December 8, 2023 | Cybersecurity education
The healthcare industry’s top cybersecurity risks
With contributions from Jane Harwood.
The healthcare sector faced an average of 1,684 attacks per week in the first quarter of 2023, making it the third-most targeted industry behind research and military. The industry is a growing target for cyberattackers—and it's no secret why.
Between private practices, treatment centers, medical equipment manufacturers, labs, specialized clinics, and long-term care facilities, the industry offers cybercriminals a breadth of targets.
But the scope of opportunity isn't the only reason cyberattacks are more costly and common than ever.
Why is the healthcare industry targeted?
Four major factors make the healthcare industry an appealing target for cybercriminals.
Valuable personal information
Healthcare providers hold personally identifiable information, medical records, and the billing details of their patients. This valuable data is a hot commodity on the dark web, as criminals may use it for identity theft, health insurance fraud, and other schemes.
A recent Senate white paper notes that personal health information is worth more on the black market than credit card information, fetching hackers anywhere from $10 to $1,000 per record.
Healthcare providers often create and store medical research and intellectual property as well, both of which are valuable, particularly to cyber espionage groups.
High likelihood of demands
Organizations in the healthcare industry may be more willing to comply with attacker demands in order to restore operations quickly and minimize consequences. While a few hours of downtime at a retailer may lead to relatively minor repercussions such as lower-than-usual sales, making patient records inaccessible for any amount of time could create a life-or-death situation. In fact, 24% of hospitals report a rise in mortality rates after a cyberattack.
This is why 42% of healthcare organizations pay the ransom to recover their data, compared with 28% of businesses across industries. Financially motivated attackers who are aware of these statistics target medical practices because payment is more likely.
Open, shareable data
Healthcare information must be open and shareable so on-site and remote staff can collaborate on patient data, but it's important to consider the security implications. A Sensors article on modern healthcare data security noted that there is a need to "balance the security and privacy challenges of opening data sources with the potential benefits of open data for improving research and healthcare delivery."
Healthcare firms also need to integrate with a variety of third-party and fourth-party vendors for their operations—15.5 on average. These companies have some access to patient data but may not meet the same security standards, offering cybercriminals targets that are easier to exploit.
Difficult to secure
The final reason is that healthcare institutions have vast threat surfaces that make them notoriously hard to secure. Hospitals, clinics, and other treatment centers adopt new technology regularly to provide the highest standard of care. Smart medical equipment and cloud-based services certainly help drive efficiency and better patient outcomes, but they also add new risks, especially if misconfigured, outdated, or otherwise unsecured.
Moreover, healthcare cybersecurity training happens infrequently, with 61% of practices reporting that there isn't enough time for training. Only 4% run cybersecurity training sessions weekly, and the largest share (over a quarter) run them sporadically. About 10% of practices don't run training sessions at all. Since staff are the first line of defense, inadequate training makes it harder for a practice to protect itself effectively.
Why should smaller practices be concerned?
It's easy to assume that a single-physician clinic lies below an attacker's radar. On the contrary, recent studies show that many cybersecurity incidents and data breaches involve small healthcare organizations.
This may be because smaller offices are the majority. According to the American Medical Association (AMA), 64% of physicians work in practices with fewer than 25 doctors on staff—and just over half of all physicians in the U.S. work in practices with fewer than 10 doctors.
Smaller clinics and rural hospitals often face the same cybersecurity risks as larger organizations but without similar funding for education, experts, or software.
Key cybersecurity risks to know about
With all this in mind, let's take a closer look at the top healthcare cyber risks and threats.
Ransomware
Ransomware is a type of malware that restricts access to files or systems until the victim pays ransom to the attacker.
These attacks may begin with a phishing email or with the exploitation of a vulnerability, such as an unpatched version of Microsoft Exchange Server, to gain initial access.
In the past, victims would receive a note demanding payment in exchange for their data back. Today, instead of limiting file access, attackers often make copies and threaten to publish them.
How common are ransomware attacks on healthcare providers?
Healthcare is the largest target of ransomware attacks across industries. Medical providers can't simply pause operations because attackers encrypt their files or systems. They need to resolve interruptions as quickly as possible, which may mean paying a ransom.
There has also been a recent rise in ransomware-as-a-service (RaaS), offering ready-made malicious software for a fee to potential cyber attackers who lack the technical expertise necessary to develop their own.
The ransomware group Hive used a RaaS model to target hospitals, school districts, financial firms, and vital infrastructure in over 80 countries, ultimately receiving over $100 million in ransom payments.
Social engineering attacks
Many threat actors will use social engineering to trick victims into giving away sensitive information (such as login credentials) or downloading malicious files that compromise their system. Social engineering attacks may include phishing, business email compromise, whaling, and more.
You, your employees, or even patients may start receiving illegitimate emails. The attacker may pose as someone else (often a trusted individual) and ask the recipient to:
- Send patient data, research, or other sensitive files
- Open malicious hyperlinks or attachments
- Share credentials to healthcare databases or portals
Cybercriminals will often research their targets before launching their attack. If you have a website or social media account, attackers will probe those to see what insights they can collect to make their attack more legitimate.
Are there any email addresses to target from the website? Is your clinic or organization sharing anything on social media that may be useful to include in the attack?
How common is social engineering?
