Global healthcare sector bleeds $11m per breach amid rising cyberattacks
July 9, 2024
Joy Agwunobi
The first three quarters of 2023 saw an alarming escalation in cyberattacks targeting the healthcare sector, with an average of 1,613 attacks per week, nearly quadrupling the average number of attacks observed across all sectors. This surge in cyberattacks has had devastating financial consequences, with the average cost of a breach in the healthcare sector hitting $11 million, three times higher than the global average across all sectors.
This has resulted in the healthcare sector being the costliest sector for cyberattacks, putting a heavy burden on healthcare organisations as they strive to maintain their systems’ security, according to a recent report by KnowBe4, a leading provider of security awareness training and simulated phishing platforms.
The report, titled “Hacked Healthcare: A Global Crisis in Cybersecurity”, highlighted the alarming state of the cybersecurity crisis within the healthcare sector that is particularly affecting hospital groups worldwide and how cybercriminals are increasingly targeting this critical sector.
The KnowBe4 report uncovered a global healthcare cybersecurity crisis, with healthcare facilities across Africa, North America, Europe, Asia, and beyond all struggling with similar challenges. Ransomware attacks were identified as the most prevalent and successful type of cyberattack on healthcare organisations over the past two years, accounting for about 70 percent of all successful attacks.
The report also exposed a widespread security vulnerability that spans across all sectors, with the majority of cyberattacks beginning with phishing or social engineering tactics.
According to the report, between 79 percent and 91 percent of all cyberattacks begin with these tactics, which enable cybercriminals to gain unauthorised access to accounts or servers. This initial infiltration can then serve as the entry point for more severe breaches.
KnowBe4 also pinpointed healthcare and pharmaceutical organisations as some of the most susceptible to phishing attacks, with employees in large organisations in these sectors having a 51.4 percent likelihood of falling victim to a phishing email.
According to the report, Africa stands out as the region with the highest average number of weekly cyberattacks per organisation in 2023, with an average of 1,987 attacks. Moreover, one in every 19 organisations in Africa experienced an attempted attack every week, an increase of seven percent over 2022.
The report also underscored the lack of digital security infrastructure in Africa, a region where the priority has been on developing reliable electricity and internet connectivity to support business growth. As a consequence, the report reveals that approximately 90 percent of African businesses are operating without proper cybersecurity protocols, exposing them to a range of cyber threats such as hacking, phishing, and malware attacks.
KnowBe4 explained that hospitals have emerged as highly attractive targets for ransomware attacks due to the unique combination of factors that make them vulnerable. These factors include the extensive patient databases and sensitive information, as well as the interconnected systems and equipment that hospitals rely on, which provide a wide range of entry points for cybercriminals.
The fragility of these systems is further compounded by poor cybersecurity measures, making hospitals easy prey for cybercriminals who can seize control of entire hospital networks, potentially gaining access to sensitive health information, financial data, and insurance information.
Stu Sjouwerman, CEO of KnowBe4, noted that the healthcare sector remains a prime target for cybercriminals seeking to exploit the life-or-death scenarios hospitals encounter. He added that with patient data and critical systems often held hostage, many hospitals feel compelled to pay exorbitant ransoms.
According to Sjouwerman, the challenge can be disrupted by prioritising comprehensive security awareness training. He also stressed the importance of empowering employees and fostering a positive security culture as an effective defence against phishing and social engineering attacks.