Cyberattacks on healthcare organizations continue to rise. Providers, payers, and other healthcare organizations are prime targets for cybercriminals who are looking to hold sensitive patient data hostage or steal it to commit further criminal acts. To protect this data and maintain compliance with strict government regulations, many organizations are ramping up security investments and working to strengthen strategies.
How can your organization better defend itself from a growing number of threats? Surveying the threat landscape, regulatory requirements, and best practices can help you start building a more effective IT security plan.
There is no doubt that the number of cyberattacks against healthcare organizations is increasing. According to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), there was a 256% rise in large breaches involving hacking and a 264% increase in ransomware attacks in the five years leading up to 2024. Organizations in the healthcare sector continue to be targeted by cybercriminals more than organizations in many other fields.
Why are healthcare organizations such prime targets? They have valuable data, multiple access points, and vulnerable systems.
Medical and billing records contain highly sensitive personal information that hackers can steal and sell. The names, addresses, birthdates, Social Security numbers, and other vital information in these records can be used for identity theft and fraud. If data theft is not part of the plan for a particular attack, the attackers still know that holding patient data hostage and disrupting operations can spur healthcare organizations to pay large ransoms quickly.
Unfortunately for healthcare organizations, cybercriminals have multiple ways to access patient data. Healthcare organizations often have complex networks with many access points. For example, a hospital might need to enable some level of access to essential information by clinicians, administrators, and patients. Some of the clinicians might require remote access while using tablets and mobile devices. At the same time, the hospital might have to support a wide array of connected systems, from medical imaging systems and cloud-based archiving environments to Internet-of-Things (IoT) medical devices, mobile devices, and wearables. All of the connected systems and devices are potential network entry points for attackers.
Attackers are also good at finding vulnerabilities in legacy systems and outdated software. Many healthcare organizations use systems and software longer than they should because of the high costs of replacing them. Meanwhile, technology vendors might not issue frequent updates or patches to address the latest cyber threats. Attackers see those legacy technologies as opportunities that are just waiting to be exploited.
Though healthcare organizations can be subject to a full array of threats, they are most frequently attacked with ransomware since that type of attack can yield the largest monetary returns.
Ransomware is malicious software that encrypts data, preventing authorized users from accessing it. Attackers demand ransom in exchange for providing the decryption key. As ransomware attacks have evolved, attackers have often added threats, for example, threatening to steal and sell sensitive data or to attack partner organizations.
Ransomware attacks often start with phishing schemes. In the most common version of a phishing scheme, attackers send employees an email or message containing a link to a spoofed website. Employees are asked to enter their login credentials. If they do, the attackers can steal those credentials and use them to access the enterprise network. Once the attackers are in, they can release ransomware that spreads across systems, encrypting data or otherwise locking out users.
In some cases, attackers do not have to dive deep into enterprise networks to access personal health data. For example, if they manage to steal a laptop, smartphone, or tablet used by a healthcare organization’s employee, attackers might be able to extract patient data directly from the device.
Cyberattacks can have tremendous, long-lasting effects on healthcare organizations and patients.
The financial costs of a data breach can be devastating for healthcare organizations. If organizations are subject to a ransomware attack, they might first need to pay millions in ransom to regain access to their data. They will then need to recover data and restore systems, conduct thorough investigations, and implement additional security measures. They might also need to pay regulatory fines, and they could face lawsuits from patients harmed as a result of the attack.
During attacks, hospitals and other providers could lose revenues from canceled procedures or missed appointments. Breaches could also damage their reputation and diminish trust among patients and partner organizations. As a result, attacked organizations could face longer-term revenue losses.
Meanwhile, cyberattacks could put patient lives at risk. If a ransomware attack forces a healthcare provider to take systems offline, patients might be unable to communicate with doctors, fill prescriptions, have procedures, or receive emergency care. They could suffer immediate and long-term consequences to their health.
Over the past three decades, key laws in the United States have attempted to improve data security and data privacy in the healthcare industry. Those laws have provided guidance for how to best safeguard sensitive information while also establishing financial penalties for non-compliance.
Protecting sensitive patient data and maintaining privacy were among the main goals of HIPAA (the Health Insurance Portability and Accountability Act of 1996). Its Privacy Rule clearly defines protected health information (PHI) and sets standards for keeping it private. The rule restricts how and when PHI can be disclosed without an individual’s authorization and establishes an individual’s rights to PHI. The HIPAA Security Rule defines ways healthcare organizations should protect patients’ PHI and electronic PHI (ePHI).
The HITECH Act of 2009 builds on HIPAA, strengthening its provisions for security and privacy. It also incentivizes adoption of new technologies in healthcare. Specifically, HITECH mandates that providers implement and demonstrate meaningful use of electronic health records (EHRs) to maintain their existing Medicaid and Medicare reimbursement levels.
At the same time, HITECH expands the reach of HIPAA to the business associates of covered entities. Furthermore, it raises penalties for violations and includes new notification provisions for incidents that result in PHI breaches.
Several states have enacted additional data privacy laws that apply to healthcare organizations. The most prominent among them is the California Consumer Privacy Act of 2018 (CCPA). This law was designed to give consumers more control over personal information that businesses collect about them.
Patient information defined as PHI by HIPAA is exempted from the CCPA. However, other health-related information collected by organizations is subject to CCPA rules. So, for example, if a for-profit healthcare organization collects information about California citizens visiting its website, that non-PHI data must be protected under the CCPA.
Protecting sensitive data and maintaining privacy require a multi-faceted cybersecurity strategy that should include a few essential best practices.
Employees play a vital role in protecting sensitive data, especially because they are often inadvertent vectors for attacks. Educating employees on how to identify phishing attempts and ransomware infections can help your organization detect and defeat attacks early. Employees should know what to look for and who to contact if they experience anything suspicious. Running occasional phishing tests could help you determine if employees are sufficiently trained.
Employees should also understand the importance of following security policies. For example, they should create strong, unique passwords that cannot easily be guessed by humans or machines. They should know ways to protect their devices from theft. Furthermore, they should avoid copying data to removable media or cloud environments, and refrain from forwarding sensitive information by email.
Implementing role-based access controls can help stop attackers from invading company networks. Even if attackers manage to steal authorized user credentials, those attackers will not be able to delve any deeper into your network than the user could. Similarly, network segmentation can help restrict lateral movement of attackers or malware through your environment.
Cybercriminals are continuously searching for vulnerabilities in operating systems, applications, and security solutions. Keeping all software up to date can help you prevent attacks. When conducting updates and patching, make sure you reach all systems. A single unpatched system could enable an attacker to access your entire network.
Healthcare organizations must also implement a range of technical controls and security solutions to protect data and maintain compliance.
There are several types of tools that can stop malware and viruses from reaching your most sensitive information. For example, antivirus and anti-malware software can help find and stop ransomware and malware on employee computers before attacks reach the enterprise network. Firewalls and intrusion detection systems scan the network for threats and block them from penetrating corporate systems.
Using multi-factor authentication (MFA) adds another important layer of defense. Instead of relying solely on usernames and passwords, MFA requires users to employ an additional means of authentication, such as a USB key or facial recognition capabilities. With MFA, you can halt attackers from accessing the network even if they have stolen credentials.
Implementing robust access controls is critical for protecting sensitive information while still enabling authorized users to work with the data they need. Employing role-based access controls using the principle of least privilege access gives authorized users the minimum permissions they need to do their job. This approach can prevent lateral movement of attackers and malware through the network: An attacker with stolen credentials can access only what the authorized user could access and nothing more.
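To make the least-privilege and segmentation arguments above concrete, here is an added example (not code from the original article) that models a hospital's roles, resources, and network segments as constructed data and checks what a phished clinician session can and cannot reach; the role names, resources, segments and ports are assumptions chosen to mirror the scenario described on this page.

```python
"""Least-privilege RBAC plus default-deny segmentation (added example, constructed data)."""
from dataclasses import dataclass

# Role -> set of (action, resource) pairs. Each role holds only what its job needs.
ROLE_PERMISSIONS = {
    "clinician":     {("read", "patient_record"), ("write", "clinical_note"), ("read", "imaging")},
    "billing":       {("read", "billing_record"), ("write", "billing_record")},
    "administrator": {("manage", "user_accounts"), ("read", "audit_log")},
    "patient":       {("read", "own_record")},
}

@dataclass(frozen=True)
class Session:
    user: str
    role: str

# Every denial is recorded so the security team can spot credential misuse early.
denied_attempts: list[tuple[str, str, str]] = []

def authorize(session: Session, action: str, resource: str) -> bool:
    """Allow only actions the session's role explicitly holds; log every denial."""
    allowed = (action, resource) in ROLE_PERMISSIONS.get(session.role, set())
    if not allowed:
        denied_attempts.append((session.user, action, resource))
    return allowed

# Network segmentation: explicit allow-list of segment-to-segment flows (constructed).
SEGMENT_FLOWS = {
    ("workstations", "ehr_servers"): {443},
    ("medical_devices", "imaging_archive"): {104},   # DICOM from imaging devices only
    ("ehr_servers", "backup_vault"): {443},
}

def flow_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow passes only if the segment pair and port are listed."""
    return port in SEGMENT_FLOWS.get((src, dst), set())

def simulate_stolen_clinician_credentials() -> dict[str, bool]:
    """An attacker holding a phished clinician session can do only what that clinician could."""
    attacker = Session(user="dr_jones", role="clinician")   # constructed: victim's stolen session
    return {
        "read_patient_record": authorize(attacker, "read", "patient_record"),
        "export_all_billing": authorize(attacker, "read", "billing_record"),
        "create_admin_account": authorize(attacker, "manage", "user_accounts"),
        "device_vlan_to_ehr_smb": flow_allowed("medical_devices", "ehr_servers", 445),
    }
```

The denied-attempts list is the detection hook: a clinician account suddenly requesting billing exports or account management is exactly the signal to alert on.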
Data encryption is another essential means of protecting sensitive patient information. By encrypting data in transit and at rest, you can prevent attackers from using that information even if they find a way to access it. Without the decryption key, attackers will be unable to read data.
Backing up critical data should be a component of any IT security strategy. If you can maintain a complete, up-to-date, and unchangeable copy of your data, you might be able to refuse attackers’ demands for ransom during a ransomware attack. The threat of encrypting or destroying your data will have little weight.
Disaster recovery and business continuity strategies help accelerate the return to normal business operations after an attack. With a complete copy of data in an offsite location, for example, you could restore that data to clean systems and resume operations. Using completely redundant systems could let you fail over to the secondary environment and avoid disruptions entirely.
Having an incident response plan in place before an attack hits is crucial for minimizing disruptions and mitigating damage.
Your incident response plan should be thoroughly documented. All roles and responsibilities should be clearly defined, so your team can spring into action when necessary.
The first step in your plan should be to contain the attack. If you are attacked with ransomware, for example, you need to isolate affected systems by severing the connection between them and the rest of the network. You then need to determine the extent of the infection, identify and remove any malware, and restore backed-up data to clean systems.
Beyond documenting the plan, you should test it periodically. It’s better to identify problems with your plan during a test, and correct them, than to experience them for the first time during an actual attack.
Your organization must have a plan to notify affected individuals, the Secretary of HHS, and, in some cases, the media. To comply with regulations, your notifications must follow particular timelines and include a range of information. For example, you need to notify individuals within 60 days of discovering a breach. You must tell those individuals what happened, what information was exposed, and what steps you are taking to investigate the breach and mitigate damage.
Healthcare organizations do not operate in isolation. Your organization probably uses technologies from a variety of vendors, and you no doubt share information with other providers and payers. Unfortunately, any one organization’s vulnerabilities can leave all organizations at risk.
Consequently, your IT security strategy should incorporate processes for vetting vendors and evaluating their cybersecurity practices. Requiring HITRUST certification is one way to help ensure that they have sufficient controls in place to protect sensitive information. Conducting periodic vendor audits and risk assessments can help you spot potential gaps in security. Finally, establishing formal agreements that require security controls can help underscore the importance of security and define responsibilities.
Given the alarming rate of large-scale attacks on healthcare organizations, strengthening your IT security strategy should be a top priority. In many cases, healthcare organizations benefit from working with external, healthcare-focused security consultants and managed service providers (MSPs). These experts can help you find and address potential gaps in your current strategy, and implement the capabilities you need to better protect sensitive information while maintaining regulatory compliance.
Ready to strengthen your IT security strategy? Contact us to set up a free consultation.