A data breach within a health care system could cost in excess of $10 million—more than in any other sector—according to a new report.
The cost is on the rise, up about $1 million from last year. The uptick is partially due to increasingly integrated technology systems.
The report, released by IBM at the end of last month, collected national data from more than 550 organizations across industries from March 2021 to March 2022, analyzing how cybersecurity attacks impact organizations. Breaches within the health care sector have cost companies $10.1 million per breach, a nearly 10% increase from last year and a 42% increase from 2020. The average cost of a critical infrastructure data breach globally in any industry was just under $4.5 million.
Financial organizations experience the second-most-expensive breaches, at nearly $6 million per breach, IBM reports.
Cyberattacks can happen in many different ways, said Limor Kessem, a principal consultant in cyber crisis management for IBM’s Security X-Force. Destructive attacks and ransomware attacks—wherein hackers disrupt a hospital’s technologies, for example, and ask the hospital to pay a ransom in order to get access back—are disruptive as well as costly.
“Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack,” Kessem told Crain’s. “That’s on top of staff distress and having to revert to manual procedures and paperwork.”
The stakes are particularly high for New York hospitals. According to industry standards, on average every bed in a hospital uses 15 devices that are often interconnected, including monitors and IV pumps, according to Chad Holmes, a product specialist at Cynerio, a cybersecurity company on the Upper West Side. A 1,000-bed hospital could have 15,000 devices that could all be impacted by an attack, he said.
“If a city like New York lost access, that would be really bad for ERs and could have a really bad cascading effect,” Holmes said. If patients had to be diverted from a city health system location but all sites were impacted by a breach, it could have a domino effect, he said.
Health care organizations are more vulnerable to cybersecurity attacks than other systems are because hackers know they are impacted more when technologies aren’t working, Kessem said. Such downtime costs organizations financially, but it also can cost lives if medical systems are disrupted.
The complexity of the technology infrastructure health care systems tend to use also makes them more vulnerable to attacks, Kessem said, and many organizations run outdated programs on devices they use every day, exacerbating the issue.
According to IBM’s report, highly regulated environments such as health care systems wind up paying for data breaches for longer compared with less-regulated industries. Typically a health care organization can take more than 10 months to recover from a data breach.
Cynerio released a report last week that shows hospitals typically have to pay $250,000 to $500,000 to recover access to their technology after a ransomware attack, and there is no real way to recoup those costs, Holmes said. The firm asked 517 hospital leaders about the frequency of attacks; leaders reported that once their system was hit, they got hit many more times afterward. Overall, 11% of the time, health care systems were attacked 25 or more times.
Almost a quarter of cyberattacks Cynerio studied led to increased patient mortality, Holmes said, because attacks disrupted lifesaving medical treatment.
Sher Baig, who works in global cyber commercialization at GE Healthcare, said big hospitals can see losses of up to $50 million in a single quarter because of cyberattacks. The losses are so large they could force hospitals out of business, Baig said, punctuating the need for hospital leaders to have a defense plan in place.
“I highly recommend having an incident response plan, a team in place to carry out the response, and drilling that plan to improve over time,” Kessem said. “A special playbook for ransomware cases can not only save costs for the hospital—about 58% of the breach’s cost—but it can also save lives.”
IBM has released annual reports on the cost of data breaches for nearly two decades. —Jacqueline Neber
August 9, 2022: This piece previously spelled Sher Baig's name incorrectly. His last name is Baig, not Baiz.
The NYC Health + Hospitals board of directors has allowed the Office of Ambulatory Care and Population Health to award contracts with a zero-dollar immediate value to six firms that would provide Covid-19 testing for any future emergencies.
The six vendors each received a two-year contract to provide testing on an “as needed” basis by the city, following the vote last week by the H+H board. The contracts avoid the need to allocate emergency procurement dollars today by setting up financial commitments from the city to vendors based on the need that arises for testing in any Covid-19 outbreaks.
The vendors were chosen following a six-month request-for-proposals process that began in March. Fifteen companies submitted bids. The six vendors will be managed by existing H+H, Office of Ambulatory Care and Test & Trace Corps staff, at no additional cost to the city. All six met city criteria of having at least five years of business in public health testing and experience in deploying health services in an emergency response scenario.
