What Is Cybersecurity in Healthcare?

The healthcare industry’s rapid adoption of digital technologies is transforming care delivery, with Health IT enabling critical life-saving functions. However, digitalization has also made healthcare one of the most susceptible sectors to cyber attacks. Data breaches are known to cause significant financial and reputational losses and difficulty in regaining control over hospital systems, which is why healthcare organizations and providers must prioritize information safety. 

Cybersecurity in healthcare focuses on protecting sensitive electronic assets from unauthorized access, use, and disclosure. The overarching goals of cybersecurity are to ensure the confidentiality, integrity, and availability of information, which is known as the CIA triad. 

In today’s article, we would like to share some critical considerations regarding cybersecurity risks in healthcare and best practices for improving it across organizations. 

Why is cybersecurity more critical for healthcare?

Healthcare facilities, such as hospitals, urgent care centers, and physician offices, rely heavily on digital technology for clinical, diagnostic, and administrative tasks. It facilitates coherent and efficient operation of healthcare infrastructure, including communications, EHR systems, prescription and practice management, as well as a wide array of connected smart medical devices and computerized equipment like smart elevators, heating, HVAC, or power systems. Digital technologies encompass a huge selection of cloud services, software, and hardware, which can be targeted by cybercriminals. 

Hackers’ cyberattacks pose a grave and immediate threat to every aspect of care continuity. Healthcare data breaches are one of the most expensive types of information leaks, costing organizations an average of almost $11 million. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported 725 large security breaches in 2023, marking an unfortunate record. Already in March this year, 116 healthcare security incidents were registered, affecting over 13 million individuals in the United States. Reasons why healthcare IT systems are being attacked so frequently:

Personal Health Information (PHI) is one of the most lucrative items on the Dark Web

Health records can sell for anywhere between $250 to $1,000—significantly more than, for example, stolen credit card credentials. The reason for this is the wealth of personal data contained within PHI records. Unlike credit cards, personal health history cannot be changed (e.g., records of surgeries, ailments, or illnesses). Attackers can use it for identity theft, to target victims with frauds and scams, and for other malicious activities. With this in mind, having proper cybersecurity measures in place is an investment in patient safety.

Lack of adequate security control over medical devices and an extensive attack surface

Healthcare organizations face various challenges due to the use of connected medical devices (Internet of Medical Things, IoMT), personal endpoints in healthcare facilities (BYOD) that may lack endpoint security, and third parties having access to critical hospital assets and sensitive patient data. It is one of the biggest issues in healthcare systems that we will come back to in a while. Additionally, the increase in remote work and virtual doctor’s appointments (telehealth) has led to the rapid deployment of supporting IT infrastructure that is not always properly secured, thus creating more opportunities for attackers.

Data breaches result in material and financial losses

Healthcare organizations must comply with stringent privacy regulations like HIPAA, which impose serious fines for patient data disclosure. To minimize disruptive consequences, victims of cyberattacks are more “willing” to pay ransom to hackers to have their leaked data taken off the public side—a vulnerability often exploited by ransomware groups.

What are the biggest cybersecurity challenges and threats in healthcare?

In most cases, cyber threat actors take advantage of vulnerabilities that could have been identified and addressed earlier but were instead found and exploited by hackers. The inability of many healthcare organizations to consistently follow cybersecurity best practices and implement basic security measures is often a result of budget constraints, difficulties hiring and retaining qualified IT security professionals, and a lack of knowledge about the best ways to increase resilience to cyber threats. Some of the top healthcare cybersecurity challenges include:

Outdated computer systems

Healthcare organizations often rely on outdated and legacy systems, such as workstations and networked medical equipment, that commonly contain unpatched vulnerabilities and are easily exploitable by attackers. Budget cuts expose hospitals to sometimes using decade-old computer equipment and software: some 15% of computers worldwide used Windows 7 and 8 in 2022, despite no security updates for these systems since January 2020. Upgrades and new equipment are necessary to maintain data safety, especially in healthcare, where the principle “it’s old but still working” could cost providers much more than new hardware and software.

More sophisticated social engineering tools

The goal of social engineering is to trick targeted victims into giving out their personal information rather than brute-forcing cybersecurity systems. The most common social engineering practice is phishing. Scammers impersonate a real organization or website via text messages, emails, and other means to steal passwords and credentials, infect a device with malware by clicking on a link, and get access to patient data. With the rise of AI technology, hackers began using it to enhance their tools and methods, for example, to write seemingly legitimate texts for scams and trickery.

The growing scale of ransomware attacks

Ransomware gangs increasingly use double-extortion tactics to extort money from their victims. After infecting the victim’s system with file-encrypting malware, they steal a copy of the data, demanding a ransom payment to retrieve it back. If the victim doesn’t pay, they threaten to publish the data online. Yet even when the payment is made, there is no guarantee the hackers will delete the information as promised.

