Health care topped the 17 sectors analyzed for the IBM Security 2021 Cost of a Data Breach Report. ("1:29 PM" by Dana Beveridge is licensed under CC BY 2.0)

The average cost of a data breach in the health care sector tops $9.23 million, the highest of all 17 sectors analyzed for the IBM Security 2021 Cost of a Data Breach Report. Meanwhile, a new CynergisTek report shows 76% of providers are failing to secure their supply chains, one of the sector’s biggest blindspots.

The 17th annual IBM report is conducted independently by the Ponemon Institute, which studied 537 real breaches across 17 countries and 17 different industries, including the health care sector. 

Researchers found data breaches cost the health care sector 118% more than the global average of just $4.24 million per breach. When broken down, a provider can expect to pay $180 per each compromised patient record containing personally identifiable information.

IBM also found the 25% of health care entities that operate with fully deployed security automation saw cost savings of $1.34 million compared to the global average cost of a breach. Those entities with incident response teams coupled with incident response testing saw an average cost savings of $2.34 million, compared to those without.

The data confirms that effective, proactive security measures can support return on investment when compared to the overall costs of security incidents.

Also notable, the IBM report shows health care has a significant lag time in detecting and containing a threat when compared to other sectors. Most organizations took an average of 212 days to detect and 75 days to contain a threat.

In health care, however, most entities took an average of 241 days to detect and 94 days to respond to a threat.

As for the primary cause behind data breaches, malicious attacks caused 52% of health care-specific incidents, followed by 24% tied to human error and 24% tied to system glitches. Compromised credentials remain the leading cause of data breaches. IBM researchers stressed that the compromised credentials used in combination with leaked personal data could be used in further attacks.

The data points echo CynergisTek’s new “Maturity Paradox: New World, New Threats, New Focus” report, compiled from nearly 100 assessments of health care providers’ security postures against the NIST Cybersecurity Framework (CSF).

CynergisTek found supply chain management was the least mature category assessed and second-lowest scoring area, even among those entities with high-performing security programs that have significantly improved in the last four years.

On average, the assessed providers scored 2.7 out of 5 on supply chain management, which reiterates the ongoing challenges health care and, frankly, all U.S. organizations are facing in identifying and addressing supply chain risks. CynergisTek researchers noted that a score of 3 is deemed acceptable, and just 23% of providers barely passed on supply chain security.

What’s worse, not even high performers achieved scores above a 3.

The stats can be confirmed with SC Media data, which found 60% of the 10 largest health care data breaches this year were caused by vendor-related incidents. CynergisTek notes that part of the challenge in managing third-party vendors is a lack of processes able to validate whether connected partners are actually meeting security standards outlined in contracts.

The effects of these security blindspots can be seen in all sectors, with the attacks on SolarWinds, Kaseya, Microsoft Exchange, Accellion, and other major vendors. As a result, “it's clear that this is not the right time to cut back on cybersecurity,” said David Finn, CynergisTek executive vice president, in a statement.

“Smart spending will be necessary to secure organizations against a rising tide of ransomware threats against critical infrastructure generally, and health care specifically,” Finn added. “As we ride out the remainder of 2021, it's within your power to ensure that the economic impacts of the digital transformation on your organization are net positive – assuming you make the right, proactive decisions to protect your assets, patients, and environment now.”

CynergisTek provided a number of recommended focus areas for providers to support proactive security measures, including the need for routine exercises and practice drills to test all components of the enterprise that can be used to create a response playbook.

Further, health care organizations need to prioritize securing the supply chain, which should include an assessment of current investments and a detailed plan on how to quickly remediate any vulnerabilities based on a full risk assessment of third-party vendors’ access and data in their possession.

Jeff Reichard, senior director of enterprise strategy at Veeam, recently told SC Media that use of the NIST CF and guidance from the Healthcare & Public Health Sector Coordinating Council provides health care entities with clear security advice.

“It’s critical that industry stay involved in driving better security practices and demonstrating leadership," said Reichard. “Ransomware adversaries not only steal and encrypt data, but now they threaten to corrupt data in place. It’s critical that healthcare providers know they have backups of all critical data that cannot be changed, even if an adversary gets administrative credentials.”