Healthcare Breach Trends: Analysis of the 2020 IBM & Ponemon Data Breach Report

Blog Post by Brian Selfridge, Partner at Meditology Services

Healthcare has once again topped the list of the highest average breach cost per industry segment according to the 2020 IBM Cost of a Data Breach Report [1]. The perennial data breach report is in its 15th year and is once again administered by the highly regarded Ponemon Institute.

Healthcare has been the costliest sector for breaches for the last 10 years running, peaking at $10m per breach in 2018 and leveling back to $7.13m this year. The Energy and Financial Services industries followed closely behind.

Sources of Data Breach Costs for Healthcare Entities

The following categories were identified as the top sources of data breach costs for healthcare entities.

  1. Lost Business – this includes business disruption, clinical and operational downtime, lost patients/customers, and reputational damage
  2. Post Event Response and Remediation – this includes help desk calls, credit monitoring costs, identity protection services, legal costs, and regulatory fines
  3. Detection and Escalation – this includes forensics assessments, security risk assessments, crisis management, and internal and external communication
  4. Breach Notification – this includes emails, letters and calls to affected parties, regulatory response analysis and execution, and engagement of outside experts

The average time to identify and contain a breach was reported at 245 days across all industries. Healthcare is slower to detect and contain breaches, with an average of 329 days. Living with an active breach for almost a year before containing it is a massive distraction and disruption to the business, and the remediation and clean-up from the resulting fallout can continue for years afterward.

Top Causes of Healthcare Breaches

Misconfigured cloud implementations were identified as the leading source of breaches, with lost and stolen devices a close second. This represents a turning of the tide, as lost and stolen devices had held the top spot for the last decade. The data supports a trend that Meditology had previously identified as a top risk area for healthcare entities in 2020 and beyond. You can read more about Meditology’s Cloud Security Center of Excellence, launched earlier this year, in our related press release.

Vulnerabilities in third party software were also ranked as one of the most prominent breach sources. This is not surprising given the data presented earlier this year by the Office for Civil Rights in a joint presentation with Meditology’s CEO Cliff Baker that highlighted the shift in reported breaches and regulatory enforcement activities related to third party breaches in healthcare.

Malicious attacks were listed as the dominant threat vector and source of breaches this year. The top initial vectors for malicious attacks were compromised access credentials, cloud misconfigurations, and vulnerabilities in third-party software. Social engineering was surprisingly low at less than 3% of attack sources, a shift from prior years. Stolen or compromised credentials led to the most expensive breaches.

Most Effective Security Controls

Incident response preparedness was identified as the highest cost saving measure that organizations could take to reduce the overall dollar amount of a breach. Organizations with strong incident response plans and routine testing saved an average of a whopping $2m per incident. Some of the other most effective interventions included Business Continuity and Disaster Recovery (BC/DR) planning, red team penetration testing (i.e. ethical hacking), employee and workforce training, “extensive encryption”, and security analytics capabilities.

Organizations with security automation in place, defined as mature programs with Artificial Intelligence-capable security tools, also had substantial reductions in breach costs. Healthcare was one of the middle-tier sectors for industry adoption and deployment of security automation; at the top were Financial Services, Technology, and Communications.

Breach Cost Analysis

“Mega breach” incident costs were not included in the overall breach costs averages and were considered outliers that would skew the data. However, separate analysis of mega breaches in the report indicated that these large breach costs skyrocketed as well in 2020.

53% of attacks were conducted by financially motivated attackers, with nation state attacks being the costliest type of attack. Meditology has been tracking the trend of nation state attacks on academic medical centers and research institutes, targeting COVID-19 research in particular. More information on this trend is available in Meditology’s CyberPHIx Roundup Podcasts. Ransomware was also a prominent attack type in healthcare, with ransomware incidents averaging $4.4m each.

The report outlined cyber liability coverage for common breach response activities. Cyber liability policies typically covered consulting and legal services, restitution to victims, support for regulatory fines, recovery technology, and ransomware payment support. However, the report did not indicate how much of the overall breach cost was actually covered by cyber liability policies.

The findings also noted that the COVID-19 situation is estimated to add an average of $137k of breach costs per incident. This is due to the increased time to detect and contain incidents in remote workplace environments.

Who’s to Blame?

CISOs were left holding the bag on breaches, unfortunately. The study found that most organizations considered the CISO the person most liable and responsible for a security breach, followed closely by Information Security Directors and VPs. Just below the security team in perceived culpability were IT leadership, “no one is to blame”, the CIO, the CEO, and the Board.

The industry has made strides in recent years to elevate the profile of the Information Security function for the business. Apparently, that visibility has also brought accountability for CISOs right along with it.

Meditology’s Analysis & Recommendations
1.  Invest in Cloud Security Controls Immediately

Cloud security investments have become essential in 2020. A paradigm shift is currently underway in the migration of critical business functions in healthcare to cloud-hosted platforms, and the related breach data is concerning. The ability to assess and secure third-party cloud platforms will soon become the paramount mandate for information security and risk programs.

Healthcare entities need to pivot quickly to investing in cloud security risk assessments, cloud security strategic planning, penetration testing of cloud implementation, cloud vendor risk management, HITRUST and SOC 2 certification for cloud platforms, and retaining cloud security subject matter expertise in house or via external staff augmentation.
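As an added illustration of what a cloud security assessment actually looks for (this is example code written for this page, not code from Meditology or the IBM report), the script below checks two of the misconfigurations that most often expose stored data: an object storage bucket policy that grants access to everyone, and a security group rule that opens a sensitive port to the whole internet. The sample policy, the security group rules, the account ID and the list of sensitive ports are all constructed for illustration; the documents follow the shape AWS returns for an S3 bucket policy and an EC2 security group's IpPermissions, but the same checks apply to any provider's equivalents.

```python
"""Offline cloud misconfiguration checks (added example, not from the post).

Input documents mirror the shape of an AWS S3 bucket policy and an EC2
security group's IpPermissions. The sensitive port list, thresholds and all
sample data are assumptions made for this illustration.
"""
from __future__ import annotations
import ipaddress

# Ports that should never be reachable from any address (assumed list).
SENSITIVE_PORTS = {22, 445, 1433, 3306, 3389, 5432, 6379, 27017}


def _principals(principal) -> list[str]:
    """Normalise a policy statement's Principal field to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out: list[str] = []
        for value in principal.values():
            out.extend([value] if isinstance(value, str) else value)
        return out
    return []


def public_policy_statements(policy: dict) -> list[str]:
    """Return the Sid of every Allow statement that grants anonymous access
    with no Condition. Conditioned statements are left for manual review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principals(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def world_open_rules(permissions: list[dict]) -> list[tuple[int, int, str]]:
    """Return (from_port, to_port, cidr) for each rule that exposes a
    sensitive port to an any-address range (0.0.0.0/0 or ::/0)."""
    findings = []
    for perm in permissions:
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and ports
            lo, hi = 0, 65535
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # a real source range; not "anyone"
            if any(lo <= port <= hi for port in SENSITIVE_PORTS):
                findings.append((lo, hi, cidr))
    return findings


# Constructed sample data: one public-read statement, one scoped to a role,
# one open to "*" but restricted by a VPC endpoint condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*"},
        {"Sid": "AppRoleWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::phi-exports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::phi-exports/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}}},
    ],
}

# Constructed sample rules: HTTPS to the world is normal, RDP to the world
# and "all traffic" from ::/0 are not, SSH from an internal range is fine.
SAMPLE_SG = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def audit(policy: dict, permissions: list[dict]) -> dict:
    """Run both checks and return the findings as one report dictionary."""
    return {
        "public_statements": public_policy_statements(policy),
        "world_open_rules": world_open_rules(permissions),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICY, SAMPLE_SG).items():
        print(f"{key}: {value}")
```

The conditioned "VpcOnly" statement is deliberately not flagged; a real assessment would review it by hand, because a weak condition (for example, a source IP range that is too broad) can still amount to public access.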

2.  Mature and Scale Your Third-Party Risk Management Program

Third-party risk management will continue to dominate healthcare enterprise risk vectors for years to come. The healthcare industry has begun to move critical business and clinical operations to the cloud including Electronic Health Records, finance and billing systems, and more. This means that information security risks for these business functions are becoming less focused on regulatory compliance and more driven by the availability and integrity of these essential systems used for the routine delivery of care.

3.  Small Investments in Incident Response Save Big Money

Those figures on the return on investment for incident response programs can’t be ignored. An average savings of $2m per breach is a pretty compelling reason to spend a little bit of time and budget on tuning up your incident response plan and conducting tabletop exercises.

These are some of the lowest cost interventions in your toolkit and have some of the highest dividends in return on investment for security program protection mechanisms. Healthcare entities with strong incident response capabilities must also remember that COVID-19 has changed the equation. Remote work models will likely result in increased time and cost to detect and contain incidents. Make sure you get a tabletop exercise conducted this year to learn how to respond effectively to incidents with a remote workforce and leadership team.

4.  Perform Routine Penetration Testing

The IBM report noted that routine pen testing saves an average of $243k per breach. This represents another relatively lower cost intervention that yields a high return on investment. The bad guys are clearly out to exploit misconfigurations in cloud platforms and other network and application vulnerabilities; healthcare entities would do well to discover those security weaknesses before the attackers find them.

5.  Mind Your Credentials

Passwords remain the dominant authentication mechanism despite innovations being developed for identity management and access. Healthcare entities must continue to invest in securing sensitive access credentials including multi-factor authentication, privileged access management solutions, phishing protections and workforce training, and strong password and authentication management.
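Stolen or guessed credentials rarely arrive silently; they show up first as a pattern in authentication logs. The following detection logic is an added example written for this page (not code from Meditology, the IBM report, or any particular identity product) and flags the two patterns a healthcare SOC should be watching for: a password spray (one source failing against many accounts in a short window) and a successful login that follows a burst of failures from the same source. The log format, the thresholds and the sample lines are constructed for illustration; the regular expression would be adapted to the real format of your identity provider or VPN.

```python
"""Credential-attack detection over authentication logs (added example).

The log line format, the thresholds and the sample log are constructed for
this illustration and are not taken from any real product or the IBM report.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z auth user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune against your own baseline of normal failure rates.
SPRAY_DISTINCT_USERS = 5                 # distinct accounts failing from one source
SPRAY_WINDOW = timedelta(minutes=10)
FAILS_BEFORE_SUCCESS = 3                 # failures from a source before an OK
SUCCESS_WINDOW = timedelta(minutes=30)


def parse(lines: list[str]) -> list[tuple[datetime, str, str, str]]:
    """Parse log lines into (timestamp, user, source, result), oldest first.
    Lines that do not match the format are skipped (count them in production)."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["user"], match["src"], match["result"]))
    events.sort(key=lambda event: event[0])
    return events


def detect(lines: list[str]) -> dict:
    """Return spray sources and successes that followed recent failures."""
    fails_by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    spray_sources: set[str] = set()
    success_after_failures: list[tuple[str, str, str]] = []
    for ts, user, src, result in parse(lines):
        recent = fails_by_src[src]
        # Drop failures older than the longest window we look back over.
        recent[:] = [(t, u) for t, u in recent if ts - t <= SUCCESS_WINDOW]
        if result == "FAIL":
            recent.append((ts, user))
            users_in_window = {u for t, u in recent if ts - t <= SPRAY_WINDOW}
            if len(users_in_window) >= SPRAY_DISTINCT_USERS:
                spray_sources.add(src)
        elif len(recent) >= FAILS_BEFORE_SUCCESS:
            # A success right after a run of failures from the same source is
            # the signature of a guessed or stuffed credential, not a typo.
            success_after_failures.append((src, user, ts.isoformat()))
    return {
        "password_spray_sources": sorted(spray_sources),
        "success_after_failures": success_after_failures,
    }


# Constructed sample log: a user mistyping twice then logging in (benign),
# one external source spraying six accounts and succeeding on the last,
# and one malformed line the parser must tolerate.
SAMPLE_LOG = [
    "2020-08-03T09:00:01Z auth user=jsmith src=10.1.2.3 result=FAIL",
    "2020-08-03T09:00:20Z auth user=jsmith src=10.1.2.3 result=FAIL",
    "2020-08-03T09:00:45Z auth user=jsmith src=10.1.2.3 result=OK",
    "2020-08-03T09:01:00Z auth user=adoe src=198.51.100.7 result=FAIL",
    "2020-08-03T09:01:10Z auth user=bkim src=198.51.100.7 result=FAIL",
    "2020-08-03T09:01:20Z auth user=clee src=198.51.100.7 result=FAIL",
    "2020-08-03T09:01:30Z auth user=dnguyen src=198.51.100.7 result=FAIL",
    "2020-08-03T09:01:40Z auth user=epatel src=198.51.100.7 result=FAIL",
    "2020-08-03T09:01:50Z auth user=fgarcia src=198.51.100.7 result=OK",
    "malformed line that the parser should skip",
]


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The benign user with two failures is not reported, which is the point of a threshold on failures before success; multi-factor authentication would turn the flagged success into a failed second factor and a much louder alert, which is one concrete reason the recommendation above leads with MFA.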

Want to learn more? Take a look at our Analysis of Healthcare Breach Trends | Insights from the 2020 IBM/Ponemon Report infographic for some quick stats and recommendations.



[1] 2020 IBM Cost of a Data Breach Report
