Data breaches cost the healthcare sector an average of $6.5 million per breach, over 60 percent more than all other business sectors, according to a Ponemon Institute report, sponsored by IBM. Other sectors spend about $3.9 million, on average.
Researchers interviewed 500 global organizations that experienced a data breach in the last year. The researchers found for the ninth consecutive year the healthcare sector is still the hardest hit financially by data breaches.
The costs are directly related to legal, technical, and regulatory functions, including patient notifications, breach detection and response, and lost business caused by reputational damage, loss of consumer trust, and downtime.
What’s more, loss of business has remained the largest breach expense for the last five years among all industries, with a cost of $1.42 million, or 35 percent, on average.
The Ponemon report also showed some of these costs are also associated with the highly regulated nature of the healthcare sector, which can add to the financial impact. Healthcare had higher costs in the second and third years than other sectors.
About 67 percent of the costs occurred during the first year after a breach, 22 percent during the second, and 11 percent in the years that followed the two-year mark.
The researchers also found breach costs have increased 5 percent in healthcare in the past year. In fact, health providers will spend $429 per each lost or stolen record – up from $408 per record in 2018. The cost is about three times more per record than all other sectors.
Breach costs are rising across all sectors at 12 percent, with the impact lasting for several years after the initial incident, the report showed. The financial impact is directly related to increased regulation, the complexity of criminal cyberattack resolution, and the financial impact that can last for several years.
Further, the financial impact of breaches is twice as much in the US than other countries, at an average of $6.5 million. And those costs have increased 130 percent in the past 14 years. The average cost of a breach in the US was $3.5 million in 2006.
Those costs also varied by organization size, with small- to medium-sized organizations spending 5 percent of annual revenue, or $2.5 million to recover.
These numbers are especially concerning given a recent CHIME and KLAS report that found small providers are not keeping pace with necessary cybersecurity measures, like risk management, and governance.
Also concerning, malicious or criminal cyberattacks were behind 51 percent of all breaches and are the costliest in terms of recovery at 25 percent higher than breaches caused by system or insider error. These attacks have increased 21 percent from 2014 to 2019.
What’s worse is that it took the breached US organizations an average of 245 days to identify and contain a breach. However, the report tied breach response directly to cost saving. Organizations that detected and contained the breach in less than 200 days spent $1.2 million less on total breach costs.
Lastly, organizations that focus on incident response can reduce the time it takes to respond and had a direct correlation to overall costs. Those that had these measures in place reduced their breach costs by $1.23 million, compared to those organizations without those functions.