Healthcare organizations have always been attractive targets for cyber criminals due to the valuable information they possess. Stolen health records commonly fetch prices on the dark web up to 10 times higher than stolen credit card numbers.
Since the pandemic, healthcare organizations have faced heightened vulnerability. The overwhelming demand for services and the need to expand IT infrastructure for telehealth and other initiatives led to cybersecurity taking a back seat to patient care. Criminals increasingly exploit this fact with targeted phishing campaigns and ransomware.
This article provides an overview of the key cybersecurity in healthcare statistics to help you understand the unique challenges this industry faces.
Overall Cybersecurity Stats in Healthcare
All statistics in this article are based on official data from the U.S. Department of Health and Human Services (HHS). They are the authoritative source on healthcare data breaches and the regulatory body for HIPAA, a federal law that regulates the privacy of protected health information.
The HHS largely relies on organizations to self-report breaches. However, as violating HIPAA can result in significant fines and penalties, there is a high risk of underreporting. Beyond the legal implications, a breach can also damage an organization's reputation, prompting them to keep quiet.
Here are the essential healthcare cybersecurity statistics:
- The healthcare industry faces significantly higher costs for remediating a data breach compared to other sectors, with an average of $408 per stolen healthcare record versus $148 per stolen non-health record.
- Over the past five years, mega breaches involving more than one million records have nearly doubled.
- The average cost of a data breach involving one million compromised records costs the healthcare organization almost $40 million.
- Detection and containment of mega breaches takes longer than smaller-scale breaches, with an average time of 365 days versus 266 days.
- In the case of mega breaches, the most significant expense category is the cost associated with lost business. Representing one-third of the total costs, lost business amounts to nearly $118 million for breaches involving 50 million records.
- A report by Health IT Security revealed that approximately 24 percent of healthcare employees in the United States have not received cybersecurity awareness training.
- The most critical vulnerability is the human factor, contributing to 74 percent of all breaches. Cybercriminals use proven tactics such as social engineering and phishing to exploit individuals and deceive them into clicking on malicious links or attachments.
- According to a survey conducted among healthcare IT professionals, approximately 60 percent of respondents identified email as the primary point of compromise for breaches, highlighting the importance of email security best practices.
- Since the start of the COVID-19 pandemic, ransomware attacks have seen a drastic increase across all industries, with healthcare being disproportionately targeted. The HIMSS cybersecurity survey revealed that in 2020, 70 percent of hospitals experienced significant cybersecurity incidents.
- In 2022, there were 11 reported healthcare data breaches affecting more than 1 million records, along with 14 data breaches impacting over 500,000 records. Seventy-one percent of reported breaches were hacking incidents, with a significant number involving ransomware.
A total of 24 U.S.-based healthcare organizations fell victim to successful ransomware attacks in 2022, impacting 289 hospitals. To learn more, read our article on ransomware in healthcare.
Healthcare Cybersecurity Statistics in 2022 and 2023
Cyber attacks on healthcare organizations have stabilized since the pandemic spike. However, they haven't reverted to pre-pandemic levels and will likely stay elevated.
The HHS reported a declining number of data breaches for the first time since 2015. However, the decline was minimal (1.13 percent) and resulted in 707 reported breaches involving 500 or more records.
Despite this reduction, 2022 still ranked as the second-worst year regarding the number of reported incidents. Furthermore, there was a decrease in the number of breached records, with a 13.15 percent drop from 54.09 million records in 2021 to 51.9 million in 2022. This decline indicates some progress in mitigating the scale of each breach, although the overall frequency remains a concerning issue.
Additionally, in 2022, hackers increasingly targeted the business associates of healthcare providers. Business associates are individuals or organizations that provide services to healthcare providers and have access to protected health information (PHI). Throughout the year, business associates self-reported 127 data breaches, while an additional 394 reported breaches involved business associates. These figures amount to a 337 percent increase since 2018. Notably, last year was the first time data breaches reported by business associates surpassed those reported by healthcare providers.
phoenixNAP’s HIPAA-ready hosting is specifically designed to meet the stringent privacy requirements of the healthcare industry. Through robust encryption, strict access controls, and comprehensive data backup and recovery capabilities, we provide unmatched protection for sensitive health information, prioritizing the security and confidentiality of patient data.
Between January 1 and June 30, there were 336 significant health data breaches affecting approximately 41.4 million individuals. This number is nearly double the number of individuals affected during the same period in the previous year. However, compared to mid-2022, the overall number of significant health data breaches is slightly lower thus far in 2023. This contrast suggests that while the number of affected individuals has increased, the overall number of breaches has declined slightly.
