Last Updated: March 25, 2024
There’s no doubt about it: cyberattacks are one of the biggest threats to your facility.
With the increasing reliance on electronic health records (EHRs), telemedicine, and interconnected medical devices, healthcare organizations are prime targets for cybercriminals seeking to exploit vulnerabilities for financial gain or to disrupt critical services.
As a leader in your organization, it’s essential for you to understand the landscape of medical cybersecurity — what the threats are and where your vulnerabilities lie — and the measures you need to take to safeguard sensitive patient data and ensure the integrity of healthcare operations.
How common are cyberattacks in the healthcare industry?
Cyberattacks on healthcare organizations occur alarmingly often, and they’re only becoming more common. In 2023, 725 healthcare data breaches of 500 or more patient records were recorded, meaning almost two occurred every day. Just five years ago, this figure stood at 369 [1].
2023 was also the worst-ever year for breached healthcare records, with more than 133 million being exposed during attacks. This represents an increase of 156% from 2022 and means an average of 373,788 healthcare records were breached every day [2].
These statistics only cover successful cyberattacks, and there are many thousands more that are unsuccessful. When it comes to the likelihood of your healthcare facility being targeted, you should consider it a matter of when, not if.
Why do cybercriminals target healthcare organizations?
There are multiple reasons why bad actors are motivated to attack healthcare organizations. The primary reason, though, is financial. Patient health information is incredibly valuable on the black market. Medical records contain a treasure trove of personal data, including Social Security numbers, medical histories, and insurance information, making them lucrative targets for identity theft and fraud.
Another key reason is the high vulnerability of many facilities. Healthcare organizations often have complex I.T. infrastructures comprising old, legacy systems that may have outdated security protocols or software. This makes them an attractive target for cybercriminals looking for easy entry points to infiltrate networks and retrieve sensitive data or deploy ransomware. The nature of life within a healthcare organization also presents an opportunity. In an often hurried and stressful environment, it’s easier for staff to let their guard down and fall foul of phishing attempts or download a malicious file.
What are the biggest cybersecurity threats in healthcare?
1) Ransomware Attacks: Ransomware attacks have emerged as one of the most prevalent and disruptive threats to healthcare organizations. In a ransomware attack, cybercriminals encrypt critical data or systems and demand payment for decryption keys, effectively holding healthcare operations hostage until their demands are met.
HHS reports that ransomware attacks have increased by 278% over the last four years [3]. In 2023, more than 630 ransomware attacks impacted healthcare organizations worldwide, with over 460 of them impacting the U.S. health and public health sector [4].
Ransomware attacks may not always result in a ransom being paid, but they can still be incredibly damaging. On May 9, 2023, Norton Healthcare discovered it had fallen victim to a cyberattack, which it later determined was ransomware. They identified the breach two days after it began on May 7, and started restoring their systems from backups on May 10. While Norton Healthcare didn’t pay the ransom fee, during those crucial 72 hours, sensitive data on 2.5 million people was exposed [5].
2) Phishing and Social Engineering: Phishing attacks, where cybercriminals masquerade as trusted entities to trick employees into divulging sensitive information or clicking on malicious links, remain a pervasive threat in healthcare. Social engineering tactics prey on human error and can bypass even the most robust technical defenses.
In September 2023, it was reported that the healthcare industry was experiencing a 167% increase in advanced email attacks, which included business email compromise (BEC), credential phishing, malware, and extortion [6].
One such attack in 2023 impacted Welltok, a reputable patient engagement organization. Using social engineering tactics to break through secure access points, a hacker exposed the personal health information of over 8 million Welltok users [7].
3) Insider Threats: While external threats often gain more attention, insider threats pose significant risks to healthcare cybersecurity. Typically, these threats originate from former employees, contractors, vendors, or partners with legitimate user credentials who misuse their access to steal data or sabotage systems. However, these threats may also stem from inadvertent actions by well-meaning employees who unintentionally expose sensitive information.
A study into data breaches in healthcare organizations from 2009 to 2017 showed that 25% of breaches were caused by unauthorized access by insiders [8].
What are the biggest cybersecurity vulnerabilities in healthcare?
