The surge of cyberattacks on the healthcare industry shows no signs of slowing down. For example, in March 2023, 63 data breaches of 500+ healthcare records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
This is an almost 47% increase from February, nearly 7% more than the 12-month average, and a 40% increase from March 2022.
Although not all cyberattack types are increasing, many are becoming more successful within the healthcare industry, particularly ransomware and attacks targeting sensitive data. Unfortunately, almost all institutions are at risk of attack, from large hospitals to private practices. In the face of these threats, the healthcare industry must stay informed about the cyber risks that could impact them to ensure they’re protected.
Here are the top five healthcare cybersecurity concerns to be aware of this year and beyond.
1. The high value of health records
Protected health information (PHI) records and data are high-reward targets for cyber attackers. They're valuable to healthcare institutions and patients—making them easy to hold for ransom—and also sell for a steep price on the dark web. A single PHI record can sell for up to $250 on average, though many have been reported to sell for $1,000 each. Considering the average practice has over 10,000 PHI records, just one breach could equal big money for a cybercriminal.
Healthcare organizations also hold a wide variety of personally identifiable information (PII) for their patients, including full names, addresses, social security numbers, financial details, and more. According to a 2022 report, stolen financial information, such as credit card details, sells for up to $120 on average on the dark web. Additionally, hackers could use personal data to commit identity theft or insurance fraud, further harming patients and their families.
The Cybersecurity Handbook for Healthcare
Learn what our experts say about cybersecurity in the healthcare industry, including top tips to protect your practice.
Download the eBook
According to Verizon's 2023 Data Breach Investigations Report (DBIR), personal data like PII made up 67% of compromised data in the healthcare industry in the past year. Meanwhile, medical data comprised another 54% of stolen data, and credentials—often used to breach the system further or access other information, including financial details—comprised 36%.
Intellectual property and state-sponsored attacks
Personal and medical records aren’t the only data attracting attackers to the healthcare industry. Research hospitals often hold intellectual property (IP) that could be extremely useful for a criminal looking to stage a ransomware attack. Once encrypted, hackers use this data as leverage to extort a high ransom payout from a victim organization.
State-sponsored hackers—cybercriminals backed by foreign governments—also value IP highly. According to the DBIR, espionage comprised 2% of attackers' motivations in the past year. State-sponsored attacks on the healthcare industry can serve various purposes, including:
- Financial gain
- Public influence
- Access to private information
- Access to critical systems
- Access to compromised systems for future attacks
Timeline of healthcare cyberattacks
Cyberattacks and data breaches within the healthcare industry have always been somewhat frequent, but they steadily increased amid the COVID-19 pandemic. This was mainly due to healthcare organizations being, reasonably, distracted by the virus response and industry shifts, which stole focus from cybersecurity.
According to a 2021 study, the following challenges contributed to successful attacks amid the pandemic response:
- Decreased security awareness
- Uncoordinated incident responses
- Insecure remote work environments
- Relocated funds for cybersecurity
- Insufficient endpoint device management
According to Verizon's report, confirmed data breaches have stayed steadily frequent each year since 2020 and now comprise 24% of all breach types. In other words, these incidents likely won't decrease to their pre-pandemic rates and will remain an ongoing threat to healthcare organizations.
Many of today's breaches are even more devastating when paired with ransomware, which has peaked in frequency amid increased healthcare attacks.
2. Ransomware is increasingly common
Verizon's 2023 DBIR highlighted the most significant risks facing key industries, with ransomware being one of the most consistent threats. Ransomware incidents in the healthcare industry peaked in 2021, although successful breaches have become increasingly common every year since.
In healthcare, attackers usually target PHI, PII, and systems crucial to services. In doing so, they give healthcare organizations two core choices: Take the time to regain access yourself (for example, by using a decryption tool) or pay the ransom. Due to the nature of the job and the complexity of mitigating attacks, many choose to pay the ransom.
In a recent example, the ransomware group LockBit encrypted vital information from Toronto’s Hospital for Sick Children. Interestingly, the attacker later apologized for endangering the children’s hospital and offered to unencrypt the data.
Health risks impact ransomware and DDoS responses
Distributed denial of service (DDoS) attacks target systems and resources, making them unusable. In healthcare, DDoS attacks may target essential services like software containing patients' treatment information.
DDoS and ransomware attacks have contributed to mortality rates and otherwise impaired services at some organizations. Because any downtime could lead to a life-or-death situation, organizations are more inclined to meet demands and cooperate with hackers to protect patient health.
Ransomware's glass ceiling
Ransomware attacks drastically increased and then peaked in the past few years. According to Verizon, ransomware was present in less than 5% of cybersecurity incidents before 2020 but now comprises 24% of all breach types.
Unfortunately, the easiest response for ransomware victims is often to pay hackers what they want—which only encourages and funds further attacks.
