Daily Briefing

Cyberattacks are particularly costly in health care. Why?


Across all industries, health care faces the largest financial toll from cyberattacks, losing an average of $10.1 million for every data breach that occurs, according to IBM's Cost of a Data Breach 2022 report.

The high cost of data breaches

For the report, IBM collected national data from more than 550 organizations worldwide across several industries, including health care, technology, hospitality, and education, between March 2021 and March 2022 to analyze the impact of cyberattacks.

Overall, IBM found that the average cost of a data breach worldwide was $4.35 million, the highest to date. Similarly, the average cost of a data breach for critical infrastructure organizations, such as those in technology, transportation, energy, or health care, was $4.82 million—around $1 million more than the average in other industries.

In the United States, the average cost of a data breach was even higher, reaching $9.44 million in 2022. After the United States, the Middle East ($7.46 million), Canada ($5.64 million), the United Kingdom ($5.05 million), and Germany ($4.85 million) had the highest costs for data breaches.

Across all industries, health care was the most significantly affected by data breaches, with each breach costing companies an average of $10.1 million. This is roughly a 10% increase from the average cost of a breach for health care companies in 2021 and a 42% increase from the cost in 2020.

According to Sher Baig, who works in global cyber commercialization at GE Healthcare, large hospitals can lose up to $50 million in a single quarter due to cyberattacks. Some of these losses may even be large enough to force some hospitals out of business.

The other industries in the top five include financial, pharmaceuticals, technology, and energy, whose breach costs range from $4.72 million to $5.97 million.

Why hospitals are more vulnerable to cybersecurity attacks

According to Limor Kessem, a principal consultant in cyber crisis management for IBM's Security X-Force, health care organizations are more vulnerable to cybersecurity attacks because of their complex technology infrastructures. Many organizations also run outdated programs on devices they use every day, which exacerbates the problem.

In a survey of 517 hospital leaders by Cynerio, a cybersecurity company, many leaders whose systems had already been hit reported experiencing multiple attacks. Overall, 11% of respondents said their health care systems were attacked 25 or more times.

IBM's report also found that highly regulated industries like health care typically take longer to recover from data breaches compared to organizations that are less regulated. Generally, it can take a health care organization more than 10 months to recover from a data breach.

In addition to financial costs, some cyberattacks can affect patient care and potentially cost lives if medical systems are affected. Among the cyberattacks studied by Cynerio, almost a quarter resulted in higher patient mortality because lifesaving medical treatments were disrupted.

"Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack," Kessem said. "That's on top of staff distress and having to revert to manual procedures and paperwork."

Overall, hospital leaders need to have a defense plan against cyberattacks in place not only to prevent financial losses but also to avoid potentially endangering patients if critical systems go down.

"I highly recommend having an incident response plan, a team in place to carry out the response, and drilling that plan to improve over time," Kessem said. "A special playbook for ransomware cases can not only save costs for the hospital—about 58% of the breach’s cost—but it can also save lives." (Neber, Crain's New York Business/Modern Healthcare, 8/9; IBM Cost of a Data Breach 2022 report, accessed 8/10)

