

By: Matt Kozloski


July 20th, 2017

5 Causes of Costly Cybersecurity Breaches in the Healthcare Industry

Cybersecurity

Welcome to 2017, a time in which no industry is untouched by technological advancement. The healthcare sector has moved forward with million-dollar investments that revolutionized the way we treat patients. But it’s also been transformed by technology that’s changed how providers and facilities create and manage electronic health records.

Technological advancements also bring new risks. Take the adoption of IoT-enabled medical equipment, for example. While these devices offer valuable functionality, they introduce new cybersecurity challenges.

Given these factors and the volume of personal information they handle, hospitals and healthcare practices face a greater risk of cybersecurity breaches.

According to an Identity Theft Resource Center report, the number of U.S. data breaches tracked in 2016 hit an all-time high of 1,093. The healthcare and medical industry was the victim of 377 of those incidents – 34.5% of the overall total.

These cybersecurity breaches put your patient records in jeopardy and could dramatically disrupt your hospital operations (or worse, force a complete shutdown). Knowing your IT vulnerabilities and how to protect yourself from them can actually be a matter of life and death.

Learn about the five most common causes of cybersecurity breaches in the healthcare industry. Prepare your organization to mitigate the likelihood that these issues become reality.

1) Malware and Ransomware

According to SecurityScorecard’s 2016 Healthcare Industry Cybersecurity Report, 75% of the healthcare industry fell victim to a malware attack over the last year. The Infosec Institute detailed an equally troubling trend regarding ransomware attacks – in Q1 of 2016, the average number of daily ransomware attacks quadrupled from Q1 of 2015 to over 4,000 attacks.

Hospitals and healthcare institutions are a prime target for malware and ransomware because healthcare providers need speedy access to patient data and a functional communications system at all times. It’s the nature of medicine. Ultimately, these institutions are more likely to pay a ransom to keep their operations up and running and keep their patients out of harm's way. But even then, can you be sure that the hackers did not make copies of confidential information?

It only takes a single, seemingly minor misstep by an employee for a hacker to gain access to your systems. Phishing communications are a common example of ways cyber criminals try to get in. They could come through email, social networks, or even phone calls. Improper implementation and management of wireless devices connected to the Internet of Things (IoT) network is another way.

2) Weak or No Data Encryption

A BMC Medicine study of health applications revealed that 66% of apps sending identifying information over the Internet did not use encryption, and not one app that stored personal information locally encrypted that data. In the event of a data breach, completely unencrypted data gives hackers easy access to it. Applications that have been granted access may also be infected by malware that gives cyber criminals access to your confidential information.

To sufficiently protect your data, you must encrypt it in transit and at rest. Protecting the encryption keys is just as critical: a key stored alongside the data it protects adds little, and a lost key means the data itself is lost, so key management decides both the confidentiality of the data and your uninterrupted access to it.
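As an added illustration of both halves of that advice (not code from the original post or from Kelser), the following Go program encrypts a constructed sample patient record at rest with AES-256-GCM, an authenticated cipher that also detects tampering, and returns a minimal TLS policy for data in transit that refuses anything older than TLS 1.2. The data key is generated in memory only for the demonstration; in a real deployment it would be fetched from a key-management service or HSM, which is the "protect the keys" part of the recommendation. The record contents and the record identifier used as associated data are made-up values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real patient data.
const samplePatientRecord = `{"mrn":"EXAMPLE-0001","name":"Test Patient","dx":"example"}`

// NewDataKey returns a fresh 256-bit AES key. Here it is generated locally so
// the example runs stand-alone; in production the key comes from a KMS or HSM
// and is never written next to the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. aad is authenticated but not
// encrypted (for example a record identifier), so a ciphertext cannot be
// silently swapped onto a different record. Output layout: nonce || ciphertext+tag.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce, unique per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord and fails closed if the ciphertext, the
// nonce, the associated data or the key do not match what was sealed.
func DecryptRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// TransitTLSConfig is a minimal server-side policy for data in transit:
// TLS 1.2 or newer only, so a client cannot negotiate the connection down to
// SSLv3 or TLS 1.0. Certificates are supplied by the caller.
func TransitTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("record-id:EXAMPLE-0001") // constructed identifier
	blob, err := EncryptRecord(key, []byte(samplePatientRecord), aad)
	if err != nil {
		panic(err)
	}
	back, err := DecryptRecord(key, blob, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && string(back) == samplePatientRecord)

	// Flip one byte of the stored ciphertext: GCM rejects it instead of
	// returning silently corrupted patient data.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob, aad)
	fmt.Printf("tampered record rejected: %v\n", err != nil)
}
```

The associated data binds each ciphertext to its record identifier, so a database row whose ciphertext is copied from another patient fails to decrypt rather than yielding the wrong chart. Rotating the data key is then a matter of re-encrypting under a new key fetched from the key store, without changing the stored format.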

3) Human Error

“No matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company,” writes Marc van Zadelhoff, General Manager of IBM Security.

Alex Heid, chief research officer at SecurityScorecard commented specifically on users’ roles within the healthcare industry:

"The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient. Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing and other social engineering attacks."

Falling for those aforementioned phishing scams, misaddressing emails, and using weak passwords (or none at all) are just some of the missteps employees make that put your systems at risk.

There’s also lost or stolen equipment, and malicious insiders who deliberately leak confidential data. These actions can often go undetected unless proper security measures are put into place.

4) Bring Your Own Device

Many healthcare organizations are allowing their employees to bring their own devices to work, including laptops, tablets, and smartphones. In fact, one survey showed that 81% of healthcare providers are now allowing their doctors and medical staff to use their own tablets and mobile devices at work.

Yet, 46% of these organizations indicated that they aren’t taking any actions to secure these mobile devices. The BMC Medicine study found that 20% of healthcare providers don’t have a privacy policy in place.

Whether through theft or hacking, these devices make patient data vulnerable to outsiders, and without proper precautions, data loss is far more likely.

5) Outdated Technology Hygiene

As much as training and protocol dictate the safety of your data, system updates and patches must also be current.

Unpatched systems are more vulnerable to cyberattacks. If your systems crash because they’re not up to date, you’ll spend plenty of time and money getting them to current standards.

This was the case in the WannaCry ransomware outbreak in May of 2017, which had a huge negative impact on the National Health Service in the United Kingdom. During that outbreak, 45 National Health Service organizations were impacted, forcing some hospitals to cancel operations and outpatient appointments. While ransomware this widespread is not common, it shows that keeping software and operating systems fully updated is a measure that is not difficult to implement, and one that would have helped in this case.

Healthcare facilities simply can’t afford to battle serious operational issues. Time is extremely valuable in the healthcare industry. A shutdown or a malfunctioning system can delay a surgery, or cause devices to disrupt surgeries or tests. This puts patients in danger.

Your systems must be monitored appropriately and consistently to ensure your technology and devices are performing as intended.

Avoiding The Steep Cost of Cybersecurity Breaches

According to Ponemon, the average cost of a data breach for a healthcare organization is $355 per record. Let’s say you house 1,500 patient records in your systems. Using this reported average, a cybersecurity breach would cost your practice well over $500,000.

But the monetary loss isn’t the only, and certainly not the biggest, concern. The well-being of your patients and their peace of mind are potentially irreparable costs of a cybersecurity breach. Your reputation can be tarnished and keep patients from trusting you again, regardless of your skill or experience.

As the technological landscape in the healthcare industry continues to expand, you must take proactive steps to defend your organization and your patients.

If you haven't already, consider conducting a risk assessment to uncover the vulnerabilities within your infrastructure and policies. It’s very possible that you may need support to address these issues and comply with HIPAA requirements.

Ultimately, ensuring the protection of your patients’ records, your private data, and your devices will save you time, money, and stress - not to mention safeguarding your reputation. Take a step toward addressing your vulnerabilities and download our eBook: 10 Simple Things You Can Do to Improve Your Company’s Cybersecurity Posture. Simply click below to get your copy today.


About Matt Kozloski

Matt is the VP, Professional Services at Kelser as well as former leader of the CT VMUG. VCDX # 194, CISSP # 526947.
