Cyber Risk Due Diligence: A Game Changer For Healthcare M&A


A cyberattack can amount to a billion-dollar problem. As consolidation continues, leaders must make cybersecurity an integral part of strategy and due diligence.

Paul Mee, Ann Kaplan, and Rachel Burstain


Various reports suggest that the average cost of a healthcare cyberattack hovers around $10 million. While that’s a significant number, the real figure could be upwards of 200 times larger. Factoring in the loss of critical IT systems, lawsuits and regulatory fines, hits to consumer loyalty, and other factors, we estimate that the potential impact of a major cyber event could reach into the billions. That’s not hyperbole. Last year’s Change Healthcare breach is now estimated to cost UnitedHealthcare Group $2.9 billion in direct remediation, payments to providers, and disruption to services. And that’s just for the company’s 2024 financials.

Viewing the Change Healthcare incident as an outlier is arguably a mistake. Similarly, focusing solely on the amount of ransomware demand or the specific impact on the operations of a hack is shortsighted. Cyberattacks have a lasting effect across the healthcare system more broadly, stretching from the primary target to vendors and, ultimately, patients.

The problem is only getting bigger as consolidation continues to sweep across the industry. Mergers, acquisitions, partnerships, and alliances increase vulnerabilities. One study found that the likelihood of a breach doubles the year before and the year after a hospital merger closes. Simply put, an organization is only as strong as its weakest link.

It’s more important than ever that cybersecurity becomes an integral part of due diligence, whether that’s for M&A, contracting with a new vendor, or launching a digital tool. It is the responsibility of the C-suite and Board to make that happen.

Understanding how cybercriminals get in

Organizations typically start paying the most attention when an attack is detected and reported. But a sequence of events unfolded long before that point. Cyberattacks don’t happen in a vacuum and are not technology issues alone. Recognizing how the dominos fall is crucial.

1. Trigger event: The announcement of a merger, acquisition, or partnership spikes interest among cybercriminals. Launching a new venture, such as a digital tool or a new leadership structure, can also create vulnerabilities. Bad actors often seize these opportunities to test an organization’s systems, data architecture, and access points.

2. Penetrating defenses: Cybercriminals have become extremely sophisticated and use multiple methods to infiltrate an organization, including phishing attacks and exploiting weak multi-factor authentication. Artificial intelligence, especially generative AI, is becoming another weapon in their arsenal, allowing them to create targeted and refined phishing attacks, for instance. Subsidiaries, business associates, and other vendors can act as a backdoor into a network. Vulnerable points of entry include everything from patient monitoring devices to the seemingly innocuous HVAC system. As noted above, weaknesses also arise before and after an acquisition is finalized and before technology systems are fully integrated. According to an IBM survey of security leaders from multiple industries, more than 30% of executives at acquiring organizations reported experiencing a data breach during integration, while one in five faced a breach after the process was completed.

3. Biding their time: Once inside, hackers can remain undetected for extended periods, gathering intelligence on the organization’s systems and defenses. The global median dwell time — the number of days an attacker goes undetected — in 2023 was 10 days, according to a Google Cloud report. Nearly 28% of intrusions went unnoticed for up to 30 days and 22% went unnoticed for up to six months.

4. The attack: Once an attack is fully recognized and appreciated, it is likely too late. The consequences can be dire, ranging from stolen patient information, which can sell for 10 times the rate of credit card numbers on the black market, to bugs that cripple operations. A ransomware attack at Ann & Robert H. Lurie Children’s Hospital of Chicago last year stretched on for five months before access to the electronic health record system, patient portals, and other systems was restored.

Attack consequences

The ramifications of a cyberattack extend beyond immediate financial losses. Leaders must be aware of the broader implications and understand how costs can quickly add up.

Operational impacts: Organizations might face permanent data loss due to inadequate backup measures or faulty encryption. Additionally, clinicians may have to revert to paper-based workflows, impacting everything from documentation and coding to prescribing, as was the case at Lurie Children’s in Chicago. Other attacks, like WannaCry in 2017, directly impact medical devices in hospitals.

Financial consequences: The financial implications of a breach can be staggering. Ransomware payments alone can be sizeable, averaging $9.5 million in healthcare last year. Nearly 60% of healthcare organizations paid more than the original ransomware demand, according to one study, trailing higher education at 67%. One payout for an undisclosed company reportedly hit $75 million. Additionally, class action lawsuits in healthcare have resulted in settlements hitting as much as $115 million. Operational downtime can cost organizations between $100 million and $2 billion, depending on the severity of the disruption.

Regulatory costs: Several federal and state laws govern cybersecurity and contain stiff penalties for a violation. Healthcare entities can be fined between $50 and $50,000 per exposed record under HIPAA. While there’s an annual cap, penalties can extend out for multiple years. Organizations are also fined if they fail to report a breach to federal regulators in a timely manner. Based on our experience, we estimate that regulatory compliance costs can range from $10 million to $200 million, depending on the complexity of the breach and the regulatory landscape.

Reputational damage: The reputational damage resulting from a cybersecurity incident can be long-lasting, with consumers losing faith and trust in an organization. In fact, 66% of consumers in one survey indicated that they would not trust a brand that fell victim to a cyberattack. Reputational damage also extends to investors and markets. Healthcare companies saw the largest drop in share prices following an attack, ahead of finance and manufacturing, according to an analysis of New York Stock Exchange-listed companies. Across industries, it can take nearly two months for stock prices to regain their pre-breach levels.

The importance of due diligence

With the stakes being so high, it is imperative for healthcare executives to conduct thorough due diligence, especially during M&A. This includes evaluating the cybersecurity strengths and weaknesses of potential partners, understanding their data protection measures, and their response time. Strong vendor management practices are also essential.

Getting a comprehensive view of a potential partner’s employee training program is also important. Not only do staff need to be regularly trained to recognize phishing attempts and other social engineering tactics, but organizations must also foster a culture of accountability in safeguarding sensitive data.

Before entering M&A negotiations or another trigger event, leaders must establish a strong cybersecurity governance framework. That framework should become an integral part of an organization’s overall strategic plan. The risks of inaction to the organization and patients are too great to overlook.
