Organizations in the healthcare sector face particularly acute cyber threats. They confront unique risks due to a range of factors — from the huge amount of sensitive data they store to the perception that they are lucrative targets for ransomware gangs. Cybercriminals recognize that there are many vulnerabilities in the healthcare sector, which has led to a surge in cyberattacks.
Data breaches and other cyberattacks on healthcare organizations aren’t just capable of inflicting a severe financial blow to victims; they can also interrupt the delivery of life-saving medical treatment to patients in need and compromise critical information for millions. This is one reason cybercriminals target the sector — they recognize that they can coerce organizations into paying a ransom if patients’ health is on the line. While security leaders and teams at healthcare organizations are aware of these threats and have taken steps to mitigate them, the number of successful breaches in the sector demonstrates that more must be done to keep patients safe.
There are many ways to protect patients and data from cyberattacks, such as system-wide security assessments of devices and networks, a focus on third-party risk (including vendors and software security), and cybersecurity awareness training for staff. CISOs and other security leaders at healthcare companies must remind their colleagues and organizational leadership that cybersecurity is everyone’s responsibility. With so much at stake, it’s vital for every organization in the sector to provide its security teams with the resources and support needed to establish a culture of cybersecurity.
The healthcare sector is under assault
While cyberattacks are becoming increasingly damaging and difficult to repel for companies in all industries, the healthcare sector has been hit particularly hard in recent years. According to IBM’s latest Cost of a Data Breach Report, the average cost of breaches in the sector is far higher than any other — $10.9 million globally versus an overall average of $4.45 million. Over the past three years, the cost of a healthcare data breach has skyrocketed by more than 53 percent, well above the average increase of 15 percent in all industries.
Earlier this year, Change Healthcare suffered a major cyberattack which led to one of the largest medical data breaches of all time. The company is responsible for between one-third and a half of all healthcare transactions in the United States, which means millions of Americans’ sensitive health data was stolen. Change Healthcare later admitted that the breach affected a “substantial proportion of people in America.” The stolen data includes insurance information, health records, billing data, and sensitive personal information such as Social Security numbers.
Beyond the massive breach, the Change Healthcare cyberattack caused large-scale disruptions of payment and prescription processing, which delayed access to medication and care for many people. The attack had particularly devastating consequences for small clinics and health providers, nearly one-third of which said they could not make payroll due to the financial impact. The American Medical Association reported that many of these clinics faced the possibility of closure. The attack on Change Healthcare was a stark reminder that the healthcare sector remains a top target for cybercriminals.
Assessing unique cyberthreats in healthcare
There are several reasons the healthcare sector is a magnet for cybercriminal activity. First, there’s the value of the data that’s collected, processed, and stored by healthcare providers. Second, hospitals, clinics, and other organizations in the sector are under immense pressure to get networks and systems running after operational disruptions, as failing to do so will impede access to care and can even be life-threatening. Third, the healthcare sector has undergone sweeping digitization in recent years, a process that’s accelerating with the deployment of AI and medical technology.
Despite the profusion of healthcare cyberattacks, organizations in the sector are struggling to meet this challenge. Healthcare organizations spend only around 6 percent of their IT budgets on cybersecurity, though this proportion is on the rise. While the healthcare sector is increasingly focused on cybersecurity, the surging number of breaches indicates that the cyber threat landscape has gotten the better of us. For example, the growing reliance on electronic health records, diagnostic tools, and patient-facing digital resources like telemedicine has given cybercriminals far more attack vectors to exploit. COVID-19 accelerated the digital transformation in healthcare, and it’s clear that cybersecurity hasn’t evolved quickly enough to meet this challenge.
In many cases, it only takes one entry point for cybercriminals to shut down entire healthcare systems. At a time when healthcare companies are increasingly dependent upon highly interconnected digital networks, it has never been more important to ensure that all potential attack vectors are guarded.
Preventing a new wave of healthcare cyberattacks
Security leaders in the healthcare sector recognize that they confront more cyberthreats than ever before. In 2023 alone, healthcare breaches in the United States affected 134 million people. Over the past five years, there has been a 264 percent spike in ransomware incidents, and the cost of data breaches in the healthcare sector continues to increase more rapidly than in other industries.
Healthcare companies need distributed defenses capable of providing robust cybersecurity across the entire attack surface. This is why effective cybersecurity awareness training is more important than ever — cybercriminals often use social engineering to manipulate employees into providing critical information or access, and this problem is particularly urgent in the healthcare sector. Chris Callahan, regional director of the Cybersecurity and Infrastructure Security Agency (CISA), explains that the “biggest risk sector is employees.” Phishing is by far the most common initial attack vector in the healthcare sector, which means many employees don’t know how to recognize and prevent social engineering attacks.
Organizations in the healthcare sector can take immediate action to address the threat of social engineering. Employees can be trained to identify phishing messages and other cyberattacks in progress. For example, cybercriminals often rely on psychological vulnerabilities such as fear and obedience to manipulate their victims, and well-trained employees can recognize when a message is coercive or threatening. Employees should also be using the most effective cybersecurity tools, such as password managers, VPNs, and multi-factor authentication. When they notice something suspicious, there should be clear reporting channels — and nobody should be punished for making a mistake as long as they report it.
While internal cybersecurity awareness is critical, security leaders in the healthcare sector also need to think more broadly. Patients must follow the proper cybersecurity protocols when they provide sensitive information or log into their accounts. Third-party partners and other links in the healthcare supply chain need to have awareness training programs and other security mechanisms in place. CISOs must regularly conduct system-wide assessments of their cybersecurity posture. And those at the very top of every healthcare organization need to provide their security teams with the resources and support they need to do the job. By adopting a comprehensive approach to cybersecurity, organizations in the healthcare sector can start to turn the tide against the cybercriminals who are waging war on them.
About Zack Schuler
Zack Schuler is the Executive Chairman and Founder of NINJIO, a leading Cybersecurity Awareness Training company. With over 1,000,000 viewers a month, NINJIO empowers employees at some of the world’s largest organizations to protect themselves against cyberthreats and scams. Prior to NINJIO, Zack founded Cal Net Technology Group, an I.T. Consulting and Security firm in 1995. Zack grew Cal Net into one of the larger MSPs in Southern California before selling the company to a private equity firm in 2013. He holds a B.S. from California State University Northridge and has served on the boards of charitable groups supporting children’s causes, opportunity & empowerment, and education.