Data Breaches Cost Hospitals $4B Annually

By Jack O’Brien

The total cost of data breaches at healthcare organizations is projected to reach $4 billion by the end of 2019, according to a Black Book survey released Monday morning.

Nearly all information technology (IT) professionals at provider organizations believe that data hackers are outpacing organizational efforts to protect sensitive healthcare data, a trend which is expected to worsen in 2020.

Ninety-three percent of healthcare organizations reported a data breach in the past three years and 57% of respondents said their respective organizations experienced more than five data breaches over the same period of time.

For 2019, respondents estimated that data breaches cost organizations $423 per record.

Additionally, provider organizations continue to be the most targeted organizations for cyberattacks, according to Black Book, accounting for nearly 80% of attacks. Respondents indicated that over half of data breaches were caused by an external party.

There have been several high-profile data breaches at hospitals around the country in recent months, including a breach in mid-June at Massachusetts General Hospital that affected nearly 10,000 people and a “data security incident” at Presbyterian Healthcare Services that affected around 183,000 patients.

Most recently, DCH Health System had to temporarily stop accepting patients due to a malware attack that affected its computer systems.

Despite the rise of cyberattacks on hospitals in recent years, most IT professionals said that budgets have not increased to keep up with the demands to protect patient data.

For hospital IT budgets, cybersecurity accounts for 6% of the annual spend, but provider organizations have only set aside less than 1% of their fiscal year 2020 budgets for cybersecurity.

The Black Book survey also pointed to a lack of focus from hospital leadership on overseeing cybersecurity decision-making, with only 4% of organizations implementing a steering committee to account for cybersecurity investments. Just over one-fifth of hospitals reported having a “dedicated security executive,” while only 6% reported having a leader with the title of “Chief information security officer.”

Jack O’Brien is the finance editor at HealthLeaders, a Simplify Compliance brand.