I used to binge Grey’s Anatomy. Before entering the world of software and cybersecurity, my only idea of a healthcare cyber-attack was how it all went down in Season 14’s eighth episode. Computers and monitors mysteriously all stop working before a hacker broadcasts an ominous ransom note on every screen in the facility. The hacker then proceeds to mess with anything with a network on the premises, even the thermostats, until a former-hacker-turned-doctor saves the day. A viewer who isn’t part of the healthcare or cybersecurity industry might not bat an eye at this neat little bow-topped conclusion, but a quick read into the stats might make them wiser.
This summer, IBM released its 18th annual “Cost of a Data Breach Report,” an in-depth, multi-faceted analysis of the effects such an attack can leave on an institution. So that’s what I’d like to take a look at today - I’ll start with a few of the most staggering statistics about the financial cost of a cybersecurity breach, followed by some healthcare-specific data, and wrap it up with some possible ways to avoid falling prey to a data breach.
Get ready for some numbers…
The report includes 17 industries, and all currency amounts are in USD. The broadest statistic is the average total cost of a breach (globally), which came out to an all-time high of $4.45 million this year. The US held onto its 13-year title for the highest data breach costs at $9.48 million, over twice the national average and a 4% increase from last year.
82% of breaches involved data stored in the cloud. 39% of breaches spanned multiple environments (as opposed to public or private) and incurred an average of $4.75 million. (For more specific stats on cloud attacks, see pages 43-45 in the report.)
Ransomware and “destructive attacks” accounted for about a quarter of malicious attacks. For at least the past 3 years, customers’ Personal Identifiable Information (PII) is consistently the most-attacked AND most expensive breach target. This year reported an all-time high of $165 per record lost/stolen.
For brevity, I’m leaving out statistics on how many days it takes to notice and resolve a breach, but the averages were all in the 200’s. I’m also leaving out the potentially devastating cost to a company’s reputation.
Healthcare is a particularly enticing target due to factors such as its overall position as a crucial infrastructure, the value of its data, and its lack of security investment. COVID-19 seems to have exacerbated the situation as well.
Healthcare data breaches cost on average about $10.93 million this year, increasing by 53.3% (more than $3 million) since 2020. For 13 consecutive years, it continues to be the industry with the most expensive data breaches; the finance industry holds second place, trailing behind it by over $5 million. A separate 2018 report found that the cost per healthcare record was over twice that of the aforementioned overall average, at a staggering $408 per record (likely higher today).
Regarding ransoms, IBM’s statistics show that paying a ransom tends to be a bit more costly than refusing it and involving law enforcement. However, articles like this one suggest that a healthcare institution may be more likely to pay the ransom anyway, due to the literal life-and-death situations a breach may cause.
Check out the chart below from page 28 of the IBM report, showing the average cost difference of breaches at organizations who employ certain cost-influencing factors. The middle demonstrates the overall average data breach cost of $4.45 million.
One of the best ways to reduce the cost of a data breach is to “build security into every stage of software development and deployment—and test regularly.” This method includes:
51% of organizations increased investment in security post-breach this year. Next to DevSecOps, the strategy most invested in post-breach is Incident Response (IR), which involves knowing ones attack surface by employing:
In regards to cloud, the report suggests modernizing data protection with the following:
Bringing it back to healthcare specifically for a moment, compliance with regulations is especially crucial. Consider the financial consequences for noncompliance shown in the chart above, the legality of non-compliance in the industry, and the cruciality of healthcare as an industry and infrastructure. As healthcare organizations are analyzing devices' cybersecurity more and more, the need for medical device manufacturers to prove that their devices are secure is becoming increasingly crucial. The Mayo Clinic’s process to ensure security is another good resource for this.
The Grey’s Anatomy episode I mentioned before contains nuggets of realism when it comes to a healthcare cyber-attack, such as the potential inclusion of law enforcement, the temporary reliance on paper-and-pen methods, the debate of whether or not to pay a ransom, and that such attacks can really cause critical life-and-death situations. But in real life, breaches tend to take several months to detect and eradicate, and the effects can linger much longer than a credits sequence.
Now, healthcare organizations are setting stringent cybersecurity requirements in the medical devices they purchase. At Promenade Software, cybersecurity is our #1 priority. We are well-versed and experienced in the aforementioned breach-resistant strategies, as well as regulations and standards. We approach medical device security with the seriousness and micro-focus it deserves. If you’d like help securing your device, implementing cloud, or have any questions about any of this, reach out to us any time.