1) Legacy Systems and Outdated Software: Many healthcare organizations continue to rely on legacy systems and software applications that may lack ongoing support or security updates. These outdated systems are inherently more vulnerable to exploitation by cybercriminals, who can take advantage of known vulnerabilities to gain unauthorized access.
2) Interconnected Medical Devices: The rapid rise of internet-connected medical devices, from infusion pumps to MRI machines, has introduced new cybersecurity challenges for healthcare facilities. These devices often run on outdated operating systems and may lack robust security controls, making them susceptible to compromise and potential patient safety risks.
3) Third-Party Vendors and Supply Chain Risks: Healthcare organizations often work with numerous third-party vendors and service providers, each of which represents a potential cybersecurity risk. Weaknesses in vendor security practices or supply chain dependencies can expose healthcare facilities to indirect threats and compromise sensitive data.
4) People: Though not specific to the healthcare industry, one of the largest cybersecurity threats faced by any organization is its own staff. Whether it’s weak passwords stored incorrectly, failing to log out or lock machines, or a habit of clicking on unfamiliar emails and links, the behavior of those within healthcare organizations can pose a huge security risk.
How do we prevent cyberattacks?
1) Implement Robust Security Measures: Implementing a comprehensive cybersecurity framework is a great place to start. Using tools like encryption, multi-factor authentication, and network segmentation can protect your sensitive data and critical systems from unauthorized access.
To ensure your cybersecurity measures remain effective, you must conduct regular security assessments, preferably on an annual basis. Penetration testing will also help you to identify and address potential vulnerabilities before they are exploited by cybercriminals.
2) Educate and Train Employees: Human error is often the weakest link in cybersecurity defenses. To counter this weakness, you should prioritize employee training and awareness programs to educate your staff about the latest phishing tactics, social engineering techniques, and best practices for safeguarding sensitive information. By fostering a culture of security awareness, you empower your employees to recognize and report suspicious activity promptly, before any damage is done.
3) Stay Vigilant and Be Proactive: Cybersecurity is an ongoing process, not a one-time fix. Remaining vigilant against emerging threats and continuously monitoring your I.T. infrastructure for signs of compromise will help you to maintain strong defenses. By staying informed about the latest cybersecurity trends and investing in proactive threat intelligence, you can stay one step ahead of cybercriminals and mitigate potential risks before they escalate into full-blown attacks.
An Example of the Importance of Cybersecurity
Cybersecurity is no longer something your facility can put to one side; it must be a top priority. The ransomware attack on Change Healthcare in February 2024 [9] demonstrated how attractive data-rich healthcare organizations are to hackers, and how sophisticated cybercriminals are becoming [10]. It’s also a prime example of the damage that cyberattacks can inflict — within the healthcare industry [11] and on the organization’s finances and reputation.
As cybercriminals become more sophisticated, so does cybersecurity and the options available to organizations to protect themselves. It’s a dynamic recently highlighted by I.T. and cybersecurity expert Tom Cunningham, who says healthcare organizations require “a new level of vigilance” as they sit “both at the forefront of innovation and on the brink of extreme vulnerability.”
If your organization’s cybersecurity measures need to be assessed or you already know an upgrade is necessary, CNECT can help. We provide our members with access to cybersecurity specialists, as well as discounted rates on their services and support. One such expert, Jake Reynolds, Director of Offensive Security Services at All Covered, recently answered our members’ burning questions about cybersecurity in healthcare, demonstrating the knowledge he and his team can provide to support your facility.
If you’d like a professional to improve cybersecurity within your healthcare organization, contact the CNECT team today.
Sources
1 https://www.hipaajournal.com/healthcare-data-breach-statistics/
4 https://www.hhs.gov/sites/default/files/ransomware-healthcare.pdf
5 https://www.cybersecuritydive.com/news/norton-healthcare-ransomware-attack/702140/
6 https://abnormalsecurity.com/blog/healthcare-organizations-email-attacks-2023
7 https://chartrequest.com/social-engineering-examples-healthcare/
9 https://www.techtarget.com/whatis/feature/The-Change-Healthcare-attack-Explaining-how-it-happened