not only HIPAA but a host of state laws,” Bertolini noted.

“If you operate in multiple states, you have to understand how all those laws impact you and how to comply with those laws, and you have to make sure you have the mechanisms in place to meet those compliance requirements.”

The incident response process for healthcare cyber incidents is highly complex, as it requires collaboration between security, privacy, and legal teams.

“You really need to look at enterprise-wide, your security and privacy measures, and policies enterprise-wide to ensure that you're compliant with HIPAA and with relevant state laws because you know you're going to be subject to an investigation,” Bertolini added.

“And so you are spending time and effort making sure that you have security and privacy policies in place, that the workforce is educated, and that you are implementing the policies in the right way.”

Of course, businesses outside of healthcare and beyond critical infrastructure must also put significant effort into incident response and breach notification efforts. But with patient privacy and safety at risk, the stakes for healthcare organizations remain particularly high.

Compliance with a patchwork of state and federal laws may contribute to increased costs for the healthcare sector compared to other industries.

Tips For Reducing Healthcare Data Breach Costs

Data breach costs might be climbing, but healthcare organizations can still take action to reduce risk. Focusing on prevention and detection can help reduce the chances and impact of a data breach.

Bertolini suggested that interdepartmental collaboration and a culture of compliance, rather than siloed teams, are critical to reducing these costs.

“Having IT engage with your clinical workforce, risk management, and really understanding how data is used and where the vulnerabilities might be from a process perspective, as well as investing in the security tools that are going to best mitigate risk, are all crucial,” Bertolini noted.

IBM’s research suggested that a shorter breach lifecycle was also associated with a reduction in costs.

“Other factors that mitigated costs included incident response planning and testing, employee training, and high usage of a DevSecOps approach,” the report noted. “On the other hand, a security skills shortage, high levels of security system complexity, and noncompliance with regulations led to increased costs.”

IBM recommended that organizations consider leveraging artificial intelligence (AI) and automation to identify and contain breaches more quickly, which could lead to reduced costs.

When it comes to dealing with federal regulators in the aftermath of a breach, Bertolini suggested that “there is no good that can come from sticking your head in the sand.”

“The best approach in dealing with state and federal regulators is to understand what you need to do before the bad thing happens in order to be compliant. Have the policies in place and have the workforce in place and take steps to demonstrate that you understand what compliance is,” Bertolini noted.

“Then, when that bad thing happens, you can respond immediately and acknowledge and address it in a way that's consistent with the regulations.”

Even though the costs of preventing, detecting, and recovering from a healthcare data breach may still be steep, implementing key safeguards to mitigate risk and streamline processes can go a long way.