Data breaches are becoming more costly across all industries, with healthcare in the lead.

The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year.

Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and regulations developed specifically for healthcare intend to improve the overall security of healthcare entities while protecting patient data. In the face of rising costs and persistent threats, the healthcare industry must continue to innovate.

Data breaches in the healthcare industry pay a high price

A healthcare data breach is among the costliest types of data breach. The average cost of a data breach across industries was $4.45 million, yet the average cost of a healthcare data breach was the highest among all industries at $10.93 million. Healthcare has seen a significant cost increase of 53.3% over the past three years.

Personal data remains a valuable target in a healthcare data breach. Customer and employee personally identifiable information were the top two stolen data types, followed by intellectual property, anonymized personal information and other corporate data such as earnings information and client lists.

Data stored across multiple environments accounted for the highest percentage of breaches and carried the highest total cost compared with any single storage method (public cloud, private cloud or on-premises). When data was stored across multiple environments, detecting and containing a breach took an average of 291 days.

Phishing moved into the top spot as the most used initial attack vector, accounting for 16% of all data breaches. Compromised credentials dropped to the number two spot, followed by cloud misconfiguration. Malicious attacks were the most reported root cause of a healthcare data breach at 56%. IT and human failure were the root cause of fewer data breaches, accounting for 24% and 20%, respectively.

Healthcare data breaches typically went 231 days before being discovered, compared to 204 days in other industries. Containment also took longer in healthcare, an average of 92 days versus 73 days in other industries, meaning healthcare organizations took an average of 19 days longer to contain a data breach.


Strict regulations require strict data protections

Healthcare is a highly regulated industry where data is regulated by the Health Insurance Portability and Accountability Act (HIPAA). Recent updates to the HIPAA Privacy and Security Rules require entities to maintain reasonable and appropriate protection of electronic health data. These rules include provisions for administrative, technical and physical safeguards of data when it’s created and transmitted. Additional privacy protections include guidelines for protecting diagnostic data. Updates to the HIPAA guidelines also include detailed requirements for timely data breach notification depending on the stakeholder type.

While the U.S. Department of Health and Human Services (HHS) does not mandate which electronic platforms healthcare organizations must use, healthcare organizations are encouraged to consult NIST guidance documents when choosing secure platform providers.

Failure to comply with HIPAA regulations results in steep fines. The Department of Health and Human Services Office of Civil Rights (OCR) and state attorneys general are responsible for issuing HIPAA violation fines. The four-tiered HIPAA violation penalty structure takes into account the level of neglect and reasonable knowledge of potential violations a healthcare entity had before and after a data breach. Fines range based on the type and severity of a violation, but the maximum per affected record is $50,000 as of 2022. The annual penalty limit for violations that fall under each of the penalty tiers is $1,919,173 per tier. In some cases, healthcare entities may need to pay civil monetary penalties to individuals affected by a breach.

Lagging security approaches

Cybersecurity investment in healthcare tends to lag behind other industries. The healthcare industry reportedly spends 6% to 10% of its overall IT budget on cybersecurity, with the average spend around 6%. Across all industries surveyed, 51% of organizations said they planned to increase cybersecurity spending after a data breach, even though the cost of a data breach rises each year.

The 2023 Cost of a Data Breach report found the cost of a data breach is reduced when organizations have tools and teams dedicated to protecting and responding to data breaches. The healthcare industry experienced an average cost savings of $2 million with incident response (IR) and testing teams in place versus without IR or testing. Health organizations that deploy artificial intelligence (AI) and automation saw massive cost savings of $850,000 compared to the global average cost of a breach.

With the right tools and skilled workers, the healthcare industry can make strides toward better data protection. As healthcare data remains a valuable target and threats show no sign of slowing, the industry will need to adapt accordingly.
