IBM report finds that cybersecurity attacks impact health care more than any other sector | Crain's New York Business

2022-08-13 03:12:00 By : Mr. leo Huang

Ransomware attacks occur when hackers demand health care systems pay ransoms to get access to medical devices and other technology back.

A data breach within a health care system could cost in excess of $10 million—more than in any other sector—according to a new report.

The cost is on the rise, up about $1 million from last year. The uptick is partially due to increasingly integrated technology systems.

The report, released by IBM at the end of last month, collected national data from more than 550 organizations across industries from March 2021 to March 2022, analyzing how cybersecurity attacks impact organizations. Breaches within the health care sector have cost companies $10.1 million per breach, a nearly 10% increase from last year and a 42% increase from 2020. The average cost of a critical infrastructure data breach globally in any industry was just under $4.5 million.

Financial organizations experience the second-most-expensive breaches, at nearly $6 million per breach, IBM reports.

Cyberattacks can happen in many different ways, said Limor Kessem, a principal consultant in cyber crisis management for IBM’s Security X-Force. Destructive attacks and ransomware attacks—wherein hackers disrupt a hospital’s technologies, for example, and ask the hospital to pay a ransom in order to get access back—are disruptive as well as costly.

“Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack,” Kessem told Crain’s. “That’s on top of staff distress and having to revert to manual procedures and paperwork.”

The stakes are particularly high for New York hospitals. By industry standards, every hospital bed uses an average of 15 devices, many of them interconnected, including monitors and IV pumps, according to Chad Holmes, a product specialist at Cynerio, a cybersecurity company on the Upper West Side. A 1,000-bed hospital could have 15,000 devices that could all be impacted by an attack, he said.

“If a city like New York lost access, that would be really bad for ERs and could have a really bad cascading effect,” Holmes said. If patients had to be diverted from a city health system location but all sites were impacted by a breach, it could have a domino effect, he said.

Health care organizations are more vulnerable to cybersecurity attacks than other systems are because hackers know these organizations are hit harder when technologies aren’t working, Kessem said. Such downtime costs organizations financially, but it also can cost lives if medical systems are disrupted.

The complexity of the technology infrastructure health care systems tend to use also makes them more vulnerable to attacks, Kessem said, and many organizations run outdated programs on devices they use every day, exacerbating the issue.

According to IBM’s report, highly regulated environments such as health care systems wind up paying for data breaches for longer compared with less-regulated industries. Typically a health care organization can take more than 10 months to recover from a data breach.

Cynerio released a report last week that shows hospitals typically have to pay $250,000 to $500,000 to recover access to their technology after a ransomware attack, and there is no real way to recoup those costs, Holmes said. The firm asked 517 hospital leaders about the frequency of attacks; leaders reported that once their system was hit, they got hit many more times afterward. Overall, 11% of the time, health care systems were attacked 25 or more times.

Almost a quarter of cyberattacks Cynerio studied led to increased patient mortality, Holmes said, because attacks disrupted lifesaving medical treatment.

Sher Baig, who works in global cyber commercialization at GE Healthcare, said big hospitals can see losses of up to $50 million in a single quarter because of cyberattacks. The losses are so large they could force hospitals out of business, Baig said, underscoring the need for hospital leaders to have a defense plan in place.

“I highly recommend having an incident response plan, a team in place to carry out the response, and drilling that plan to improve over time,” Kessem said. “A special playbook for ransomware cases can not only save costs for the hospital—about 58% of the breach’s cost—but it can also save lives.”

IBM has released annual reports on the cost of data breaches for nearly two decades.
