The Cost of a Cyber Breach

5 stats from HC3 report show growing scope of cyber threats

March 08, 2022

A new report from the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) summarizes health care’s growing cybersecurity concerns and ways to prepare for cyber threats.

The report, released this month, highlights some of the recent cyberattacks on the global health care community and how data breaches can disrupt hospital operations and patient care. The report comes as hospitals and health systems are on alert for potential cybersecurity threats amid Russia’s invasion of Ukraine.

“Governments are increasingly aggressive in fighting back,” the report says. “Despite this, health care organizations have as big a role as ever in defending themselves.”

Here are five key numbers to know from the report:

• $18.6 billion:  The minimum cost of ransomware payments based on available data, with an estimated cost of more than $75 billion globally
• $9 million:  The per-incident cost for a data breach in the U.S., according to IBM. On average, health care breaches cost $9.2 million, a 30 percent increase from 2019
• 522,495:  The number of phishing attacks reported by Google during March 2020, a 350 percent increase since the beginning of the year
• $322,168:  The average ransomware payment from the 2021 fourth quarter, a 130 percent increase from the third quarter
• 11:  The number of consecutive years health care organizations have had the highest average costs associated with a data breach

“Moving through 2022 and beyond, situational awareness will continue to be more and more important,” the report notes. In response to the growing cybersecurity threat, the report recommends:

• Training employees about the ongoing threat through phishing campaigns
• Turning off remote access services where and when they are not needed
• Developing and aggressively maintaining enterprise asset inventory, including applicable vendor updates and alerts
• Understanding the value of what your organization has to offer to the adversary, such as patient records
• Operating with resilience in mind
• Thinking about how you could be compromised by your suppliers, vendors, business partners, customers, and service providers

The report is available to review online.

HAP continues to monitor trends in cybersecurity and provide updates and guidance to members. For more information, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management. John Riggi, the AHA’s senior advisor for cybersecurity and risk, also offers coverage and resources about health care cybersecurity.