Healthcare pays the highest price of any sector for cyberattacks — that's why cyber resilience is key

The healthcare industry has become the prime target for cybercriminals due to the vast amount of sensitive patient data it holds and the criticality of its operations.

The sector has been rapidly adopting digital technologies such as electronic health records (EHRs), telemedicine and Internet of Things (IoT) devices. While these technologies bring numerous benefits, they also expand the attack surface, providing more entry points for cybercriminals.

In 2023, for the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of $10.93 million, which is almost double that of the financial industry, which came second with an average cost of $5.9 million. Protecting these digital assets is essential to maintaining the confidentiality, integrity and availability of patient information.

Modern healthcare relies on interconnected systems and networks for efficient delivery of services. The interconnected nature of these systems means that a security breach in one part of the network can potentially compromise the entire healthcare infrastructure. Ensuring cyber resilience is essential for maintaining the continuity of operations and preventing cascading failures. Cyberattacks on healthcare systems can have direct implications for patient safety.

Disruption of critical healthcare services, manipulation of medical records or unauthorized access to medical devices can put patient lives at risk. Cyber resilience measures are essential to safeguard patient safety and prevent harm.

But they are also an existential risk to healthcare organizations. This was demonstrated in June 2023, when St. Margaret's Hospital in the US became the first healthcare institution to permanently cease operations due in part to the fallout of a ransomware attack. In the same month, HCA Healthcare — which operates 180 hospitals and 2,300 ambulatory sites — was breached, affecting as many as 11 million patients.

Between January 2020 and February 2021, of the 293 breaches known to have exposed health records, 57.34% of the affected organizations have publicly disclosed how many records were exposed. The number of records exposed in this period reached a total of nearly 106 million records. So, barring duplicates, the equivalent of 1 in 3 Americans may have had their health record breached in the 14 months that were analysed.

In 2015 Anthem Inc. disclosed that hackers had stolen 79 million records containing patients and employee data. Compromised data included names, addresses, Social Security Numbers, birth dates, medical IDs, insurance membership numbers, income data and employment information. Anthem faced several civil class-action lawsuits, which were settled in 2017 at a cost of $115 million.

Healthcare providers hold a position of trust in society. The extraordinary degree of sensitivity of the data, and the high degree of public expectations towards the sector, means that any compromise of patient data or disruptions in services erode this trust and can damage the reputation of healthcare organizations. Cyber resilience is essential for maintaining the confidence of patients, partners and the public.

The convergence of increased cyber threats, the digitization of healthcare, interconnected systems, patient safety concerns, regulatory requirements, financial implications and the importance of maintaining public trust collectively underscore the critical need for cyber resilience in the healthcare sector.

Given the criticality, scale and inter-connectedness of the healthcare industry, it is clear that no single organization or government entity can tackle the issue of cybersecurity alone. A collaborative and systemic approach within the ecosystem is key — cyber resilience must be viewed beyond just the confines of any one organization.

Public and private sector collaboration is crucial for building cyber resilience in the healthcare industry. Taking a systemic approach to cybersecurity involves recognizing that the healthcare ecosystem is an interconnected network of organizations, technologies and individuals. Building cyber resilience requires not only protecting individual entities but also ensuring the robustness of the entire ecosystem to withstand and recover from cyber incidents.

During the Cyber Insecurity, Analysed workshop at this year's Annual Meeting in Davos, leaders focused on three key priorities: Educating boards and engaging leadership on the importance of cyber resilience; building relationships and communities between organizations to secure the ecosystem; and developing an industry playbook that includes shared practices amongst the different stakeholders.

These findings are relevant to the healthcare industry and will directly contribute to making it more cyber resilient.

But across other industries, too, there are resources available to bolster cybersecurity. The World Economic Forum’s Cyber Resilience Initiative across industries enhances resilience by:

Cyber Resilience in Electricity

Cyber Resilience in Oil and Gas

Cyber Resilience in Manufacturing

Cyber Resilience in Cities

Cyber Resilience in Transportation

Cyber Resilience in Aviation

Cyber Risk and Corporate Governance

The World Economic Forum Centre for Cybersecurity’s objective is to support every individual and organization to securely benefit from ongoing digital and technological progress.

The Centre for Cybersecurity provides an independent and impartial platform to reinforce the importance of cybersecurity as a strategic priority and drive global public-private action to address systemic cybersecurity challenges. The Centre welcomes organizations from the private sector, public sector, civil society, academia and international organizations who can share expertise and thought leadership to build a more resilient future.