While there are lulls and rises in their frequency, the number of ransomware attacks seems relatively consistent overall. The DBIR theorizes this is because ransomware is not applicable in all attacks. So, while ransomware plays a massive role in healthcare cybersecurity, it hopefully won't become more prevalent than it already is.
3. Increasing costs of cyberattacks
On average, a successful data breach costs a healthcare organization $10.1 million, more than any other industry. However, not all of these costs come from the attack response. Healthcare cybersecurity attacks also feature many indirect costs, such as reputation damage or extending patients' time in the hospital.
In 2021, California-based non-profit healthcare provider Scripps Health was hit with a ransomware attack that resulted in $113 million in costs in only three months. Of that total, only $20 million was spent on incident response and recovery—the other $90+ million came from lost revenue.
Responding to cyberattacks
Even on their own, recovery costs can be overwhelming. With ransomware involving life-threatening cases, healthcare organizations often have no choice but to pay the hackers' prices, however high they may be.
Following cyberattacks, organizations will also have to repair or replace any affected IT infrastructure. They made need to hire internal or external cybersecurity and IT technicians to further secure servers.
All of these recovery layers prove extremely challenging for smaller practices that don’t have access to the same resources as larger organizations. Regardless of their size, victim organizations must pay steep costs depending on the type of attack:
- $250 and $985,000 for business email compromise (BEC)
- $148 and $1,600,000 for a data breach
- $70 and $1,200,000 for a ransomware attack
The indirect costs of healthcare cybersecurity breaches
Consider a hospital unit that has had a series of files containing essential client information breached and encrypted. They can pay the ransom, but arranging the funds can take days. In the meantime, evaluations will have to be reperformed and rewritten, staff may have to log extra hours to offer their usual level of care, and some patients may have treatment paused and need to stay longer.
When these variables add up, plus others unmentioned, it can have serious financial repercussions.
4. Lack of preparedness a major risk
Because they manage such a variety of confidential data, healthcare organizations must adhere to numerous cybersecurity privacy regulations and standards. Being unprepared contributes heavily to successful breaches, putting organizations at risk of further attacks and legal actions.
To stay ahead of bad actors, healthcare institutions should go above applicable regulations by training all staff about cyber threats.
Healthcare organizations face heavy regulations
Some of the more common regulations affecting the healthcare sector include:
These regulations protect individual privacy, regulating how PPI and PII can be stored and stressing the importance of protecting patients' information. A data breach or an organization failing to meet these regulations could lead to regulatory enforcement or legal action.
In the United Kingdom, healthcare institutions are subject to a national process that evaluates their cyber readiness, offering support and resources to get them up to speed and improve their resiliency. Organizations not keeping pace with national standards could face penalties and legal consequences.
Internal activities contributed to 35% of breaches
According to Verizon's 2023 DBIR highlighting healthcare, over one-third of successful breaches featured internal actors—individuals within the organization that contributed to the incident. Often these internal activities are mistakes, with errors a top cause behind breaches.
Internal errors in healthcare cybersecurity range from an employee accidentally posting their password somewhere online to a patient's file being stored on an insecure server. Because it's a fast-paced industry, many healthcare employees in these situations make the mistake of following instructions, especially if the attacker stresses a sense of urgency.
5. Reputational damages and legal risks
Many healthcare organizations remain reluctant to openly disclose news of an incident or attack despite regulations to do so. It’s understandable—no matter how diligent your defenses are, an attack can severely damage your reputation, impair trust, and lead to legal consequences if patient data is compromised.
Reputation and patient trust
Even the most careful and dedicated organizations face skeptical clients following a hack. This could cause valuable patients to search for other private clinics and practices for their needs. Affected organizations may also find attracting new clients challenging.
Patients' concerns about safety are valid, considering many attacks target patients' health, such as the malware that blocks radiation treatment. Unfortunately, these incidents show that cyberattacks are more than an IT concern.
Legal consequences
On top of the significant financial losses described earlier, Scripps Health also faced several class-action lawsuits citing “negligence in safeguarding” patient medical records. When the company eventually settled on one case, they agreed to pay $3.5 million to affected patients.
These suits are simply the latest in a string of patient data breach lawsuits. New cases of healthcare cyberattacks and ensuing lawsuits seem to pop up every week, such as the HCA Healthcare lawsuit for a data breach involving 11 million patients.
How to improve your cybersecurity
It’s more important than ever that healthcare institutions take a proactive approach to cybersecurity, actively working to find and eliminate potential cyber threats. With a view of your organization’s entire IT environment, you can better protect your patients, staff, and sensitive data.
But this is easier said than done—you need the right information and tools to understand and prioritize the cyber threats your organization faces.
The Cybersecurity Handbook for Healthcare is jam-packed with vital information for securing your organization. Get your copy to learn:
- Who’s targeting you, how they’ll attack, and what they want
- The major consequences of experiencing a security incident
- Best practices proven to strengthen your company's defense
