The 19th annual “Cost of a Data Breach Report” released by IBM reveals that, for the 14th consecutive year, health care organizations faced the highest costs associated with data breaches compared to any other industry. In 2024, it cost an average of $9.77 million for a health care organization to contain a data breach, even after a slight decrease of over 10 percent from the previous year. Health care has maintained this top position since 2011, with data breaches in this sector costing significantly more than the average of $4.88 million across all industries. Additionally, health care organizations took the longest time, nearly 300 days, to identify and control data breaches, highlighting the slow response times in this industry.

Health care’s vulnerability to cyberattacks is a major factor contributing to the industry’s higher data breach costs and slower response times. Brendan Fowkes, the global industry technology leader for health care at IBM, notes that attackers target health care organizations due to the sensitive nature of the industry, as patient lives are at risk in addition to data. The complexity of health care IT infrastructures, coupled with limited staff to manage them, also creates challenges in promptly addressing data breaches. While only half of data breaches in health care were caused by internal shortcomings, the key factors contributing to breaches were human error, IT failures, and malicious attacks. Phishing, compromised credentials, and cloud misconfiguration were identified as the most common vectors for data breaches in the health care sector.

Despite the challenges faced by health care IT departments, there are strategies that organizations can adopt to better prepare for and respond to data breaches. Fowkes recommends implementing cybersecurity and cyber-resilience strategies, such as role-based access controls, data masking, tokenization, and leveraging new technologies like AI and automation for protection against cyberattacks. The report found that organizations utilizing AI and automation tools detected and contained incidents nearly 100 days faster than those that did not, resulting in cost savings of approximately $1 million. However, only one-third of health care organizations are currently using security AI and automation extensively, indicating room for improvement in this area to enhance data breach response capabilities.

In addition to adopting cybersecurity measures, it is crucial for health care organizations to have proper incident response plans in place to efficiently notify affected stakeholders, including patients and regulatory agencies, in the event of a data breach. With a record-breaking 133 million health care records breached in 2023, the potential impact of data breaches on patient privacy and financial security is significant. Fowkes emphasizes the importance of planning and practicing response protocols in advance to ensure readiness for potential data breach incidents. Establishing AI governance controls for new technologies like generative AI, which are increasingly being used in clinical settings, is also recommended to mitigate security risks and protect sensitive data.

Overall, the findings of the IBM report underscore the critical need for health care organizations to prioritize cybersecurity and data breach response readiness. By implementing a comprehensive approach that combines advanced technologies like AI and automation with effective incident response planning, health care organizations can strengthen their defenses against cyber threats and minimize the financial and reputational damages associated with data breaches. As the frequency and sophistication of cyberattacks continue to evolve, proactive measures to enhance cybersecurity resilience are essential for safeguarding patient data and maintaining trust in the health care sector.
