August 30, 2023
David Burda

Healthcare Cyberattacks: Real Money, Real Lives, Real Risks

I’ve never added up the time I spend each day fending off cyberattacks. Listening to and then deleting robocalls on my landline answering machine. Deleting spam emails on my laptop. Deleting suspicious texts on my smartphone. Deleting unwanted invitations on my social media channels.

It’s become ritualistic, and I bet it adds up to an hour or more each day as I’m always working on my phone, tablet or laptop. It’s tough enough doing your job without needing to swat away these attacks like flies buzzing around your head, waiting for you to walk away from your ham sandwich.

I’m just one person doing one job in one room. I can’t imagine what it’s like being the CEO of a hospital or health system with thousands of employees and thousands of patients in thousands of rooms.

Three recent developments drove home the seriousness of the cybersecurity threat facing healthcare. Not that the threat wasn’t real before. But it’s certainly getting real now.

In late July, IBM released its annual Cost of a Data Breach report. The 78-page report is based on data breach experiences at 553 companies or organizations in 16 countries across 17 industries. The average cost of a data breach in healthcare, which the report defined as hospitals and outpatient clinics, was $10.9 million this year, up 8.2% from $10.1 million in 2022. That was the highest of any of the 17 industries and more than double the $4.5 million average for all industries combined. $11 million per breach is some real money.

Earlier this month, The Joint Commission issued a seven-page Sentinel Event Alert on cyberattacks and patient safety, saying cyberattacks can have a “disastrous” effect on patients, causing care disruptions that could harm patients. The private accrediting body outlined seven recommendations for healthcare organizations like hospitals to minimize the risk of a cyberattack on patient safety. I’ve always thought of The Joint Commission as the Johnny-come-lately of patient safety. It never predicts an issue, is ahead of an issue or is in front of an issue. It’s always happy to wade in after everyone else is wet. Maternal mortality and health equity are two recent examples. But my point is this: If The Joint Commission is weighing in on cyberattacks and their risk to patient safety, it must be real as in real lives.

Also in August, researchers at the University of Texas at Dallas published an 88-page paper on how merger and acquisition activity by hospitals affected their risk of a cybersecurity attack. According to the paper, the risk of a cyberattack doubles in the two years surrounding a hospital consolidation. The probability of an attack was 6%, starting a year before a deal closed and running through the year after a deal closed.

The possible reasons for the increased risk included media attention about the deal, which attracted the attention of cybercriminals, and increased IT system vulnerabilities created by consolidating hospitals trying to integrate two separate IT systems. With hospital mergers and acquisitions activity still showing no signs of slowing down, that risk is real.

Real money. Real lives. Real risks. Cyberattacks are a market-altering phenomenon in healthcare.

All I have to worry about is a fake Amazon account suspending my purchases unless I update my account with new credit card information.

Thanks for reading.

To learn more about this topic, please listen to the March 30, 2023, episode of our 4sight Health Roundup podcast, “Ransomware, Cybersecurity and Healthcare,” on 4sighthealth.com.









About the Author

David Burda

David Burda began covering healthcare in 1983 and hasn’t stopped since. Dave writes this monthly column “Burda on Healthcare,” contributes weekly blog posts, manages our weekly newsletter 4sight Friday, and hosts our weekly Roundup podcast. Dave believes that healthcare is a business like any other business, and customers — patients — are king. If you do what’s right for patients, good business results will follow.

Dave’s personal experiences with the healthcare system both as a patient and family caregiver have shaped his point of view. It’s also been shaped by covering the industry for 40 years as a reporter and editor. He worked at Modern Healthcare for 25 years, the last 11 as editor.

Prior to Modern Healthcare, he did stints at the American Medical Record Association (now AHIMA) and the American Hospital Association. After Modern Healthcare, he wrote a monthly column for Twin Cities Business explaining healthcare trends to a business audience, and he developed and executed content marketing plans for leading healthcare corporations as the editorial director for healthcare strategies at MSP Communications.

When he’s not reading and writing about healthcare, Dave spends his time riding the trails of DuPage County, IL, on his bike, tending his vegetable garden and daydreaming about being a lobster fisherman in Maine. He lives in Wheaton, IL, with his lovely wife of 40 years and his three children, none of whom want to be journalists or lobster fishermen.
