
The economic reality of cybersecurity attacks in healthcare

Beyond the direct costs of a data breach, healthcare providers grapple with long-term economic consequences such as service disruptions leading to lost revenue, increased insurance premiums, and the daunting task of rebuilding patient trust and organizational reputation. Recent HHS settlements following data breaches have added regulatory penalties on top of these costs.


The lifecycle of a data breach from a cost perspective

The IBM Cost of a Data Breach report analyzes the breach lifecycle through two main metrics: "time to identify" and "time to contain". These metrics assess the effectiveness of an organization's incident response (IR) and containment processes.

A shorter data breach lifecycle is directly associated with reduced data breach costs. Specifically, a lifecycle of fewer than 200 days correlates with an average cost of USD 3.93 million, whereas a lifecycle of more than 200 days incurs an average cost of USD 4.95 million. This is a 23% cost difference, translating to savings of USD 1.02 million for breaches contained within the shorter timeframe. The effectiveness of incident response strategies accounts for much of this difference. For example, organizations that both formed an IR team and tested their IR plan identified and contained breaches 54 days faster than those that did neither, resulting in a breach lifecycle of 252 days compared to 306 days for organizations lacking both approaches.

Moreover, the adoption of specific security practices and technologies influences the mean cost of a data breach. For instance, organizations facing security system complexity, a shortage of security skills, and noncompliance with regulations experienced higher breach costs. Breaches in environments with a high level of security skills shortage had an average cost of USD 5.36 million, underscoring the financial impact of lacking essential cybersecurity expertise.


Direct costs: The immediate impact of cyber attacks on healthcare providers

Incident response and recovery expenses

IR strategies and tactics help mitigate the impact of data breaches, and some approaches prove significantly more effective than others. The most impactful IR strategy combines forming an incident response team with rigorously testing the IR plan. Organizations adopting both strategies identified breaches 54 days faster than those without any IR preparations, reducing the time to identify and contain breaches to 252 days, compared to 306 days for those lacking both strategies. Interestingly, testing the IR plan alone, even without forming a dedicated IR team, nearly matched the effectiveness of the combined strategy, reducing breach identification and containment time by 48 days.

Additionally, the use of threat intelligence services has been shown to expedite breach detection: organizations employing these services identified breaches 28 days faster than those not using threat intelligence. This reflects a 13.9% faster identification rate, emphasizing the value of actionable insight into cyber threats and vulnerabilities for an organization's security posture. Moreover, a proactive approach to vulnerability and risk management, involving activities such as vulnerability testing and red teaming, has been linked to lower data breach costs. Organizations that prioritized a risk-based analysis approach experienced data breach costs averaging $3.98 million.


Legal and regulatory fines

Regulatory bodies, such as the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), impose fines when healthcare organizations fail to adequately protect patient information.

Two HHS enforcement actions against noncompliance illustrate the consequences. In the case of Green Ridge Behavioral Health, the OCR announced a settlement of $40,000 after an investigation into a ransomware attack that compromised the organization's electronic health records. The settlement was due to Green Ridge's failure to conduct an accurate risk analysis, implement security measures to reduce risks and vulnerabilities, and sufficiently monitor health information systems for suspicious activity.

In the other case, Doctors' Management Services faced a $100,000 fine as part of its settlement with the OCR, following a significant ransomware attack affecting over 200,000 individuals. The fine was imposed due to deficiencies in identifying risks and vulnerabilities to its electronic protected health information (ePHI), insufficient monitoring to protect against cyberattacks, and inadequate policies and procedures under the HIPAA Security Rule.


Ransom payments: To pay or not to pay?

In 2023, ransomware and destructive attacks emerged as significant threats in the cybersecurity landscape, accounting for 24% and 25% of malicious attacks, respectively. The 2023 report highlights the substantial financial and operational impact of these attacks on organizations. Specifically, the average cost of a ransomware attack rose to $5.13 million, a 13% increase from the previous year's average of $4.54 million. Similarly, destructive attacks, which render systems inoperable, saw their average cost rise to $5.24 million, up 2.3% from $5.12 million in the previous report.

The study further explores the implications of involving law enforcement in containing ransomware attacks, revealing that organizations cooperating with law enforcement experienced significant benefits. The average cost for those not involving law enforcement was $5.11 million, compared to $4.64 million for those that did, resulting in a 9.6% or $470,000 cost reduction. Moreover, the total time to identify and contain a ransomware breach was 33 days shorter with law enforcement involvement, highlighting the effectiveness of such cooperation in mitigating the impact of ransomware breaches.

Regarding the decision to pay the ransom, the findings indicate minimal cost savings. Organizations that paid the ransom saw only a slight reduction in the total cost of the breach: $5.06 million compared to $5.17 million for those that did not pay, and that figure excludes the cost of the ransom itself.


Indirect costs: Long-term economic consequences for healthcare organizations

Impact on healthcare service delivery

With an average cost of $400 per patient record breached, data breaches often reduce the funds available for operational costs. In healthcare, the direct cost of service disruption varies but remains substantial. For example, if a hospital's operations are halted for several days, the lost revenue from outpatient visits alone could amount to hundreds of thousands of dollars, not counting the additional costs of diverting emergency services or postponing elective surgeries.


Reputational damage and patient trust

The reputational damage from a cybersecurity breach can have long-term financial repercussions for healthcare organizations. Patient trust is paramount in healthcare, and when sensitive health information is compromised, patients may choose to seek care elsewhere. The cost of reputational damage is harder to quantify but can be reflected in decreased patient volumes and reduced engagement with services. Businesses could lose half their customers following a data breach, and healthcare organizations potentially face even higher losses due to the sensitivity of health information.


Increased insurance premiums

Following a cybersecurity breach, healthcare organizations often face increased premiums for cyber liability insurance, reflecting the heightened risk profile assessed by insurers. The cost of cyber insurance has been rising steadily, with premiums increasing by as much as 26% to 47% in some cases, according to industry reports. For a healthcare organization, this could translate into additional tens of thousands to hundreds of thousands of dollars in annual insurance costs, depending on the size of the organization and the coverage limits.


FAQs

What is a data breach?

A data breach is a security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization.


What happens if I don't pay the ransom?

If you don't pay the ransom in a ransomware attack, you risk losing access to your encrypted files indefinitely; however, not paying also avoids funding criminal activity and may encourage the use of alternative recovery methods.