But then again, that number could be far smaller than the true figure, because it only accounts for the cases that are reported (and not for cases that impact less than 500 people).

"A lot never get reported," say Mark Weatherford, chief cyber security strategist at vArmour. "That's not endemic of the health care industry, because it happens everywhere. And it happens for a lot of reasons."

Health care's specific security needs

vArmour is a data center and cloud security company, focusing heavily on health care as well as other industries. The company brought on Weatherford in November 2015 to continue its endeavor to thwart would-be cyber criminals. Meg McCarthy, former executive vice president of operations at Aetna, was appointed to the company's board the same month to provide insight into health care's specific security needs.

Sometimes the lack of reporting is because organizations aren't immediately aware of a breach, and once they encounter it, they remediate it themselves and move on rather than reporting, says Weatherford.

Related: What are the leading causes of data security breahces?

"In the case of Anthem, [the breach] impacted stock price, company morale, the ability to bring in new clients and customers," Weatherford says. "The finance industry found this out in the early 2000s — data breaches mean customers go elsewhere. So, the rationale for health care providers is to not make this data public."

But not reporting has its own serious consequences. When patients aren't made aware of a hack or breach, but then suddenly can't receive care or begin receiving random bills for services, the fallout can be can disastrous, says Weatherford.

Unlike other hackable industries such as finance, health care organizations have not ramped up investments to account for strong IT security measures.

Keith Stewart, vice president of strategic markets and business development at vArmour, says, "The health care industry is in an awful space pinched between two forces. They are underfunded and under-focused on this problem, which is a painful combo."

Weatherford agrees, saying that despite being on the forefront of cutting edge technologies, the health care sector has some serious catching up to do when it comes to investing in security. "You can make an easy case that what [health care] is trying to protect is more important, because it's their clients' most sensitive information," he says.

Yet, health care security measures have fallen short and if something isn't done soon, more cyber attacks are on the horizon. That means more impacted patients and more financial damages.

The financial burden

With the expansion of electronic health records (EHRs) and the growing use of the Patient Protection and Affordable Care Act (PPACA) online marketplaces, amongst other technological advances in the health care sector (think increasing use of wearables and data sharing), the health care field has never been as exposed as it is today.

Research from a 2012 Ponemon Institute survey says that 94% of hospitals surveyed had suffered a data breach, estimating the total cost of handling these incidents at $7 billion a year. That's not far off from the actual $6 billion figure the Workgroup for Electronic Data Interchange (WEDI) attributed to damages and costs caused by cyber attacks on health care in the 12 months leading up to the June 2015 publication of its paper "Perspectives on Cybersecurity in Healthcare."

$142,689,666 expenditure 

Looking at cyber security from a compliance point of view, several health care organizations could find themselves on the wrong end of HIPAA fines after a breach. But those fines won't be the biggest cause of financial concern.

According to the 2013 Ponemon "Cost of a Data Breach" report, mediating a breach costs in the range of $233 per comprised health record. When you add in other expenses — legal actions, new security investments, protection services, etc. — that's when the final numbers can really add up. Just ask WellPoint, the company Anthem bought back in 2004.

When the WellPoint breach exposed 612,402 people's health information, HIPPA issued a fine of $2 million. Manageable for a major corporation, right? Well, according to a SANS report, that $2 million fine quickly turned into a $142,689,666 expenditure after all was said and done.

In other instances, breaches go unnoticed entirely.

Why now?

But why are cyber criminals suddenly interested in medical data? According to WEDI, formed in 1991 and appointed in 1996 as the IT advisor to HHS, personal health information is more valuable than credit card numbers on the black market. The heightened value of health data — credit card information fetches $2 a record versus health data's $20 — on the black market is perpetuated by the increased amount of personal information that can assist in identity theft, but also because security breaches are often harder to catch and mitigate in health care. In other words, some stolen health data will be sold before anyone even notices it's missing.

And hackers aren't just stealing data anymore; they're holding it hostage.

"Ransomware is becoming an epidemic," Weatherford says. "Health care has been hit harder than anyone by ransomware and there have been very public events."

Related: Businesses and their insurers face threat from ransomware

Ransomware is a type of malware that can be installed on computer systems, restricting access until a ransom is paid.

