Quantifying the Financial Impact of Healthcare Ransomware Attacks

April 20, 2023 - The average cost of a healthcare ransomware attack was $4.82 million in 2021, according to IBM Security’s “Cost of a Data Breach Report.” In a new report by ThreatConnect, the cyber threat intelligence company suggested that there is more to be discovered about the true cost of a ransomware attack.

“[T]hat average attack figure takes into account a large number of incidents that cost relatively little (less than $25k) and a few that cost a lot,” the report stated. “The question is—does the average apply to you?”

ThreatConnect analyzed thousands of companies in the manufacturing, healthcare, and utility industries in order to estimate median losses to operating incomes.

“Operating income, also called income from operations, takes a company’s gross income, which is equivalent to total revenue minus [cost of goods sold], and subtracts all operating expenses,” the report explained.

Specifically, ThreatConnect quantified these losses by breaking its analysis down by small, medium, and large companies, with revenues of $500 million, $1.5 billion, and $15 billion, respectively. The report suggested that organizations consult a number that matches their industry and size rather than simply using industry averages when evaluating financial exposure to cyberattacks.

In the case of healthcare, ThreatConnect found that small organizations (defined by the report as having a revenue of $500 million) face median ransomware losses of $15.2 million, with 30 percent of estimated operating income lost. Medium-sized organizations face median losses of $26.8 million with 15.36 percent of estimated operating income lost. Finally, large organizations face $101.2 million in losses according to the report, with just 4.92 percent of estimated operating income lost.

Healthcare organizations may face financial losses tied to revenue loss and remediation costs, as well as brand damage and legal fees. Beyond financial losses, healthcare organizations may suffer operational disruptions and threats to patient safety as a result of a cyberattack.

“As we’ve outlined in the paper, using ‘average’ values to measure your financial exposure to cyber attacks doesn’t work,” ThreatConnect asserted. “Quantifying—and more importantly mitigating—cyber risk is challenging and unless you take a look at what the risk is to your environment, you run the risk of significant losses.”

Rather than focusing on averages, the report recommended that organization ask themselves what the costs of a cyberattack may be based on their specific operating environment, and how they can prioritize cyber investments to mitigate these financial and operational impacts.

“With the National Cyber Strategy coming out of the White House focusing on decreasing cyber risk from critical infrastructure and the new SEC Cyber Proposals, organizations across industries are now being tasked with reporting on cyber risk,” Jerry Caponera, GM of risk quantification at ThreatConnect said in an accompanying press release.

“Organizations are finally waking up to the fact that the impact of ransomware and other cyber attacks is more than just a moment in time. The financial implications are far-reaching and create barriers for companies to continue operations after these attacks.”