A recent and most sophisticated example of a ransomware attack is the incident that affected US healthcare giant Change Healthcare, which shut down its network on February 21, 2024. The attack disrupted thousands of hospitals and pharmacies across the United States that were unable to fulfill or process prescriptions, verify patients’ insurance, and process billing. A Russia-based ransomware and extortion gang, ALPHV/BlackCat, took credit for the cyberattack that allegedly cost the company $22 million in Bitcoin in ransom. The matter is not settled as of today, as Change Healthcare is reportedly dealing with a second cyber extortion attack in which they lost 4TB of patient data, including medical records of military personnel. 

Physical security of equipment and data

Electronic devices like laptops, smartphones, and USB/thumb drives can easily be lost or stolen, making them vulnerable to hackers’ actions. Unsupervised access to a computer or device can compromise it. Therefore, it is essential to protect your equipment to ensure its proper operation, configuration, and data privacy. To prevent cyberattacks, ensure that your electronic devices are physically secured. Never leave your laptop or computer unattended, encrypt sensitive data, and teach your employees to report lost or stolen equipment to responsible IT professionals.

Attacks against network-connected medical devices

The term “medjacking” (= medical highjacking) refers to cyberattacks targeting connected medical devices, which are often critical for patient survival. Interfering with their functionality can be life-threatening. Imagine a scenario where a cyberattack compromises your organization’s network, allowing hackers to manipulate critical medical equipment remotely. They could turn these devices off and on at will. In a real-world example, a hacker enters a hospital’s network via a phishing email and gains control of a file server connected to an ICU heart monitor. They then proceed to disrupt all the heart monitors in the ICU, endangering multiple patients. Just like any other digital technology, connected devices require regular updates for security and patching vulnerabilities.

Best cybersecurity practices for the healthcare industry

Protecting patient safety and personal information is crucial for any healthcare organization, as healthcare systems are constantly under strain. While security risks and requirements may differ, following some best cybersecurity practices can help mitigate the risk of potential data breaches and ensure patients’ trust in your organization.

Educate and train your employees

It is important to provide mandatory information security training to employees on a regular basis. The training should be consistently updated to reflect the latest threats, regulatory requirements, and best practices for cybersecurity and digital hygiene. In addition, it is vital to build a culture of data security awareness at all levels of the organization. Employees should be taught about common attack vectors used in hacking healthcare sites, phishing techniques, and best practices for data protection when using healthcare technology. Effective cybersecurity is a shared responsibility.

Perform regular security risk assessments

Risk assessments are fundamental to cybersecurity in healthcare. They involve a systematic evaluation of vulnerabilities and threats, evaluating each for probability, impact, and priority. This process not only identifies risks but also documents preventive measures taken by the organization. Healthcare organizations must conduct these assessments regularly—at least annually—to stay aligned with security strategies and meet compliance or cyber insurance requirements. Additionally, risk assessment procedures should be updated whenever new devices or services are introduced.

Implement strong access controls

Adhere to the last privilege principle and introduce strict access controls to make sure that only authorized staff members can access sensitive data and systems. Utilize privilege escalation protocols to limit security gaps when accessing healthcare networks. Employ foundational security measures such as antivirus software to guard against malware, data backup, and restoration platforms to recover from ransomware attacks, encryption, network firewalls, incident response planning, and multi-factor authentication to establish robust baseline defenses. A multi-factor authentication (MFA) failure at the beginning of April this year led to the exposure of patient data pertaining to the Los Angeles County Department of Mental Health (DMH). Hackers were able to bypass MFA requirements and gain access to two Microsoft Office 365 accounts, resulting in a serious data breach.

Implement endpoint protection systems

Organizations should diligently protect their endpoints to guard their networks against cybersecurity threats. The best practice for small organizations is to limit system administrator access rights, regularly update systems to patch vulnerabilities, and equip each endpoint with antivirus software, full disk encryption, and automatic updates. Medium to large organizations, in addition to these practices, should automate the provisioning of endpoints, employ Mobile Device Management (MDM) technologies to control device configurations, and implement Endpoint Detection and Response (EDR) technologies to monitor and react to suspicious activities across a large number of endpoints. These combined efforts help create a robust cybersecurity framework suitable for any organization size.

Foster partnerships to boost cybersecurity in healthcare

Collaborate with industry peers, cybersecurity experts, and government agencies to exchange information about emerging threats, best practices, and innovative security solutions. Many healthcare organizations and practitioners enhance healthcare delivery through partnerships initially formed in response to cyber risks. Working together not only strengthens healthcare delivery but also fosters the development of more robust security measures. Additionally, collaborating with a reliable software development partner can accelerate the adoption of new, secure solutions tailored to specific organizational needs. This partnership enables the integration of advanced technologies and expert insights, ensuring that healthcare services remain safe and efficient.

At Beetroot, we can connect you with the industry’s best cybersecurity specialists to strengthen your resilience. Our team of experts will help you build healthcare software in compliance with the standards and regulations applicable to your field, including GDPR, HIPAA, or HL7, to create the most effective and secure product.