Weatherford says that, until now, because of ransomware's lack of sophistication, many organizations have opted to pay the relatively low ransom rather than struggle to contain the problem internally. Ransomware attacks are usually intended for quick payoffs, not long-term damage to an organization.

Price is going up

But now, the price is going up, according to Weatherford. While ransomware hackers used to ask for sums somewhere in the range of $300 to $400, a recent ransomware attack saw Hollywood Presbyterian Hospital pay $17,000 in bitcoin ransom to regain control of its system. And that figure doesn't account for the lost revenue the hospital suffered when its system was offline during the debacle.

In May, Kansas Heart Hospital in Wichita, Kansas was also the target of a ransomware attack. Unlike Hollywood Presbyterian though, giving into hacker demands proved fruitless when the cyber criminals didn't restore access to the hospital's systems. Instead, they just asked for more money.

Although hospital President Dr. Greg Durick said patient information was never at risk and hospital operations weren't affected, this sets a dangerous precedent. While health care providers may want to quell any threat by playing ball, there is no guarantee today's cyber criminals will stick to the rule book.

And why would they? With health care providers lacking the necessary resources to thwart or even contain hacks (a Symantec study says 52% of surveyed hospital IT specialists allocate 0% to 3% of its budgets to security endeavors), cyber criminals are the ones dictating the terms, not the institutions tasked to save lives and protect patient information.

IoT adds opportunity

Add in the introduction of the Internet of Things (IoT) — a network of physical devices that are connected and able to communicate through software — and modern health care is teeming with opportunity, both for providers and cyber attackers.

Results from the 2014 SANS "Securing the Internet of Things Survey" says that the health care and pharmaceutical sectors will be among those that experience the highest level of near-term deployment and use of IoT devices. Because of this, cyber criminals are gearing up to find new ways of using IoT to expand their potential target points.

Christian Renaud, IoT research director at 451 Research, says that although hospitals have been slow to evolve in the past, IoT can help with the industry's tedious tasks, like paperwork and filling in EHR gaps.

Because IoT is still in its early stages, says Renaud, knowing where the vulnerabilities lie may be problematic. That said, in order to embrace the benefits of IoT and avoid some of its shortcomings, businesses need to transform.

Ability to detect a sophisticated attack

"Last quarter, the number one barrier for adoption of IoT was organizational change, not the technology," he says.

Organizational change means the retraining of staff to adequately adapt to the technology in order to avoid user error, a top reason for security problems says Renaud. Today, plenty of organizations are deploying IoT trials, but the main concern has shifted to security — a worry that is specific to health care.

That worry is warranted, in health care and beyond. An EY report notes 70% of the most commonly used IoT devices contain vulnerabilities, and 56% of survey respondents say it is "unlikely or highly unlikely" that their organization would be able to detect a sophisticated attack.

Although this data shouldn't divert from the potential breakthrough medical advances IoT can achieve, it does invoke uneasiness when considering the possible security ramifications. The two aren't mutually exclusive, which can blunt some of the excitement surrounding IoT's health care applications.

The EY report also states, "While the IoT is entering daily life more and more, security risks pertaining to IoT are growing and are changing rapidly. In today's world of 'always on' technology and not enough security awareness on the part of users, cyber attacks are no longer a matter of 'if' but 'when.'"

Raising the bar

In order for health care to lessen the blow of cyberattacks, changes must happen — and soon. Weatherford says "mom and apple pie stuff" like patching systems, educating users, and using offline backups of data are easy ways for the health care industry to take strides in the right direction.

"The criminal element goes where the pickings are easy and where they can monetize best," Weatherford says. "As we raise the bar in health care, the criminal element will look somewhere else. They'll never go away, but by raising the bar just a little bit, it's like the bad guy rattling your door knob, noticing it's locked, and moving on."

Both Weatherford and Stewart agree that at this juncture, health care either doesn't have or isn't allocating the necessary resources to combat growing cyber security threats. Still, Weatherford says HIPPA and the HITECH Act also need to do more regulatory work to "raise the bar" for health care security.

"Regardless of what happens in the regulatory arena, breaches in the health care industry in the last 12 months are making security a board room conversation," says Stewart. "This is ultimately about protecting critical patient data and maintaining quality of service and trust in health care. No board will disagree with that statement. They just need to get the resources in line."

But getting to that point, Stewart says, "it's going to take longer than we'd like." 

Related: Data breaches continue to increase, according to figures from Beazley