During the height of lockdown and the pandemic, we saw cybercriminals actively target and attack healthcare institutions worldwide. The impact was, in some cases, catastrophic, with hospitals unable to treat patients and labs that were researching possible cures and treatments for COVID shut down.
The latest Cost of a Data Breach report from IBM has confirmed what many in the sector have suspected: that the healthcare industry is impacted more than any other. The average total cost of a data breach in the healthcare industry increased from US$9.23m in 2021 to US$10.10m in 2022. This is a 42% increase between 2020-2022 and means that healthcare is the highest-cost industry for the 12th year running.
It is clear that the healthcare sector has been identified as a key target for cybercriminals and the industry has to do more to defend itself from this threat.
The recent cyber attack highlights the nature of the threat
In August 2022, Advanced, a firm that provides digital services for the NHS, was the victim of a cyber attack. The software vendor provides services to 140 NHS trusts, including patient records with its Carenotes solution and patient referral (including ambulance dispatch and emergency prescription) with its Adastra software.
Health officials have indicated that services could be impacted for weeks, and potentially deadly medical errors and misdiagnoses are possible due to the supply chain attack.
This is just one recent example of how a breach in a healthcare organisation or within a healthcare supply chain can have potentially lethal implications. The very nature of the sector means that any impact on front-line services is devastating and can take weeks to solve.
It also shows that attacks against the sector are continuing and that there can be no complacency regarding cyber-defences.
Ransomware attacks against healthcare are increasing in number, cost and complexity
One of the main tactics used by cybercriminals in this sector is ransomware. This type of attack has been responsible for some of the most high-profile data breaches over the last year. Although slightly down from last year, it remains more expensive than the average breach, coming in at US$4.54m per attack according to the report.
Perhaps more worryingly, the share of breaches caused by ransomware has grown since last year, up from 7.8% in 2021 to 11% in 2022, a growth rate of 41%. This points to a real issue for organisations. Whilst any data breach is bad enough, ransomware attacks cost more and tend to be used in association with some of the most sophisticated attacks.
The State of Ransomware in Healthcare 2022 report showed that there had been a 94% increase in ransomware attacks against healthcare organisations during 2021. Other reports have backed this up. Only 2% of healthcare organisations that suffered a ransomware attack had their data returned.
Another telling statistic from this report was that 67% of healthcare organisations thought cyberattacks were becoming more complex.
The nature of the data held by healthcare organisations means that any breach can be disastrous. With the regularity, complexity and cost of ransomware attacks increasing, healthcare organisations have to do more to protect themselves, patients and front-line services.
A zero-trust approach is crucial for healthcare organisations
One positive from the Cost of a Data Breach report is that more companies are implementing a zero-trust approach to their cyber defences.
Zero-trust is where nothing inside or outside the corporate network is taken at face value. It wraps layered, proactive, AI-powered software around every user and every element in your infrastructure.
Those deploying zero-trust architecture grew from 35% in 2021 to 41% in 2022. The 59% that did not deploy zero-trust incurred US$1m more in breach costs on average. Those organisations with mature zero-trust deployments saw even greater savings, with breach costs on average about US$1.5m lower than those of organisations at the initial stages of a zero-trust programme.
With attacks becoming more sophisticated (for example, with social engineering), there is no longer room for assumption or guesswork within the healthcare sector’s cyber defences. Implementing a zero-trust approach means that nothing is taken at face value, helping to keep cybercriminals out and only allowing in those with the right to access.
Use of security AI and automation also increases
As with those companies implementing AI-powered zero-trust policies, the use of other AI and automated solutions has also risen, with 70% now using such software, marking an 18.6% growth rate from 2020.
For those who had fully deployed AI and automation technology, breach costs were significantly reduced. They had US$3.05m less in costs compared to organisations with no AI or automation.
The ROI is very clear from this statistic. Taking the responsibility away from one or two individuals and making cyber security an automated process means that an organisation is less likely to be breached and more likely to remain in line with regulation.
This type of technology is no longer restricted to large private-sector, enterprise-level companies. For healthcare organisations to secure data, reassure patients and staff, ensure adherence to regulations and protect front-line services, there has to be a real effort to identify and implement the best-fit cyber defences. These are no longer ‘nice to have’, but an essential part of any healthcare organisation’s overall strategy.