The city said it has worked with four of the six previously. Of the other two, Centena Health had provided the city only with informal coordination work, while Elevation Health currently carries an inactive community testing vendor contract and a subcontract for CIC Health school testing.
The firms are expected to abide by MWBE subcontracting commitments of 30% utilization rates, though Elevation Health is an MWBE itself. Each of the vendors attached MWBE subcontractors to their bid; the companies are expected to utilize the MWBE businesses during the life of the two-year contract.
“For the vendors that we’ve worked with, which are nearly all, they are using subcontractors that they’ve been using previously,” said Chris Keeley, assistant vice president at the Office of Ambulatory Care. “These vendors are carrying forward what has become a successful model of hitting their 30% or greater targets.”
Dr. Theodore Long, senior vice president for ambulatory care and population health and executive director of the NYC Test & Trace Corps, delivered testimony prior to the vote.
“While in the past we’ve done routine testing through community testing sites,” Long said, “we know from omicron there could be a need in the future where we need to drastically surge up our testing capacity.”
He emphasized the city is seeking to create a roster of prequalified vendors that understand the operational expectations, cost structures and reporting obligations in the event of future Covid-19 surges.
He said Dr. Mitchell Katz, president and CEO of H+H, would work with the Office of Management and Budget and the H+H board to fund Covid-19 testing based on the nature of the emergency.
Long provided some future pricing models based on earlier Covid-19 surge scenarios. A scenario such as last summer’s Delta surge would cost the city $75 million for the contracted services, he said, while a surge similar to the winter’s omicron outbreak would cost $26 million.
If it turns out the contracts are not activated, because there is no Covid-19 emergency in the next two years, “there’d be no cost incurred,” Long added.
Expenses are all covered under the T2 memorandum of understanding between OMB and H+H—which is to be extended beyond current expiration dates, Long said.
The contracts begin this month. —Brian Pascus
Organon, a pharmaceutical company in Jersey City that specializes in women’s health therapeutics such as contraceptives, reported $1.5 billion in revenue for the second quarter, a dip of less than 1% from last year’s second quarter, according to the company’s latest financial documents.
The company’s total revenue was down 0.6% overall, while revenue from women’s health products dipped by a little more than 2%, to $408 million. Revenue for biosimilar drugs—ones that are almost exactly like those made by other companies—increased 38%, to $119 million.
Revenue from Organon’s established brands dropped by nearly 3%, to a little more than $1 billion. Other revenue, which includes manufacturing sales to Merck, which spun off Organon in June 2021, dropped by almost 15%, to $40 million. Revenue for the first six months of this year increased by nearly 2%, to $3.15 billion.
Organon’s gross margin for the quarter was 62.9%, a dip of nearly 1%.
According to Organon, because it is now a standalone, publicly traded company, it does not consider its profitability for the quarter to be comparable to last year’s.
Expenses grew by just over 12% from the second quarter of 2021. Organon spent $588 million on sales, a nearly 1% increase. General and administrative expenses rose nearly 2%, to $423 million. Research and expenses grew by nearly 40%, to $106 billion.
Chief Executive Kevin Ali attributed increased expenses to the company’s investments in research and development, including entering into a license and supply agreement with a Shanghai biotech firm for biosimilar drugs.
Operating income was $234 million, down nearly 46%, and net income after taxes was $234 million. The company’s net earnings per share was 92 cents, almost a 45% decrease.
The results have led Organon to slightly adjust its expected revenue for the year, from between $6.1 billion and $6.4 billion to between $6.1 billion and $6.3 billion.
Organon did not respond to a request for comment. —J.N.
Researchers at New York University have cast doubt on whether telehealth creates increased efficiency for physicians compared with traditional in-person care.
A new paper authored by a group of researchers at NYU’s Stern School of Business, Grossman School of Medicine and Tandon School of Engineering argues that telehealth increases the after-hours work burden for physicians.
The researchers concluded that across three distinct time periods in the first year of the Covid-19 pandemic, telehealth delivery was correlated to work-outside-work, or WOW, on a per-appointment basis. The study defined WOW as time spent on work-related tasks outside of clinical hours.
