By Ethan Popowitz
Healthcare providers generate a lot of data. In 2018, about 30% of the world’s data volume was generated by the healthcare industry. By 2025, RBC Capital Markets estimates that the amount of data the healthcare industry generates will balloon to 36% and will continue to grow at a rate significantly faster than entertainment media, financial services, and manufacturing.
It’s easy to see why healthcare providers create so much data. Between remote patient monitoring devices, medical claims, patient portals, electronic health records (EHRs), and good old-fashioned administrative record-keeping, the average patient generates 80 megabytes of data each year. And this doesn’t account for services like MRIs, which could occupy upwards of 200 gigabytes of data for a single screening.
While healthcare organizations rely on these technologies and data to function day-to-day, the treasure troves of 0’s and 1’s they store are attractive targets for hackers and cybercriminals. In fact, more than 52 million people had their protected health information (PHI) exposed in more than 700 data breaches throughout 2022.
So how do hackers plunder healthcare organizations for their valuable data? In this blog, we’ll cover the common threats and risks healthcare providers are vulnerable to. By understanding the tactics these digital ne’er-do-wells use, you can better defend your organization from an attack.
What are the common cybersecurity risks healthcare companies face?
Healthcare companies face a range of cybersecurity risks that can compromise patient data and cause significant harm. Some of the most common cybersecurity risks of healthcare companies include:
- Legacy systems
- Insider leaks & employee errors
- Third-party risks
A phishing attack is one of the most common methods hackers use to exploit vulnerabilities in a healthcare organization. In these attacks, hackers manipulate and deceive their targets into providing their usernames, passwords, or medical data. Anthem Inc., a health insurance provider in the U.S., was the victim of one of the largest phishing attacks in history. Malware downloaded from a phishing email exposed the PHI of about 78.8 million health plan members.
One of the primary objectives of a phishing attack is to obtain access to PHI. According to The HIPAA Journal, PHI is a valuable commodity that can be used to create false identities, commit insurance fraud, and receive free medical treatment, among other illegal activities.
We dig deeper into why patients’ PHI is so valuable—and how providers can more securely handle patient records—in episode 20 of the Definitively Speaking podcast: Decoding PHI security with David Ting from Tausight.
Phishing can often be tough to defend against, as hackers use social engineering techniques to appear as legitimate as possible. The FTC and other organizations encourage healthcare providers to train their employees to recognize phishing scams and develop best practices against suspicious emails.
Another primary objective of a phishing attack is to deliver ransomware, a type of malicious software that encrypts a computer’s files or restricts a user’s access to it until a ransom is paid to unlock it.
Ransomware is so effective because getting locked out of your computer or specific files instills fear and panic in its victims. This can have serious—if not dangerous—consequences for healthcare providers and their patients. A survey from The Herjavec Group, a global cybersecurity firm, reported that nearly 70% of healthcare organizations experienced longer hospital stays and delays in procedures due to ransomware attacks between 2021 and 2022. Another study found that ransomware attacks caused surveyed hospitals to divert ambulances, cancel care, and experience downtime in electronic systems.
And ransoms can be costly, too. In 2020, U.S. healthcare organizations paid an estimated $21 billion, although the true amount could be much higher, as many organizations do not publicly disclose the ransom amounts.
The Cybersecurity & Infrastructure Security Agency (CISA) suggests healthcare organizations back up the data on their network on a regular basis, either on a separate cloud server or offline if possible. You can review CISA’s tips for more tactics and defense measures against ransomware.
In an industry as innovative and transformative as medicine, it’s odd that so many healthcare providers rely on software and technologies that are old, obsolete, unsupported, or non-compliant with current security standards. These computer systems, programs, and technologies are known as legacy systems and, according to HealthTech Magazine, are ‘a cybersecurity nightmare.’
Legacy systems pose a security risk for a simple reason: a lack of support from the manufacturer often means a lack of security patches. As a result, devices running legacy software make easy targets for hackers, which could pave the way for phishing attacks, ransomware, or viruses.
According to a 2021 report by Kaspersky, 73% of healthcare providers surveyed use a legacy operating system (like Windows XP, which hasn’t been supported since 2014!). The research found that high upgrade or maintenance costs, compatibility issues with other systems or equipment, and a lack of internal knowledge on how to transition to a current operating system were chief among the reasons why so many organizations use a legacy OS.
Not all legacy systems can be maintained at a functioning level forever. When a healthcare provider decides it’s time to transition to a more modern system, Gartner suggests doing the following:
- Identify which system components, applications, and devices no longer meet current standards for doing business or providing care, with consideration to cost and functionality.
- Evaluate whether migrating to a new system or modernizing your current system is the right path. Healthcare providers should also consider whether they should use traditional, in-house IT infrastructure, cloud security, or a hybrid of the two.
- Choose the option that will offer the least disruption to care delivery and the most benefit to administrative functionality and scalability.
Insider leaks & employee errors
Insider threats are a significant risk for healthcare companies, as employees may have access to sensitive patient data and may intentionally or accidentally compromise data security. Insider threats can include employees falling victim to phishing attacks, stealing data for personal gain, or accidentally exposing data to the public.
The U.S. Department of Health and Human Services (HHS) warns healthcare organizations of three types of insider threats, all with different goals. They are:
Careless or negligent workers: While most companies invest more money in defending against attacks from insiders with malicious intent, acts of negligence are more common. About 61% of data breaches in 2020 involving an insider were caused by a careless or negligent worker.
Malicious insiders: Workers who have a grievance against their company and choose to act on it are malicious insiders. HHS recommends healthcare providers regularly back up their data and limit privileged access to sensitive data to safeguard against these individuals.
Inside agents: This type of insider works on behalf of an external group to carry out a data breach or otherwise compromise an organization’s network.
Healthcare companies often work with third-party vendors, such as cloud providers and software vendors, which can increase their exposure to cybersecurity risks.
The vulnerabilities of cloud-based data storage and security systems are particularly concerning. The Emergency Care Research Institute (ECRI) named them one of its top 10 health technology hazards for 2023. In its brief, ECRI explains how the responsibility for ensuring PHI and other sensitive data are secure rests in the hands of the cloud company. These third-party vendors may have their own vulnerabilities or may not have adequate security measures in place to protect patient data. Unfortunately, the liability (and the consequences) for any data breach remains with the healthcare organization.
As with any third-party vendor, it’s wise for a healthcare provider to carefully evaluate how a cloud provider does business. Ask questions about how the company protects the functionality of its service and the confidentiality of patient data.
Despite these concerns, cloud technology can benefit healthcare providers greatly. Cloud providers can help healthcare organizations scale their operations, improve interoperability between systems, streamline record keeping, and help the company adapt to a data-driven decision-making approach.
In order to protect PHI and reduce cybersecurity risks, healthcare companies need to implement robust cybersecurity measures and train their employees against the threat of hackers or those with malicious intent.
Looking for more? Dive into the data in our healthcare insights to see exactly what information gets exposed in a breach, and how many healthcare providers are impacted each year. Or, start a free trial to see how our healthcare commercial intelligence can help you grow your business faster.