According to reports submitted to the HHS, hacking was behind 252 of the 336 incidents in 2023, translating to 75 percent of all breaches. These hacking incidents impacted nearly 37.3 million people, accounting for approximately 90 percent of all individuals affected.
Out of the breaches reported so far this year, 125 of them, or nearly 40 percent, involved business associates. These breaches affected around 21 million people, representing about half of the individuals impacted by major health data breaches. Notably, almost all business associate breaches, bar 23, were a result of hacking.
The largest health data breach reported this year involved ransomware attacks on Managed Care North America (MCNA), based in Fort Lauderdale, Florida. MCNA is a business associate that supports state Medicaid agencies and children's health insurance programs. This breach had far-reaching consequences, affecting over 100 client organizations, including departments of health and human services in different states. Approximately 9 million individuals were impacted by the MCNA breach.
The largest healthcare data breach to date was suffered by Anthem Inc. in 2015. The attack affected a staggering 78.8 million people and in the aftermath, Anthem had to allocate approximately $230 million for remediation. This sum included $115 million to settle lawsuits, $39.5 million to resolve the state attorneys general investigation, and $16 million to address the HIPAA audit conducted by the HHS.
Healthcare Cybersecurity Predictions for 2024
We can only prepare ourselves for what lies ahead by identifying emerging trends.
Here are four healthcare cybersecurity predictions for 2024.
1. Healthcare Organizations Will Invest More into Cybersecurity
The latest HIMSS Healthcare Cybersecurity Survey reveals that most healthcare organizations allocate 6 percent or less of their IT budget to cybersecurity. However, there are clear indications that healthcare entities will recognize the importance of securing their data in the future.
Cybersecurity Ventures predict healthcare cybersecurity budgets will grow at a rate of 15 percent year-over-year in the next five years, resulting in a cumulative value of $125 billion between 2020 and 2025.
2. Staff Shortages Will Worsen
Workforce challenges are a significant concern in cybersecurity, with the shortage of qualified professionals being a well-known issue. In the healthcare sector, a lack of staff was identified as the primary barrier to establishing robust cybersecurity programs by 61 percent of respondents of the latest HIMSS Healthcare Cybersecurity Survey.
Retaining qualified candidates is also a challenge, according to 66 percent of respondents. Cybersecurity staff is highly sought after, and healthcare cybersecurity, particularly, requires a unique balance between the confidentiality, integrity, and availability of information.
The shortage of cybersecurity staff in healthcare will likely persist and potentially worsen as the increasing reliance on digital technologies and the growing volume of healthcare data contribute to the demand for skilled professionals. Additionally, competition from other industries will hinder the recruitment and retention of cybersecurity staff.
3. Automation Will Play a Crucial Role in Cybersecurity
The combination of staff shortages and increased budgets will drive a growing reliance on intelligent intrusion detection systems. These systems can autonomously identify and respond to threats in real-time, minimizing the period between threat detection and mitigation.
Often leveraging artificial intelligence (AI) and machine learning (ML), these systems continuously analyze vast amounts of data, identify patterns, and predict potential vulnerabilities, strengthening overall security.
4. Zero Trust Will Become an Essential Requirement
Zero trust security represents a moving away from a perimeter-based approach to access controls to a model that verifies and authenticates every user and device seeking access, regardless of their location or network.
The adoption of zero-trust architecture has demonstrated substantial benefits in terms of cost savings. IBM's 2022 cost of a data breach report reveals that organizations with mature zero trust on average saved nearly $1 million per breach. This represents a 20.5 percent reduction compared to organizations without zero trust measures.
Currently, only 41 percent of organizations across all sectors employ a zero-trust security architecture. Given its potential to effectively reduce costs, it is highly probable that zero-trust security will become the standard in the years to come.
The digital transformation has allowed healthcare providers to instantly access a broad range of high-quality data, enabling them to make more informed decisions faster. However, alongside these benefits, healthcare now faces new challenges. Effectively defending against these evolving threats requires an ongoing commitment to information security risk management.
While healthcare organizations have made notable advancements in their cybersecurity programs, many challenges persist. These obstacles include limited security budgets, inadequate staffing and training, and the escalating number of cyberattacks.
Prioritizing the human element in security is essential to fostering a culture of awareness and responsibility. This proactive approach, which combines technical safeguards with a strong human-centric focus, is the path forward for healthcare organizations to establish a resilient cybersecurity posture and break free from a decade-long downward trend.