IBM: Health Sector Leads in Annual Data Breach Costs, Topping $7.13M

While the average global data breach cost across all sectors was just $3.86 million, IBM finds health sector breaches are the costliest at $7.13 million, driven by federal and state regulations such as HIPAA.

By Jessica Davis

Data breaches are the most expensive in healthcare when compared to all global industries, with costs topping $7.13 million annually, compared to $3.86 million across all sectors, according to IBM’s annual Cost of a Data Breach report conducted by the Ponemon Institute.

The sector has incurred the highest average breach costs for the last 10 years. Further, this year’s numbers increased 10.5 percent from the 2019 report, the highest increase among all industries. 

The report examined 524 organizations from a wide range of industries and regions that experienced a data breach between August 2019 and April 2020. Researchers interviewed more than 3,200 individuals with knowledge of those incidents to determine the costs associated with the discovery and immediate response to the breach.

Breach costs were tied to root causes, the length of time between detection and containing the incident, estimated cost of business disruptions, and lost customers as a result of the breach. Other factors were also examined, such as the security measures in place prior to the breach and characteristics of the organization.

Overall, breaches in the US come with the highest price tag of any country at $8.64 million annually, followed by the Middle East with $6.52 million and Canada with $4.5 million in annual breach costs.

The average cost of a data breach declined slightly from last year, when the report put annual data breach costs at $3.92 million. Researchers explained this is likely due to “a growing divide in data breach costs between organizations with more advanced security processes, like automation and formal incident response teams, and those with less advanced security postures in these areas.”

Industries with the most rigorous regulatory requirements faced the highest breach costs, which led to the healthcare sector’s hefty breach response costs, researchers noted. 

For healthcare, the research shows several additional concerning elements. 

First, the average time to identify and contain a breach was significantly higher for the sector. Across all sectors, it took an average of 207 days to identify a breach and 73 days to contain it: an average lifecycle of 280 days.

But in healthcare, the lifecycle of a breach averaged 329 days – the longest period across all sectors. For comparison, the financial sector’s breach lifecycle was 96 days shorter. 

“Fully deployed security automation helped companies reduce the lifecycle of a breach by 74 days compared to companies with no security automation deployment, from 308 to 234 days,” researchers explained. 

The report also assessed the leading causes of healthcare data breaches and found malicious attacks were behind 50 percent of the assessed incidents. Human error caused 27 percent of those breaches, followed by "system glitch" with 23 percent. 

Notably, across all examined data breaches, incidents in which attackers accessed enterprise networks through stolen or compromised credentials cost about $4.77 million per incident, almost $1 million more than the global average.

The second most expensive attack was tied to attackers exploiting third-party vulnerabilities, which cost $4.5 million across all sectors. 

These statistics are alarming, given recent reports that millions of IoT medical devices are impacted by Ripple20 vulnerabilities and there are more than 15 billion compromised credentials for sale on the dark web. 

In response, IBM researchers provided several key recommendations for the healthcare sector.  

Administrators should work to identify and classify healthcare and medical technologies, such as IoHT (Internet of Healthcare Things) and IoMT (Internet of Medical Things) devices, and monitor their behavior to protect patient care and operations. They’ll also need to document, communicate, and practice an enterprise-wide incident response plan that includes members from the security, IT, human resources, public relations, legal, and C-level teams.

Lastly, those organizations would benefit from adopting a zero trust security model, which would create self-defending systems and data and support regulatory commitments, such as HIPAA.

"When it comes to businesses' ability to mitigate the impact of a data breach, we're beginning to see a clear advantage held by companies that have invested in automated technologies," said Wendi Whitmore, vice president, IBM X-Force Threat Intelligence, in a statement.

"At a time when businesses are expanding their digital footprint at an accelerated pace and the security industry's talent shortage persists, teams can be overwhelmed securing more devices, systems and data," she added. "Security automation can help resolve this burden, not only supporting a faster breach response but a more cost-efficient one as well."