30.09.2021 The top five healthcare cyber security issues to watch this year 

by Ben Filipkowski

Cyber attacks on hospitals, clinics, and private practices surged amidst the COVID-19 pandemic, increasing the challenges facing the healthcare sector.  

The pandemic introduced new vulnerabilities and opportunities for attack as organizations adopted remote work policies out of concern for health and safety.  

Amid these ongoing threats, data from the Cybersecurity and Infrastructure Security Agency (CISA) showed that organizations hit by a ransomware attack experienced far greater strain on their healthcare systems, including worse patient outcomes and increased patient mortality. 

But even before the pandemic, IT professionals in healthcare were struggling to keep up with the growing volume of cyber attacks: 96% reported difficulty keeping pace with evolving threats, and 83% of US physicians had already experienced a cyber attack before the pandemic began.   

In the face of these threats, it’s critical for the healthcare industry to stay informed about the cyber risks that could impact them so they can ensure they’re protected.  

Here are the top five healthcare cyber security concerns to be aware of in 2022 and beyond. 

1. Health records are extremely valuable to hackers 

Private patient information and data sell for a steep price on the dark web. One report found that, on average, a single protected health information (PHI) record can sell for as much as $250, and considering the average practice holds over 10,000 such records, that means big money for a cyber criminal.  

But medical records aren’t the only prize for an attacker.  

Research hospitals often hold intellectual property (IP) that is highly valued by state-sponsored hackers, attackers backed by foreign governments. The same sensitive data is also useful to a criminal staging a ransomware attack: once it has been stolen and encrypted, the attackers can threaten to leak it, using it as leverage to extort a higher ransom payout from the victim organization. 

Healthcare organizations also hold a wide variety of personally identifiable information (PII) for their patients, including full names, addresses, Social Security numbers, financial details, and more. Attackers can use this data to commit identity theft or insurance fraud, causing serious harm to patients and their families.  

And because any downtime could lead to a life-or-death situation, healthcare organizations are more inclined than most to pay ransom demands and cooperate with attackers in an effort to protect patient health. 

2. Cyber attacks have devastating financial impacts 

Recently, California-based non-profit healthcare provider Scripps Health was hit with a ransomware attack. In the three months that followed, costs stemming from the attack already totaled $113 million. But only $20 million of that was spent on incident response and recovery — the vast majority of those costs, an estimated $90 million, came from lost revenue. 

Recovery costs alone may be overwhelming. Following a successful cyber attack, organizations need to repair or replace affected IT infrastructure so that attackers cannot exploit the same weaknesses again. This can prove extremely difficult for smaller practices that don't have access to the same resources as larger organizations.  

The expenses stemming from the Scripps Health attack may be shocking, but they’re nonetheless in line with industry trends. On average, healthcare data breaches cost organizations $9.42 million, regardless of size.  

A 2021 report found that 91% of security breaches in the sector are financially motivated. Victim organizations also pay steep and highly variable costs, depending on the type of attack: 

  • between $250 and $985,000 for business email compromise (BEC)  
  • between $148 and $1,600,000 for a data breach   
  • between $70 and $1,200,000 for a ransomware attack  

Put simply, a single security incident can have a significant effect on an organization.  

3. Healthcare organizations are heavily regulated 

Because they manage such a variety of confidential data, healthcare organizations must adhere to a number of cyber security and privacy regulations and controls. 

Some of the more common regulations affecting the healthcare sector include: 

These regulations work to protect individual privacy, and as such, a data breach could lead to regulatory enforcement or legal action.  

For example, in the United Kingdom, healthcare institutions are subject to a national process that evaluates their cyber readiness, offering support and resources to get them up to speed and improve their resiliency. Organizations that have not kept pace with national standards could face severe penalties and legal consequences. 

4. Cyber incidents can increase legal risk  

In addition to regulatory enforcement, healthcare organizations could face greater legal risk if patient data is compromised in a cyber attack.

On top of their already significant financial losses, Scripps Health is also facing several class-action lawsuits citing “negligence in safeguarding” patient medical records. One plaintiff is demanding the healthcare provider pay $1,000 per violation alongside additional punitive damages. 

These suits are simply the latest in a string of patient data breach lawsuits. In 2020 alone, there were 13 high-profile lawsuits filed against US-based healthcare organizations that allegedly mishandled sensitive patient data.  

5. A cyber attack inevitably leads to reputation damage 

Many healthcare organizations remain reluctant to openly disclose an incident or attack, despite regulations requiring them to do so. It's understandable: no matter how diligent your defence, an attack can severely damage your reputation. 

Even the most careful and dedicated organizations may face skeptical clients following a hack, and valuable patients may take their needs to other private clinics and practices. It also becomes harder for an affected practice to attract new clients.  

Unfortunately, cyber attacks continue to be seen as purely an IT concern, but given that a recent attack forced a patient's ambulance to divert to another clinic, it's clear that cyber security is a patient safety concern as well. 

These cyber threats can have major effects for healthcare organizations, no matter their size and experience. No medical provider flies under the radar of a hacker.  

How to improve cyber security and minimize risk 

It's more important than ever that these institutions take a proactive approach to their cyber security, actively working to find and eliminate potential cyber threats. With a view of your organization's entire IT environment, you can better protect your patients, staff, and sensitive data.  

But this is easier said than done — you need the right tools and skills to understand and prioritize the cyber threats you face.  

That’s where we come in. 

With Field Effect’s Covalence, you get a complete cyber security solution. Purpose-built for small and mid-size businesses, Covalence allows you to identify threats across your full infrastructure, plus gain a team of experts offering 24/7 support.   

Stay up to date on cyber security risks and tips, webinar invites, and more by signing up for our newsletter below.  


Edited by Jane Harwood.
