In recent years, the healthcare sector has become an increasingly frequent target for cyberattacks. According to the U.S. Department of Health and Human Services (HHS), large breaches reported to the HHS Office for Civil Rights (OCR) rose 93% between 2018 and 2022, from 369 to 712, and reported ransomware attacks rose 278% over the same period. These attacks disrupt hospital operations, forcing patients to be diverted to other facilities and procedures to be delayed, which puts patient safety at direct risk.
But why is healthcare so vulnerable to these attacks? And what can healthcare organizations do to mitigate the risks and strengthen their cybersecurity posture?
Why Healthcare Is a Prime Target for Cybercriminals
Healthcare organizations hold some of the most valuable and sensitive data available, making them prime targets for cybercriminals, hackers, and even nation-state actors. The types of data targeted include:
- Protected Health Information (PHI): Personal health records that contain a patient’s medical history, diagnoses, treatments, and more.
- Financial Information: Credit card details, bank account numbers, and payment histories.
- Personally Identifiable Information (PII): Information such as Social Security numbers, addresses, and other personal details.
- Intellectual Property: Proprietary research and medical innovations, often worth millions in the pharmaceutical and medical technology sectors.
This combination of high-value data makes healthcare organizations an attractive target. Industry estimates commonly cite a stolen health record as selling for up to 10 times the price of a stolen credit card number on dark web markets. The reason is durability: a card number can be cancelled and reissued, while a medical history, Social Security number, and date of birth cannot, so a record stays useful for identity theft and insurance fraud for years. These high stakes mean that healthcare institutions are under constant pressure from cybercriminals looking to exploit vulnerabilities for financial gain.
The Cost of a Breach: A Major Financial Burden
In addition to the risks to patient safety, cyber incidents are costly. According to industry reports, the average cost of a healthcare data breach is significantly higher than in other industries: about $408 per compromised health record, compared to $148 per record across all sectors. This gap reflects the complexity of healthcare environments (clinical systems, medical devices, and third-party vendors that all handle PHI) and the financial, operational, and reputational damage that follows a breach.
Why HIPAA Compliance Alone Isn’t Enough
HIPAA's Security Rule sets a baseline of administrative, physical, and technical safeguards for patient data, but it is deliberately technology-neutral and leaves most specific control decisions to each organization's own risk analysis. Meeting that baseline is a compliance floor, not a security program, and it does not by itself protect healthcare organizations from today's ransomware and credential-theft campaigns. Experts therefore recommend building on HIPAA with more prescriptive frameworks.
Two such frameworks are:
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): Widely regarded as a leading cybersecurity standard, the CSF organizes an organization's risk management and security practices into a small set of core functions (Govern, Identify, Protect, Detect, Respond, and Recover in version 2.0) and provides outcome-based guidance under each.
- The HITRUST Common Security Framework (HITRUST CSF): A framework tailored to healthcare, HITRUST harmonizes multiple standards and regulations, including NIST, ISO 27001, and HIPAA, into a single set of risk-based controls, and offers a formal certification program assessed by authorized external assessors.
At the federal level, discussions are already underway about updating the HIPAA Security Rule to address evolving cybersecurity challenges, with new rules expected later this year. Additionally, states like New York have begun imposing stricter cybersecurity requirements on hospitals through the state Department of Health, such as mandating the appointment of a Chief Information Security Officer (CISO), requiring multi-factor authentication (MFA) for remote access, and setting incident reporting deadlines.
Steps to Strengthen Healthcare Cybersecurity
To safeguard your healthcare organization against the growing threat of cyberattacks, consider the following actionable steps:
- Adopt Rigorous Cybersecurity Standards: Ensure your organization follows a current cybersecurity framework, such as the NIST CSF or HITRUST CSF, in addition to HIPAA. These frameworks provide concrete, prioritized guidance on protecting sensitive health data rather than the general safeguards HIPAA requires.
- Conduct Regular Cybersecurity Audits: Engage third-party experts to perform risk assessments, penetration tests, and cybersecurity audits. Independent testing uncovers vulnerabilities and gaps that internal teams have learned to live with, so they can be fixed before an attacker finds them.
- Train Employees Continuously: Ongoing training is essential against the most common initial access vectors, phishing and credential theft that lead to ransomware. Regular training, including simulated phishing, ensures employees can recognize and report suspicious emails and activity.
- Implement Patch Management: Keep systems up to date with the latest security patches, and prioritize by exploitation rather than by raw severity score. The Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog lists CVEs with confirmed in-the-wild exploitation, each with a remediation due date and a flag for use in known ransomware campaigns, which makes it a practical first filter for what to patch this week.
- Adopt Multi-Factor Authentication (MFA): MFA requires a second proof of identity beyond a password, so a stolen or phished credential alone is not enough to log in. Enforce it first on remote access, email, and privileged accounts, and prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) over SMS codes and push notifications, which can be defeated by real-time phishing and push fatigue.
- Plan for Incident Response: Have a clear, written incident response plan and rehearse it with tabletop exercises. In the event of a cyberattack, a prepared team can isolate affected systems quickly, restore from backups that have actually been tested, and protect patient data while clinical operations continue on downtime procedures.
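The KEV-driven prioritization described in the patch management step can be automated against a vulnerability scanner export. The script below is an added example, not code from the original page or from CISA; it assumes an asset inventory that already maps hosts to CVE IDs, and runs offline against a constructed excerpt of the KEV feed (the field names match the real feed's JSON; the CVE IDs are well-known catalog entries, but the dates and flags are illustrative values for this demo). The feed URL is the real one, kept only as a constant so the example does not need network access.

```python
"""Prioritise patching with CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example (not from the original page). Assumes an inventory of
(host, CVE) findings, e.g. exported from a vulnerability scanner.
"""
import json
from datetime import date

# Real feed location. Not fetched here so the example runs offline; in
# production, download this daily and pass its text to load_kev().
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV feed's shape. Field names are the feed's own;
# the dates and ransomware flags below are illustrative, not copied from the
# live catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-0708", "vendorProject": "Microsoft", "product": "RDP",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22965", "vendorProject": "VMware", "product": "Spring Framework",
         "dateAdded": "2022-04-04", "dueDate": "2022-04-25",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti", "product": "Connect Secure",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-22",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed scanner findings for hypothetical hospital hosts.
SAMPLE_INVENTORY = [
    {"host": "ehr-app-02", "cve": "CVE-2022-22965"},   # in KEV, overdue, no ransomware flag
    {"host": "pacs-gw-01", "cve": "CVE-2022-0778"},    # not in the KEV excerpt
    {"host": "ehr-app-01", "cve": "CVE-2021-44228"},   # in KEV, overdue, ransomware
    {"host": "vpn-gw-01", "cve": "CVE-2023-46805"},    # in KEV, not yet due on SAMPLE_TODAY
    {"host": "rdp-jump-01", "cve": "CVE-2019-0708"},   # in KEV, overdue, ransomware
]
SAMPLE_TODAY = date(2024, 1, 15)  # fixed "today" so the demo is deterministic


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID so each inventory lookup is a dict hit."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def classify(finding: dict, kev: dict, today: date) -> dict:
    """Attach a priority tier to one finding.

    Tier 1: in KEV and tied to known ransomware campaigns.
    Tier 2: in KEV (exploitation confirmed in the wild).
    Tier 3: not in KEV; handle in the normal patch cycle.
    """
    entry = kev.get(finding["cve"])
    if entry is None:
        return {**finding, "tier": 3, "in_kev": False, "overdue": False, "due": None}
    due = date.fromisoformat(entry["dueDate"])
    tier = 1 if entry.get("knownRansomwareCampaignUse") == "Known" else 2
    return {**finding, "tier": tier, "in_kev": True, "overdue": due < today,
            "due": due, "action": entry["requiredAction"]}


def prioritize(inventory: list, kev: dict, today: date) -> list:
    """Sort findings: lowest tier first, overdue before not-yet-due,
    then earliest KEV due date, then host name for a stable order."""
    classified = [classify(f, kev, today) for f in inventory]
    return sorted(classified,
                  key=lambda f: (f["tier"], not f["overdue"], f["due"] or date.max, f["host"]))


def prioritize_sample() -> list:
    """Run the pipeline over the constructed data above."""
    return prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), SAMPLE_TODAY)


if __name__ == "__main__":
    for f in prioritize_sample():
        status = "OVERDUE" if f["overdue"] else ("due %s" % f["due"] if f["due"] else "no KEV date")
        print(f"P{f['tier']}  {f['host']:<12} {f['cve']:<16} {status}")
```

In the sample run the two ransomware-linked Log4Shell and BlueKeep findings come out first, the overdue Spring entry next, the Ivanti entry after it because its KEV due date has not passed yet, and the non-KEV finding last. The tiers are deliberately coarse: KEV membership is a signal that exploitation is already happening, not a replacement for asset criticality, so a real workflow would add a column for whether the host carries PHI or supports clinical care before handing the list to the patching team.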
Conclusion
The threat of cyberattacks in healthcare will continue to persist. As the digital landscape continues to evolve, so do the tactics of cybercriminals. It is crucial for healthcare organizations to take proactive steps to strengthen their cybersecurity posture and protect patient data from compromise. Following industry best practices, adopting comprehensive cybersecurity frameworks, and investing in the right tools and expertise can make all the difference in mitigating risks and ensuring patient safety.