
By: Matt Kozloski


May 19th, 2017

Top 3 Reasons Healthcare Providers Should Make Cybersecurity a Priority

Cybersecurity | Workforce Enablement

Cybersecurity has become a mainstream point of discussion over the last five years. With notable attacks on Target, NASA, the United States Defense Department, and the WannaCry / WannaCrypt outbreak, the public now has a heightened sense of awareness (and fear) of cyber crime. Perhaps no industry needs a wake-up call more than the healthcare industry.

While healthcare providers are subject to many laws and regulations governing how health information is handled and protected, such regulation has not necessarily made their information any more secure.

Truthfully, the healthcare industry has long been susceptible to cyber attacks. But thanks to several factors, providers simply have no choice but to make cybersecurity a priority. Below are just three reasons why your organization must put cybersecurity at the top of its agenda.




1) Healthcare Providers are a Big Target

With the bevy of information healthcare providers collect, they’re prime targets for attacks. But the industry’s measures to protect medical and other information have lagged behind those of other prominent sectors.

In fact, a private notice issued by the FBI in 2014 advised healthcare providers to increase their cybersecurity. It warned that “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors.”

In 2015, data breaches across the healthcare industry reached historic highs. Since 2009, there have been 1,470 reports of major data breaches, which exposed the medical records of over 115 million Americans. Shockingly, almost 97% of those exposed records were the product of incidents reported in 2015 alone.

The staggering numbers in 2015 led to increased (and overdue) attention to healthcare cybersecurity in 2016.

In fact, 3 in 4 leaders of healthcare providers indicated their intentions to increase spending on their IT security in 2016, and addressing security risks will remain a key concern into the future. These same healthcare executives listed security as a top-three priority within IT over the next two years.

Nonetheless, healthcare providers remained a top target for cyber attacks in 2016, according to Health Data Management.

This past year, Banner Health – a Phoenix, AZ-based healthcare provider – suffered an attack on “just” a limited number of computer services and systems. The breach affected 3.62 million individuals, including patients, plan members, providers and even those who purchased food or beverages at Banner facilities.

Clearly, there’s more to healthcare cyber attacks than medical records. With banking and personal information, hackers can use stolen data to commit “traditional financial fraud.” And with health insurance information, hackers can sell such private data on online black markets. Thieves of such records can use the stolen information to commit medical fraud – such as receiving free medical care or buying medical equipment.

2) Ransomware Attacks are on the Rise

Perhaps no type of cyber attack has become more prevalent than ransomware.

As its name indicates, ransomware is malicious software that infiltrates a computer or system and covertly encrypts information until appropriate users can no longer access the data. The attacker ultimately denies access, holding the system and its data hostage until the provider pays a ransom for its release.

In 2016, Hollywood Presbyterian Hospital suffered a ransomware attack that forced its employees to keep paper records for a week and send patients away to neighboring hospitals. Ultimately, Hollywood Presbyterian paid its attackers around $17,000 to regain access to its systems and data.

Another hospital in Kentucky was forced to declare an Internal State of Emergency due to a ransomware attack.

While ransomware has become prevalent across a range of industries, the risk it poses to the healthcare industry is more significant. Imagine a surgeon preparing to perform an emergency surgery, but getting denied access to the patient’s medical records before making the first incision. This scenario somewhat played out during the WannaCry / WannaCrypt ransomware outbreak when 45 National Health Service organizations in the UK were impacted by ransomware, forcing some hospitals to cancel operations and outpatient appointments.

The stakes are literally life and death.

3) Increased Use of Internet-Connected Healthcare Devices

Following the birth of the Internet of Things (IoT), the healthcare industry has made great advances in technology. IoT gave providers the ability to use connected devices to automate once-manual processes and access more and better data. Its impact can be staggering. According to McKinsey & Company, remote health monitoring could create as much as $1.1 trillion a year in value in 2025 by improving the health of chronic-disease patients.

But with this great potential comes great risk.

More and more connected medical devices will help providers and patients achieve their well-being and stay healthy. But the devices themselves are susceptible to attacks like any other system, meaning the information they transmit is vulnerable, too.

There is no universal solution, however. Every web-enabled device provides its own cybersecurity challenge. And healthcare organizations must learn the cybersecurity risks that each and every connected device poses.

Take, for instance, St. Jude Medical's implantable cardiac devices.

These devices – such as defibrillators and pacemakers – are implanted in patients’ hearts. They help monitor and control the function of the heart, helping to protect against heart attacks.

According to the FDA, these connected devices also come with certain vulnerabilities – ones that cyber criminals could exploit. For example, an attacker could execute false pacing or shocks to a patient’s heart. They could also drain the device’s battery.

While no St. Jude patients were harmed (the medical manufacturing company has since developed a software patch to address its devices’ weaknesses), the example sheds light on the critical nature of security within the world of IoT.

How Can Healthcare Organizations Bolster Their Cybersecurity?

Considering the history of healthcare cybersecurity and its evolution, managing your security may seem overwhelming. But there are simple steps your organization can take to mitigate the risks of cyber attacks and data breaches.

We’ve detailed 10 simple things you can do to protect your organization in our very own eBook. And if you start with these steps, you can put your company on the path to improved cybersecurity. From there, you can take additional measures to further protect your information, and further protect the patients whose well-being you take in your hands.


About Matt Kozloski

Matt is the VP, Professional Services at Kelser as well as former leader of the CT VMUG. VCDX # 194, CISSP # 526947.