Social engineering is one of the most popular cyberattack techniques because of its effectiveness. When it comes to cybersecurity, employees are often the weakest link.
The Department of Health and Human Services cybersecurity department recently released a brief on Tehran-backed threat actor Tortoiseshell, which was employing social engineering to target healthcare firms and defense industries. They used a variety of methods, including watering hole attacks—compromising real websites relevant to their targets and adding new pages that host their malware, disguised as harmless form downloads.
The group also created realistic fake online personas across multiple social media platforms so they could learn about their targets and contact them directly. One common method was to make fake LinkedIn accounts and lure targets in by offering a job in their field.
Unpatched or misconfigured systems
The FBI released a Private Industry Notification in 2022 that discussed the growing number of vulnerabilities posed by unpatched medical devices, citing a study that found 53% of connected medical devices in hospitals had known critical vulnerabilities.
Medical device hardware is often active for 10 to 30 years, but the software life cycles may differ, depending on the manufacturer's specifications. Legacy medical devices that have stopped receiving patches or updates are vulnerable to cyberattacks.
Cybercriminals may look for outdated, unpatched, or misconfigured systems that connect to the internet, including computers, specialized medical equipment, software, cloud services, and more. Vulnerable infrastructure may give hackers a back door into your IT environment.
What is the risk with vulnerable infrastructure?
Vulnerable infrastructure is a broad term that can refer to unpatched or out-of-date software and hardware. Security vulnerabilities can give cybercriminals a way to access your systems, allowing them to stage further attacks or otherwise compromise your IT operations.
Developers regularly release software updates to fix performance issues or add functionality, and they supply separate patches for specific security vulnerabilities they've found. Applying these patches promptly is vital for closing known security gaps.
Misconfigured systems pose similar risks. New hardware and software must be installed and integrated carefully so they don't weaken your organization's security. Incorrect access permissions and weak passwords, for example, may leave your infrastructure more exposed to attack.
But what happens when developers stop supporting software altogether? This leads to outdated "legacy" systems, which, according to the 2023 Harmony Healthcare IT Survey, are extremely common in the healthcare industry. Of the 31 U.S.-based Chief Information Officers who responded, 94% said their organization currently uses legacy systems.
Over half of the respondents admitted legacy applications add to their costs and IT labor burden, but replacing older systems is time-consuming and resource-intensive for organizations of any size.
Organized cybercrime groups
Nation-state attacks launched by foreign governments and state-sponsored attacks involving affiliated cybercriminal groups are two major risks to the healthcare industry. These threat actors use many of the same attack tactics—such as ransomware and phishing—as less sophisticated hackers but with more technical capability, funding, and force.
Why do nation-state groups target healthcare?
Healthcare providers may be particularly vulnerable if they have information (such as groundbreaking medical data or research) that helps an attacker's mandate or gives them a competitive edge. Unlike amateur hackers, these groups can be very skilled and persistent.
The HHS named two state-sponsored groups in its June 2023 report on cybersecurity threats in the health sector:
- Silent Chollima: North Korea reportedly sponsors Silent Chollima, a subgroup of the notorious Lazarus group, which was responsible for the 2022 Maui ransomware attacks that encrypted healthcare servers hosting electronic health records, imaging, and diagnostics services.
- Wicked Panda: HHS has seen the Chinese state-sponsored hacking group Wicked Panda, active since 2007, using spear phishing, watering holes, and supply chain attacks. HHS also notes the group is responsible for an attack that exploited a web-based health application, USAHERDS, and compromised at least six U.S. state governments.
The consequences of a compromise
Cyberattacks aren't cheap. Costs add up quickly following the initial investigation, lost business from system downtime, replacing or fixing impacted systems, ransom payments, and more.
IBM's Cost of a Data Breach Report noted that healthcare had the highest average data breach cost of all industries for 13 years in a row, with a rise of 53.3% (over $3 million) since 2020. An Illinois medical practice even had to shut its doors for good after a ransomware attack.
But direct revenue losses are only one piece of the puzzle. In a recent survey, 90% of patients said healthcare providers who don't invest in data security are less reliable than ones who do, and 43% said they are switching to providers with a stronger focus on data privacy protection.
Patient expectations are higher than ever—they trust your organization will keep their data secure. A data breach can cause significant reputation damage and affect your bottom line for years after the initial incident.
In some locations, data breach victims can even take legal action. California-based Regal Medical Group is facing multiple class-action lawsuits following one of the biggest healthcare breaches ever, compromising the data of up to 3.3 million patients.
One lawsuit claims that the healthcare organization allowed almost a week of free access to its servers before detecting the data breach despite noticing employees having difficulty logging in when the attack was underway.
Cyberattacks on the healthcare industry affect not just the target organization but also the patients it serves. That's why the sector faces far more stringent cybersecurity regulations than many others, including the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA).
Protecting your healthcare organization
Understanding cyber risks is a great first step toward better cybersecurity. But it's not easy to keep up with a constantly changing threat landscape, especially at a time of significant backlogs and extensive under-resourcing.
Download The Cybersecurity Handbook for Healthcare, a simplified eBook that will save you time figuring out where to start strengthening your defense. Get your copy of the guide to learn more about:
- Who’s targeting you, how they’ll attack, and what they want
- The major consequences of experiencing a security incident
- Best practices proven to strengthen your defense