“The assumption was that telehealth makes things more efficient and good for patients, and so it could be convenient and efficient for providers,” said Batia Wiesenfeld, a management professor at Stern who led the study. “That’s not the case.”
Using data from 2,129 physicians at NYU Langone Health from January to August 2020, the researchers examined the impacts of telehealth work—defined as health care services via telecommunications—on physicians’ after-hours workload, particularly electronic health record–based activities.
The researchers found that physicians who more frequently used telehealth had higher levels of electronic health record–based WOW.
The research pointed to structural handicaps. Wiesenfeld noted that traditional health care delivery has an entire support system for in-person care, but those same supports aren’t built in for telehealth.
“The nursing staff, the medical assistants, the whole infrastructure that goes along with in-person visits has not been built out for telehealth,” she said, “so the doctors are doing everything.”
Wiesenfield, who has examined virtual work since the late 1990s, said she has noted a burnout crisis among health care providers.
“If telemedicine increases the after-hours work burden, it might exacerbate this worrisome trend,” she said.
Even in the after-acute pandemic phase, in which overall appointments declined, the decrease in average WOW for physicians was due to a decline in caseloads rather than any benefits or efficiencies created by telemedicine, the study noted.
The results come after more than two years of the Covid-19 pandemic, during which telehealth has grown considerably. NYU Langone, the study’s setting, offered only limited telehealth services prior to the pandemic, and telehealth for primary care services was not available. The hospital scaled up its telemedicine abilities at the outbreak of the pandemic to include primary, ambulatory specialty practice and urgent care. Its virtual health system experienced an 8595% increase in monthly telemedicine visits between February and April 2020, according to the study.
The paper said that prior to the pandemic, some studies in clinical care had identified potential benefits to telehealth, including improved access to underserved locations, lower costs and greater convenience.
The study referenced research conducted on the effect of telework in other professions to better understand the impact of telehealth on physicians’ efficiencies. The researchers said telework studies in engineering, consulting and software development have found that some workers credit telework for increased job satisfaction and greater work-life balance.
But the researchers also pointed to studies that documented some negative effects of telework in such industries, notably reduced career development and feelings of lower confidence and energy due to a lack of engagement with colleagues.
“Learning from other industries, where telework is more established, can help identify areas of need and opportunity in future telemedicine to help enhance the end results for both patients and health care workers,” Wiesenfeld said.
The paper is expected to be published in the Journal of Medical Internet Research. —B.P.
NOW HIRING: Health care employers added just under 70,000 jobs to the sector last month, Modern Healthcare reported Friday, more than 13% of hires across the economy. Ambulatory care providers added the most jobs at just over 47,000; hospitals added just under 13,000 jobs and dentist offices made just under 10,000 hires, almost triple the hires they made in June. Only other ambulatory services providers cut jobs in July. The health care sector has added more than 380,000 jobs so far this year.
NEW ACQUISITION: Flatiron-based employer brokerage firm Nava is acquiring health care benefits company i2 to enhance its ability to help employers in the tristate area with their health care costs, Nava reported today. This is the firm’s first acquisition. The company closed a $40 million Series B in June.
SENIOR SERVICES: The city’s department of social services has awarded Bronx-based nonprofit Fordham Bedford Community Services just under $1.5 million to provide tenant services for seniors living in affordable housing in the Bronx, the City Record reported Monday. Fordham Bedford, which was established in 1980, provides property management services to distressed or unsafe buildings and also works to preserve community housing.
WHO'S NEWS: The "Who's News" portion of "At a Glance" is available online at this link and in the Health Pulse newsletter. "Who's News" is a daily update of career transitions in the local health care industry. For more information on submitting a listing, reach out to Debora Stein: [email protected] .
CONTACT US: Have a tip about news happening in the local health care industry? Want to provide feedback about our coverage? Contact the Health Pulse team at [email protected]
Staying current is easy with Crain's news delivered straight to your inbox, free of charge. Click below to see everything we have to offer.
Don't miss the chance to get the biggest news first! Stay connected to New York business news in print and online
Crain’s New York Business is the trusted voice of the New York business community—connecting businesses across the five boroughs by providing analysis and opinion on how to navigate New York’s complex business and political landscape.
685 Third Avenue New York, NY 10017 (212) 210-0100