Warning! Hackers are out for your data!

By Ethan Popowitz

Healthcare providers generate a lot of data. In 2018, about 30% of the world’s data volume was generated by the healthcare industry, according to RBC Capital Markets. Today, the organization estimates that the figure will balloon to 36% and expects the rate of healthcare- generated data to grow significantly faster than entertainment media, financial services, and manufacturing.

It’s easy to see why providers create so much data. Between remote patient monitoring devices, medical claims, patient portals, electronic health records (EHRs), and good old-fashioned administrative record-keeping, the average patient generates 80 megabytes of data each year. And this doesn’t account for services like MRIs, which could occupy upwards of 200 gigabytes of data for a single screening.

While healthcare organizations rely on these technologies and data to function day-to-day, the treasure troves of 0’s and 1’s they store are attractive targets for hackers and cybercriminals. In fact, more than 116 million were impacted by data breaches in 2023 and had their protected health information (PHI) exposed—more than double over the previous year.

So how do hackers plunder healthcare providers for their valuable data? In this blog, we’ll cover the common threats and risks providers are vulnerable to. By understanding the tactics these digital ne’er-do-wells use, you can better defend your organization from an attack.

What are the largest cybersecurity risks to healthcare organizations?

Healthcare providers face a range of cybersecurity risks that can compromise patient data and cause significant harm. Some of the most common risks are:

1. Phishing
2. Ransomware
3. Legacy systems
4. Insider leaks & employee errors
5. Third-party vulnerabilities

Phishing

A phishing attack is one of the most common methods hackers use to exploit vulnerabilities in a healthcare organization. In these attacks, hackers manipulate and deceive their targets into providing their usernames, passwords, or medical data. Anthem Inc., a health insurance provider in the U.S., was the victim of one of the largest phishing attacks in history. Malware downloaded from a phishing email exposed the PHI of about 78.8 million health plan members.

One of the primary objectives of a phishing attack is to obtain access to PHI. According to The HIPAA Journal, PHI is a valuable commodity, able to be used to create false identities, commit insurance fraud, and receive free medical treatment, among other illegal activities.

We dig deeper into why patients’ PHI is so valuable—and how providers can more securely handle patient records—in episode 20 of the Definitively Speaking podcast: Decoding PHI security with David Ting from Tausight.

Phishing can often be tough to defend against, as hackers use social engineering techniques to appear as legitimate as possible. The FTC and other organizations encourage healthcare providers to train their employees to recognize phishing scams and develop best practices against suspicious emails.

Ransomware

Another primary objective of a phishing attack is to deliver ransomware, a type of malicious software that encrypts a computer’s files or restricts a user’s access to it until a ransom is paid to unlock it.

Ransomware is so effective because getting locked out of your computer or specific files instills fear and panic in its victims. This can have serious—if not dangerous—consequences for healthcare providers.

One report found that patient volumes fall by 20% and revenue decreases by upwards of 40% during the first week a hospital is hit by a ransomware attack. Patients may also be at risk as, without access to vital information, the care team may be “in the dark” as they make diagnoses or decide to delay treatments. Another study found that ransomware attacks caused surveyed hospitals to divert ambulances, cancel care, and experience downtimes in electronic systems.

And ransoms can be costly, too. Comparitech, a research firm that analyzes the financial impact of ransomware attacks on healthcare organizations, found that hospitals paid more than $20 million in ransom in 2023. However, the cost may be higher as many facilities do not disclose the size of their payments.

The Cybersecurity & Infrastructure Security Agency (CISA) suggests healthcare organizations back up the data on their network on a regular basis, either on a separate cloud server or offline if possible. You can review CISA’s tips for more tactics and defense measures against ransomware.

Legacy systems

In an industry as innovative and transformative as medicine, it’s odd that so many healthcare providers rely on software and technologies that are old, obsolete, unsupported, or non-compliant with current security standards. These computer systems, programs, and technologies are known as legacy systems and, according to experts, are ‘a cybersecurity nightmare.’

Legacy systems pose a security risk for a simple reason: a lack of support from the manufacturer often means a lack of security patches. As a result, devices running legacy software make for easy targets for hackers, which could pave the way for phishing attacks, ransomware, or viruses.

In a 2022 report by HIMSS, 73% of healthcare providers surveyed use a legacy operating system (like Windows XP, which hasn’t been supported since 2014!). The research found that high upgrade or maintenance costs, compatibility issues with other systems or equipment, or a lack of internal knowledge on how to transition to a current operating system were why so many organizations use a legacy OS.

Not all legacy systems can be maintained at a functioning level forever. When a healthcare provider decides it’s time to transition to a more modern system, Gartner suggests doing the following:

1. Identify which system components, applications, and devices no longer meet current standards for doing business or providing care, with consideration to cost and functionality.
2. Evaluate whether migrating to a new system or modernizing your current system is the right path. Healthcare providers should also consider whether they should use traditional, in-house IT infrastructure, cloud security, or a hybrid of the two.
3. Choose the option that will offer the least disruption to care delivery and the most benefit to administrative functionality and scalability.

Insider leaks & employee errors

Insider threats are a significant risk for healthcare companies, as employees may have access to sensitive patient data and may intentionally or accidentally compromise data security. Insider threats can include employees falling victim to phishing attacks, stealing data for personal gain, or accidentally exposing data to the public.

The U.S. Department of Health and Human Services (HHS) warns healthcare organizations of three types of insider threats, all with different goals. They are:

1. Careless or negligent workers: While most companies invest more money in defending against attacks from insiders with malicious intent, acts of negligence are more common. In 2023, employee error resulted in more than 8 million health records being leaked.
2. Malicious insiders: Workers with a grievance against their company and choose to act on it are malicious insiders. HHS recommends healthcare providers regularly back up their data and limit privileged access to sensitive data to safeguard against these individuals.
3. Inside agents: This type of insider works on behalf of an external group to carry out a data breach or otherwise compromise an organization’s network.

Third-party vulnerabilities

Healthcare companies often work with third-party vendors, such as cloud providers and software vendors, which can increase their exposure to cybersecurity risks.

The vulnerabilities of cloud-based data storage and security systems are particularly concerning. The Emergency Care Research Institute (ECRI) named it one of their top 10 health technology hazards for 2023. In their brief, ECRI explains how the responsibility for ensuring PHI and other sensitive data are secure rests in the hands of the cloud company. These third-party vendors may have their own vulnerabilities or may not have adequate security measures in place to protect patient data. Unfortunately, the liability (and the consequences) for any data breach remains with the healthcare organization.

Like any third-party vendor, it’s wise for any healthcare provider to carefully evaluate how a cloud provider does its business. Ask questions about how the company protects the functionality of its service and the confidentiality of patient data.

Despite these concerns, cloud technology can benefit healthcare providers greatly. Cloud providers can help healthcare organizations scale their operations, improve interoperability between systems, streamline record keeping, and help the company adapt to a data-driven decision-making approach.

Learn more

To protect PHI, reduce cybersecurity risks, and stay on top of the latest data privacy trends, healthcare companies need to implement robust cybersecurity measures and train their employees against the threat of hackers or those with malicious intent.

Looking for more? Dive into the data in our healthcare insights to see exactly what information gets exposed in a breach and how many healthcare providers are impacted each year. Or, start a free trial to see how our healthcare commercial intelligence can help you grow your business faster.