The healthcare industry holds an unwanted distinction when it comes to cybersecurity.
According to a new report released today by IBM, the average cost of a healthcare data breach once again surpasses that of every other industry. The annual Cost of a Data Breach report shows that the average healthcare data breach costs $7.42 million. This is the 14th consecutive year that healthcare data breaches have ranked as the most expensive of any industry.
The average cost of a healthcare data breach fell compared with last year's report, which put it at $9.77 million. Two years ago, the average was $10.93 million.
Limor Kessem, global leader in cyber crisis management at IBM Consulting, tells Chief Healthcare Executive® that the lower average cost is encouraging.
“This is a good surprise, but it's still a sector that's beyond the rest of the sector and suffers from data breaches,” she says.
The gap between the cost of healthcare data breaches and that of other industries remains large. The global average cost of a data breach across all industries was $4.44 million, about $3 million less than the cost of a data breach in the healthcare sector. This is the first time in five years that the global average cost of a data breach has fallen.
Still, the decline in the average cost of healthcare data breaches reflects potentially positive developments as more organizations use AI tools in their cybersecurity programs, Kessem says.
“Overall, we're talking about more use of AI, more use of automation, and more use of AI becoming more mainstream in more security operations,” Kessem said. “In that sense, I think it's paying dividends. It's much faster for an organization; it just contains it, detects it, does it, and the less time you do things, the more money you save.”
The healthcare industry took longer to detect breaches than other sectors.
On average, healthcare organizations needed 279 days to identify and contain a breach. That is more than five weeks longer than the global average across all sectors, the report says.
The lower average cost of healthcare data breaches also suggests that attackers are targeting smaller healthcare providers. Industry leaders say small hospitals and clinics are becoming more frequent targets for ransomware groups.
Attackers are going after these small organizations for very obvious reasons: they have smaller security budgets, fewer security tools and less security staff.
AI-equipped attacks
Healthcare organizations use AI to strengthen their defenses against cyberattacks, but ransomware groups are using the same technology.
“AI does good for everyone. It does good for security teams. It's for organizations, for people's productivity, for everyone,” Kessem says. “That includes attackers who can build better phishing very quickly.”
Years ago, many attackers' phishing emails were riddled with typos and clunky language, which made them easy to spot as suspicious. Today, ransomware groups are sending more polished messages that look far more authentic, and they are using AI to craft more persuasive emails.
“They just tell an AI LLM to build a reliable story,” Kessem says. “There are no mistakes or funny syntax. They can make it faster in any language.”
This is worth noting because the healthcare industry has proven to be very susceptible to phishing attacks. “By the way, for the healthcare sector, phishing was the top attack vector that attackers accomplished,” Kessem says.
Ransomware groups also use AI tools to develop malware and infiltrate organizations.
“They can write malware without knowing how to write them. Get the code, make sure it works, and continue. They're doing things faster,” says Kessem.
For attackers who already have some proficiency in writing code, AI tools help them work faster, she adds.
While more health systems are adding AI technology, the IBM report also shows that many organizations are not developing governance policies for these tools. The report found that almost two-thirds of breached organizations either have no governance policy for AI tools or are still developing one. Even among organizations that have adopted an AI governance policy, only 34% say they run regular audits for unauthorized AI.
More AI vulnerabilities
Perhaps most alarming, the IBM report shows that some breaches involved an organization's AI models or AI applications. The number is still fairly small, with 13% reporting breaches linked to AI models. However, almost all (97%) of those reporting such breaches lacked proper access controls.
“AI is coming and everyone is in a hurry to really innovate. They really want to be the first. They don't want to be left behind. They don't want to delay,” Kessem says. But too often, she says, companies don't adopt adequate governance strategies.
“It's an overall problem that continues to grow,” Kessem says.
Kessem says there is a growing vulnerability to “shadow AI” breaches, in which employees use their preferred AI tools without the organization's approval, and the organization has no record of that use.
“I think this shadow AI is a big deal because people tend to do it without thinking, just want to speed up their work, just get things done, and that's what happened,” Kessem says.
According to the IBM report, one in five organizations reported a breach related to shadow AI, and only 37% say they have a policy to manage AI or detect shadow AI.
Companies with higher levels of shadow AI use also had costlier breaches. Breach costs for these organizations were $670,000 higher than for organizations with little or no shadow AI, the report says.
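The report's point about organizations that neither track nor detect shadow AI use is, in practice, a logging and detection problem. The following script is an added example, not code from IBM or from the article: it parses a handful of constructed web-proxy log lines, matches destination hosts against a list of hypothetical AI-service domain patterns, subtracts an organization's approved-vendor allowlist, and reports per-user shadow AI activity with the volume of data posted to those services. All domains and log lines are invented for illustration; a real deployment would substitute its own proxy log format and vendor list.

```python
"""Flag likely shadow AI use in web-proxy logs (added example, constructed data)."""
import re
from collections import defaultdict

# Assumption: the organization has sanctioned exactly one AI vendor (hypothetical host).
APPROVED_AI_HOSTS = {"ai.approved-vendor.example"}

# Hypothetical AI-service domains; a real list would be maintained from threat-intel
# and CASB/proxy categorization feeds. Each pattern matches the apex or any subdomain.
AI_HOST_PATTERNS = [
    re.compile(r"(^|\.)chat-assistant\.example$"),
    re.compile(r"(^|\.)llm-api\.example$"),
    re.compile(r"(^|\.)approved-vendor\.example$"),
]

# Assumed log format: <timestamp> <user> <method> <host[/path]> <status> <bytes>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>[^\s/]+)\S* (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log lines (not real traffic); the last line is deliberately malformed.
SAMPLE_LOGS = """\
2025-07-30T09:01:12Z alice POST chat-assistant.example/v1/complete 200 18342
2025-07-30T09:02:40Z bob GET intranet.example/wiki 200 1200
2025-07-30T09:03:05Z alice POST api.llm-api.example/v1/chat 200 52211
2025-07-30T09:05:51Z carol POST ai.approved-vendor.example/v1/chat 200 9001
2025-07-30T09:07:13Z bob POST chat-assistant.example/v1/upload 200 4194304
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None so callers can skip junk."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_ai_host(host):
    """True when the host matches any known AI-service domain pattern."""
    return any(p.search(host) for p in AI_HOST_PATTERNS)


def find_shadow_ai(log_text, approved=APPROVED_AI_HOSTS):
    """Map each user to the (host, method, bytes) events sent to unapproved AI services."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the whole run
        host = rec["host"].lower()
        if is_ai_host(host) and host not in approved:
            findings[rec["user"]].append((host, rec["method"], rec["bytes"]))
    return dict(findings)


def outbound_bytes_by_user(findings):
    """Sum bytes of POST requests per user: a rough proxy for data pushed into external AI."""
    return {
        user: sum(size for _, method, size in events if method == "POST")
        for user, events in findings.items()
    }


if __name__ == "__main__":
    hits = find_shadow_ai(SAMPLE_LOGS)
    for user, total in outbound_bytes_by_user(hits).items():
        print(f"{user}: {len(hits[user])} unapproved AI request(s), {total} bytes posted")
```

The allowlist check is what turns a generic "AI traffic" report into a shadow AI finding: carol's traffic to the sanctioned vendor is not flagged, while alice and bob are. Tracking posted byte counts, rather than just request counts, is what lets a security team prioritize a large upload to an unapproved service over a handful of short prompts.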
With AI use and AI-related vulnerabilities both increasing, Kessem says bigger and more damaging cyberattacks could arrive in the near future.
“I think AI will make cyberattacks bigger,” Kessem says. “I think by next year, we'll be seeing something completely different here.”