
Optimize Cybersecurity and Decrease Data Breach Costs in Healthcare


Key Takeaways

  • The cost of a data breach in healthcare consistently exceeds that of every other industry, at $10.93 million per breach on average according to IBM's 2023 Cost of a Data Breach report.
  • Healthcare breach costs include direct costs (investigation, mitigation, litigation, and any ransom paid) and indirect costs from unplanned downtime, compromised personal data and intellectual property, and reputational damage.
  • Building a culture of security and continually reviewing systems, access, and procedures reduce both the likelihood and the impact of an attack.

The frequency and sophistication of cyberattacks are rising across industries, and healthcare is no exception. In 2023, more than 630 ransomware incidents were reported by healthcare organizations worldwide. Beyond the human cost of attacks that disrupt patient care, the average financial cost of a healthcare data breach consistently exceeds that of any other industry.

The High Cost of a Healthcare Data Breach

Every data breach carries direct and indirect costs. If your organization is attacked, expect direct costs for investigation, containment and recovery, regulatory notification, and potential litigation, plus any ransom paid. Indirect costs include unplanned downtime, the loss or exposure of personal data and intellectual property, and reputational damage that shows up later as lost patients and higher insurance premiums.

According to IBM's 2023 Cost of a Data Breach report, the average healthcare data breach costs $10.93 million, the highest of any industry for the thirteenth consecutive year.

Beyond the immediate financial consequences, healthcare organizations must account for the long-term impacts of an incident. For instance, if your networks are held for ransom, your organization may not be able to access information that’s essential to patient care. If the highly sensitive data you protect is stolen, your patients could endure consequences for years to come.

Healthcare Entities and Ransom Payments

The FBI advises against paying ransoms: payment does not guarantee that data will be restored or that stolen copies will be deleted, and it funds the next attack. Healthcare organizations nevertheless face a hard trade-off, because they cannot afford to lose access to clinical systems, data, and networks for extended periods, or to have sensitive patient information leaked.

There are many examples in the news of health systems paying ransoms to regain access to their systems and data, and, by extension, to protect patient lives.

Ransom Paid: $22 Million

On February 21, 2024, the ALPHV/BlackCat ransomware group attacked Change Healthcare, UnitedHealth Group's medical claims-processing subsidiary, and exfiltrated files containing personal data and protected health information. The attackers gained entry with stolen credentials for a remote-access portal that did not have multi-factor authentication enabled, moved through the network, and then deployed ransomware. Approximately 11 million patient records were affected, and the resulting outage disrupted claims and pharmacy processing for providers nationwide.

Ransom Paid: Undisclosed

In December 2019, Hackensack Meridian Health (HMH) in New Jersey was hit by a ransomware attack and paid an undisclosed ransom. The attack took essential clinical software offline, postponing many medical procedures and forcing hospital staff to fall back to pen and paper. HMH faced a class-action lawsuit following the incident.

Ransom Attacks Exploiting the COVID-19 Pandemic

As patient numbers surged at hospitals around the world during the COVID-19 pandemic, cybercriminals exploited the strain on staff and systems. These attacks have not stopped even as public attention to COVID-19 has faded. On October 9, 2023, personal data on roughly 815 million individuals, exfiltrated from the COVID-19 testing database of the Indian Council of Medical Research, was offered for sale on the dark web.

Healthcare Entities and Patient Records

Patient records, which combine personally identifiable information (PII) with protected health information (PHI), are highly valuable to cybercriminals and are reportedly sold for as much as $1,000 each on criminal markets. Unlike a stolen card number, a medical record cannot be cancelled and reissued, which is why it commands that premium.

Records Breached: 190,000+

In August 2023, the Rhysida ransomware group breached Prospect Medical Holdings, a healthcare company operating more than 150 clinics and dozens of hospitals in Southern California, Connecticut, Pennsylvania, and Rhode Island, exposing more than 190,000 records. The stolen data included Social Security numbers, passport information, driver's license numbers, and patient files, as well as financial and legal documents.

Records Breached: 624,000

CommonSpirit Health, the largest Catholic health system in the United States, was struck by a ransomware attack in October 2022. The records of 624,000 patients, family members, and caregivers were exposed and potentially stolen. This attack contributed significantly to the organization’s $1.3 billion operating loss.

How to Minimize Healthcare Cybersecurity Attacks

Strengthening cybersecurity in healthcare is essential for safeguarding sensitive data. A proactive culture of security combined with layered controls (so that no single failure, such as one stolen password, gives an attacker everything) makes an organization a much harder target.

Set Data Access Controls

Start with access. Implement role-based access control so that each role is granted only the data and actions its job requires (HIPAA's "minimum necessary" principle), deny everything not explicitly granted, and require multi-factor authentication for every account, with no exceptions for remote-access portals, VPNs, or vendor accounts, since stolen credentials remain the most common way in. Encrypt data in transit and at rest so that intercepted traffic or a stolen disk yields nothing; note that encryption at rest does not stop an attacker who is logged in with a valid account, which is why access control and logging of every access decision matter just as much.
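One way to put those rules into code, as an added example that is not part of the original article or Eide Bailly's own tooling: a deny-by-default authorization gate for patient-record requests that enforces role permissions, requires MFA for remote sessions and sensitive actions, restricts clinical staff to patients on their care team, and records every decision for audit. The roles, permissions, care-team table, and requests are constructed for illustration.

```python
"""Deny-by-default, role-based gate for patient-record access.

Added example, not code from the original article or from Eide Bailly. The
roles, permissions, care-team table and sessions below are constructed; a
real deployment would load them from the identity provider and the EHR.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Role -> permissions it grants. Anything not listed here is denied.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "physician": {("phi", "read"), ("phi", "write"), ("billing", "read")},
    "nurse": {("phi", "read"), ("phi", "write")},
    "billing": {("billing", "read"), ("billing", "write"), ("phi.demographics", "read")},
    "it_admin": {("audit_log", "read")},  # infrastructure role: no clinical data
}
CLINICAL_ROLES: Set[str] = {"physician", "nurse"}

# Sensitive operations that need a verified second factor even on-site.
MFA_REQUIRED: Set[Permission] = {("phi", "write"), ("billing", "write"), ("audit_log", "read")}

# Constructed care-team assignments: clinician -> patients they are treating.
CARE_TEAM: Dict[str, Set[str]] = {
    "dr.lee": {"P001", "P002"},
    "nurse.ray": {"P001"},
}


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    remote: bool  # session came in through a VPN or remote-access portal


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT: List[dict] = []  # every decision, allow or deny, is recorded here


def authorize(session: Session, resource: str, action: str,
              patient_id: Optional[str] = None) -> Decision:
    """Evaluate one access request. All checks must pass; the first failing
    check supplies the reason that is logged and returned."""
    needed: Permission = (resource, action)
    if session.remote and not session.mfa_verified:
        # A stolen password alone must not open a remote session to anything.
        decision = Decision(False, "remote session without verified MFA")
    elif not any(needed in ROLE_PERMISSIONS.get(r, set()) for r in session.roles):
        decision = Decision(False, f"roles {sorted(session.roles)} do not grant {needed}")
    elif needed in MFA_REQUIRED and not session.mfa_verified:
        decision = Decision(False, f"{needed} requires MFA")
    elif (resource.startswith("phi") and patient_id is not None
          and session.roles & CLINICAL_ROLES
          and patient_id not in CARE_TEAM.get(session.user, set())):
        # Minimum necessary: clinical staff see only patients they are treating.
        decision = Decision(False, f"{session.user} is not on the care team for {patient_id}")
    else:
        decision = Decision(True, "granted")
    AUDIT.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": session.user,
        "resource": resource,
        "action": action,
        "patient": patient_id,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def denied_for(user: str) -> List[str]:
    """Reasons for every denial recorded against a user (feeds the SOC)."""
    return [a["reason"] for a in AUDIT if a["user"] == user and not a["allowed"]]


if __name__ == "__main__":
    phys = Session("dr.lee", frozenset({"physician"}), mfa_verified=True, remote=False)
    print(authorize(phys, "phi", "read", "P001"))   # granted
    print(authorize(phys, "phi", "read", "P009"))   # not on care team
    remote_nurse = Session("nurse.ray", frozenset({"nurse"}), mfa_verified=False, remote=True)
    print(authorize(remote_nurse, "phi", "read", "P001"))  # remote without MFA
    print(denied_for("nurse.ray"))
```

The ordering matters: the remote-without-MFA check runs before the role check so that an attacker holding a valid clinician password and nothing else is refused at the door, and the audit entry says why. Keeping denials in the same log as grants is what lets a detection team later ask "which account was refused a hundred charts at 2 a.m.?"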

Use Technology to Guard Against Cyber Attacks

Technology is the second layer. Use analytics and automation to baseline normal behavior and flag deviations from it, such as an account reading far more patient charts than its peers, after-hours bulk access, or logins from unfamiliar networks, and deploy intrusion detection on the network and endpoint detection and response on workstations and servers so that an intruder is noticed before ransomware is deployed. Where the organization runs an Enterprise Resource Planning (ERP) system, choose one with built-in compliance and security features (audit trails, segregation of duties, single sign-on) rather than bolting them on afterward.
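What "detect unusual patterns and behaviors" looks like in practice, as an added example that is not part of the original article or Eide Bailly's own tooling: three simple behavioral detections run over EHR access-log lines, flagging bulk chart access well above the peer baseline, after-hours activity, and access from outside the internal address ranges. The log format and every event are constructed; real EHR audit logs differ in layout but carry the same fields.

```python
"""Behavioral detections over EHR access logs.

Added example, not code from the original article or from Eide Bailly. The
log line format and all sample events are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, Iterable, List, Set

# Constructed line layout: "<ISO-8601 UTC> user=<id> action=<verb> patient=<id> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)

# Address ranges treated as on-site; anything else is "external" (assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample_log() -> List[str]:
    """Constructed events: four clinicians on a day shift reading a few charts
    each, plus one account reading 40 charts from an external address at 02:00."""
    lines = []
    for i, user in enumerate(["nurse.a", "nurse.b", "nurse.c", "dr.d"]):
        for j in range(3 + i):  # 3, 4, 5 and 6 distinct charts respectively
            lines.append(f"2024-03-04T{9 + j:02d}:15:00Z user={user} action=read "
                         f"patient=P{100 * i + j:05d} src=10.0.1.{10 + i}")
    for j in range(40):
        lines.append(f"2024-03-04T02:{j:02d}:00Z user=jsmith action=read "
                     f"patient=P9{j:04d} src=203.0.113.7")
    return lines


def parse(lines: Iterable[str]) -> List[dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_bulk_access(events: List[dict], k: float = 5, floor: int = 20) -> Dict[str, int]:
    """Users whose distinct-patient count exceeds k times the population median
    and an absolute floor (so a small clinic does not alert on ordinary variance)."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        per_user[e["user"]].add(e["patient"])
    counts = {u: len(p) for u, p in per_user.items()}
    baseline = median(counts.values()) if counts else 0
    threshold = max(floor, k * baseline)
    return {u: c for u, c in counts.items() if c > threshold}


def detect_after_hours(events: List[dict], start_hour: int = 7, end_hour: int = 19) -> Dict[str, int]:
    """Count of events per user that fall outside the assumed working window."""
    per_user: Dict[str, int] = defaultdict(int)
    for e in events:
        if not (start_hour <= e["ts"].hour < end_hour):
            per_user[e["user"]] += 1
    return dict(per_user)


def detect_external_source(events: List[dict]) -> Dict[str, Set[str]]:
    """Source addresses per user that are not inside the internal ranges."""
    per_user: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        addr = ipaddress.ip_address(e["src"])
        if not any(addr in net for net in INTERNAL_NETS):
            per_user[e["user"]].add(e["src"])
    return dict(per_user)


def run(lines: Iterable[str]) -> Dict[str, dict]:
    events = parse(lines)
    return {
        "bulk_access": detect_bulk_access(events),
        "after_hours": detect_after_hours(events),
        "external_source": detect_external_source(events),
    }


if __name__ == "__main__":
    for name, hits in run(build_sample_log()).items():
        print(f"{name}: {hits}")
```

Each detector alone is noisy (an on-call physician legitimately works at night; a large ward legitimately touches many charts), which is why the bulk-access threshold is relative to the peer median rather than a fixed number, and why an analyst would correlate the three signals on one account before escalating.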

Have a Crisis Plan in Place

Being prepared for a cybersecurity incident lets you act faster and limit the damage. Maintain a written incident response plan that names who decides what (including whether to take systems offline and how to reach law enforcement and counsel), rehearse it with tabletop exercises, and keep offline, tested backups so that restoring clinical systems does not depend on a criminal's decryption key.

Work with a Trusted Advisor

Considering the tremendous and varied costs associated with a medical data breach, it pays to be prepared. Eide Bailly’s cybersecurity professionals can help you understand your risks and prepare appropriate prevention tactics, safeguarding your systems, data, and reputation. Our managed IT services team will help eliminate the day-to-day stress of managing and supporting your business’s technology environment. From properly maintaining your network for ongoing security and stability to providing end-user support when things go wrong, we’ll keep your business healthy and protected.
