Scroll Top

Healthcare IT Spending Increasing Due to Attacks on HIPAA Data


Healthcare spending in the U.S. — which is the highest among developed countries — accounts for 18 percent of the nation’s gross domestic product, or about $3.5 trillion, according to the Centers for Medicare & Medicaid Services, and that figure is projected to soar over the next decade.

Rising cyber-attacks on healthcare has been due to outdated IT systems, fewer cybersecurity protocols and IT staff.  Healthcare Data is valuable to hackers and due to the need for medical practices and hospitals to get services back up and running leads the industry to pay ransoms quickly to regain data and get back to providing services.

The insider threat is the number one security challenge for hospitals, according to a recent survey.  More than half of insider incidents in healthcare involve the theft of customer data due to its value on the Dark Web about $100.00 per record.

Healthcare will suffer 2-3X more cyberattacks on average which is much higher than other industries. Why? Inadequate security practices, weak and shared passwords, plus vulnerabilities in device code, exposes hospitals to hackers’ intent on hacking the treasure troves of patient data.

Healthcare Breach Statistics (HIMMS):

  • As of November 30th, 2022, OCR settled or imposed a civil money penalty in 126 cases resulting in a total dollar amount of $133,519,272.00 or $1,059676.76 per case
  • A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015)
  • Ransomware attacks on healthcare organizations are predicted to quadruple in 2023 

Potential Threats to Healthcare in terms of Concern (HIMMS):

The U.S. Department of Health and Human Services (HHS) Breach of Unsecured Protected Health Information lists 592 breaches affecting 500 or more individuals’ data that are currently under investigation by the Office for Civil Rights. 306 of the breaches were submitted in 2020.

A recent HIMSS Cybersecurity Survey showed that nearly 60 percent of hospital representatives and healthcare IT professionals in the U.S. said that email was the most common point of information compromise.

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see. Many hospitals use an outside vendor to do the job.

The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation, and the service disruption.

Gartner predicts that 25% of breaches will come from IOT devices.

60 percent of medical devices were at end-of-life stage, with no patches or upgrades available.

 Healthcare IT Spend Statistics?

 Increased spending on IT and especially Cybersecurity is needed

  • 4% to 7% of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry
  • In 2021 Healthcare IT Budget Spend survey shows that the percentage of the budget dedicated to cybersecurity are as follows (Statista):
  1. 18% of respondents said 1 – 2 percent of budget is dedicated to cybersecurity
  2. 22% of respondents said 3 – 6 percent of budget is dedicated to cybersecurity
  3. 15% of respondents said 7 – 10 percent of budget is dedicated to cybersecurity
  4. 42% of respondents said no percent was carved out

Change in Cybersecurity Budgets 2020 to 2021 (HIMMS):

Impact if Cybersecurity Budget Increases 2020 to 2021 (HIMMS):

Something to keep in mind HHS´ Office of Civil Rights will consider the efforts and due diligence the Covered Entity has made to prevent unauthorized disclosures when calculating what penalties to impose.  Often Healthcare entities can prove that there isn’t any negligence; however, if the individual whose PHI has been illegally disclosed brings a civil action against the Covered Entity, a court may not take the same view.


Related Posts

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.