Healthcare data breaches remain most expensive of any industry

For more than a decade, the healthcare industry has seen the most expensive data breaches of any sector.

The healthcare industry continues to see more expensive breaches, and longer periods of time in containing breaches, says Limor Kessem of IBM.

And the streak is continuing, according to a new report by IBM Security.

Once again, healthcare tops all industries in the cost of cyberattacks, according to IBM’s annual “Cost of a Data Breach” report, which was released Tuesday morning. The healthcare industry has held the top spot since 2011.

The average cost of a healthcare data breach actually dropped over the last year, falling to $9.77 million in 2024, down from $10.93 million a year ago.

Still, there’s a sizable gap between healthcare and, well, everybody else.

The average cost of a data breach across all sectors was $4.88 million, so healthcare breaches were twice as expensive as the average of all industries. The financial sector has the second most expensive breaches, at $6.08 million, and the industrial sector ranked third, with $5.56 million.

“Healthcare is really suffering from data breaches,” says Limor Kessem, the global lead for cyber crisis management at IBM.

• Read more: The 10 largest health data breaches in the first half of 2024

‘Disruption is very lucrative’

In an interview with Chief Healthcare Executive®, Kessem says that the healthcare industry is more vulnerable to breaches than other sectors. Hospitals rely heavily on their electronic health records systems, so if those systems aren’t available because an attacker has breached the systems or is denying access to those records, providers will struggle to deliver patient care.

“Disruption is very lucrative there,” Kessem says. “It's not just disrupting services, it's people's lives.”

Without electronic health records, hospitals are “very eager to get out of that situation. And attackers know that.” And health systems often end up paying ransom demands to get access to their systems and records.

Plus, electronic health records continue to be tempting targets for attackers.

“These records continue to be very lucrative on the dark web, where people are selling people's information, and they can do insurance fraud, and they can do all kinds of creative things with these records,” Kessem says.

She says the healthcare industry continues to trail other sectors with more robust cybersecurity programs, an assessment shared by other experts in the field. “They're not really covering all the security bases that you should be covering,” Kessem says.

• Read more: Why hospitals struggle with cybersecurity: ‘We aren’t doing the basics’

The healthcare industry faces strict regulations on its data systems and medical devices, which makes it harder to make modifications to improve defenses, she notes.

Plus, many health systems are struggling with budget woes, and as they focus on patient care, cybersecurity sometimes doesn’t get the attention it needs, she says.

“These things keep contributing to healthcare truly suffering from data breaches,” Kessem says.

Stolen credentials

The IBM report also indicates a shift in vulnerabilities, with stolen credentials becoming a major source of breaches. Some attackers are using malware to steal usernames and passwords.

“The problem is that these stolen credentials are good enough to allow people to get into your organization and impersonate a legitimate user,” Kessem says. “This is the main issue.”

Healthcare organizations that have been breached with stolen credentials often have similar vulnerabilities, due to a lack of basic protections.

“We keep seeing the same thing,” Kessem says. “No multi-factor authentication, no ‘Zero Trust,’ nothing is limiting that access. And in this day and age, it's just a shame. If you know if attackers can just log in, like they're one of the people who work there, and just do that with stolen credentials, then that's a problem. So I can definitely see how this is impacting, you know, the overall cost of a data breach.”

Long life cycles

The healthcare industry also took more time to identify and contain breaches than any other sector. The life cycle of healthcare breaches is nearly 300 days, the IBM report found.

“I think that when the disruption hits in healthcare, it just takes longer to fix things,” Kessem says.

“When they have disruption, it's varied. It's decentralized. It's not always all in one place … if you look at big healthcare organizations, they have different facilities, different places, all of them can get hit at once. That makes it even worse, where they have a lot of ground to cover to fix things,” she explains.

• Read more: Cyberattacks of hospitals lead to busier emergency departments elsewhere

Not surprisingly, breaches with a longer life cycle tend to be more costly. Across all sectors, the average cost of a breach with a life cycle of over 200 days was $5.46 million in 2024, while those lasting less than 200 days had an average cost of $4.07 million.

Health systems nationwide faced major difficulties from the Change Healthcare ransomware attack earlier this year, because the company handles so many business functions across the industry. UnitedHealth Group, the parent company of Change Healthcare, said the impact of the attack has cost more than $2 billion. Nearly all hospitals and medical groups suffered financially due to the attack delaying the processing of claims.

A bright spot: AI

The IBM report shed light on a positive development in cybersecurity. Organizations are finding success in using AI-powered solutions in cybersecurity.

The healthcare industry is starting to see some of the benefits. One in three healthcare organizations extensively deployed security AI and automation, which lowered costs and shortened the time to contain breaches.

Across all sectors, organizations that didn’t use AI and automation in security programs saw the average cost of a breach reach $5.7 million. Conversely, the average cost of breaches was $3.8 million for organizations that had implemented AI solutions in cybersecurity.

Kessem says she’s encouraged to see more organizations using AI as part of their approach to cybersecurity.

“The more you cut down on the life cycle of the breach, it's immensely important for the team and for everybody that's being treated at that healthcare organization,” Kessem says.