The healthcare industry is a prime target of hackers. The importance of cybersecurity in healthcare is an essential consideration for all organizations handling patient data.
Be aware of the latest numbers; read our article on the latest Healthcare Cybersecurity Statistics.
Healthcare Data Breaches, By the Numbers
1. 89% of healthcare organizations experienced a data breach in the past two years. Despite the sophisticated measures put in place by providers to prevent data breaches, they are still common. (Source: Dizzion).
2. A Mid-Horizon study concluded that approximately 100 percent of web applications connected to critical health information is vulnerable to cyber attacks. Network penetration results also showed that hackers could easily access domain level admin privileges of most healthcare applications. As a result, the use of advanced technologies such as block-chain and cloud computing is necessary to ward off such attacks in the future. (Source).
3. It is estimated that the loss of data and related failures will cost healthcare companies nearly $6 trillion in damages in the next three years compared to $3 trillion, in 2017. From a statistical point of view, it is the most significant transfer of wealth in human history. If proper security measures are not taken, experts believe that cybercrime can have a devastating financial impact on the healthcare sector in the next four to five years. (Source).
4. 82% of surveyed healthcare organizations agree that digital security is one of their foremost concerns. (Source: Health IT Security)
5. 55% of healthcare companies in the United States faced cyber attacks. Almost one-fifth confirmed that they had been attacked in the last 12 months. (Source).
Learn more about data breaches in our guide What Is a Data Breach.
Healthcare Ransomware Statistics
Ransomware has brought many a healthcare organization to its knees. It is likely to remain one of the most prominent threats of 2019 and beyond. Despite increasing awareness among healthcare professionals, the number of ransomware attacks continues to grow.
6. Ransomware attacks on the healthcare sector will quadruple by 2020. Attackers like to attack the healthcare sector due to the potential value of such data. The healthcare sector is prone to paying the ransom because the disruption, lost productivity, and damage to the data can be more expansive than preventing the loss by paying the ransom. (Source: Herjavec Group Healthcare Report)
7. As of 2018, the number of ransomware families dropped from 98 to only 28. However, there were 350 different variants of ransomware observed in 2018 compared to 241 in the previous years. It means that ransom-takers are using more sophisticated tactics to hack into vulnerable systems. (Source)
8. Healthcare organizations are more willing to pay ransom to avoid downtime and gain access to critical patient data. It is estimated that 23 percent of healthcare organizations paid some form of payment to the attackers. The healthcare industry is vulnerable because it uses legacy systems that are mostly out-dated and vulnerable to attacks. (Source: Infosecurity Magazine)
9. Organizations that handle healthcare data that fail to update their systems may face grave consequences in the future. The majority of healthcare ransomware attacks were malware related. Of the 2,600 incidents reported, 36 percent were malware related followed by accidental disclosure in 26 percent of the cases. (Source: Beazley Breach Briefing)
Read about CommonSpirit Health Ransomware Attack one of the most notable cybercrime incidents of 2022.
Implementation of Advanced Security Technologies To Fight Back
10. The nature of cybersecurity spending in the healthcare sector varies significantly due to the specific requirements of organizations. A majority of companies are spending their budgets on network security and investing in mobile protection measures. Another 51% are also spending on advanced technologies that will make data on the move more secure during data transfers. (Source: HIPPA Journal)
11. A large number of healthcare firms are migrating to a cloud-based solution. Despite the safety as their prime concern, 25% of the firms suggest that they are not encrypting their information during data transfer to the cloud. 38% of firms that have data in a multi-cloud environment such as Amazon Web Service does not use encrypted technology. (Source: Hytrust)
12. 60% of healthcare organizations globally have introduced IoT devices into their facilities. The Internet of Things has seen an exponential rise in the use of IoT enabled devices in a range of fields. Wearable and implantable IoT devices are already widely used in healthcare, including insulin level monitors to pacemakers. (Source: Statista)
Cybersecurity IT Talent: Human Weakness
We tend to think of cybersecurity as a system of digital checks and balances. But while this is important, organizations should still consider the human component. Even if you’re spending heavily on automated systems, it means little if you don’t have the right people to implement and manage them.
13. 42% of healthcare organizations leave their cybersecurity in the hands of a vice president or C-level official (Source: Chime).
14. 39% report their biggest challenge when it comes to implementing cyber defenses is the lack of qualified employees (Source: HIPAA Journal).
15. 37% say that less than 1 in 4 candidates are skilled enough to keep their companies secure (Source: Health IT Security).
16. Cybersecurity requires specific knowledge and skills to secure and combat attacks. Often, these skills are not easy to find as 27 percent of healthcare firms reported that they are unable to find suitable candidates to fulfill cybersecurity roles. Another 14 percent suggested that they are not sure if they will be able to fill vacant positions. The ISACA State of Cyber Security Report also concluded that 45 percent of firms don’t think that their applicants understand the nature of their job (Source).
17. If the budget doesn’t restrict healthcare firms to improve their security, the complexity of the system does. 53 percent of the healthcare firms surveyed revealed that complexity of healthcare systems is the major issue holding them back. Healthcare systems can be complicated as lack of experienced and knowledgeable staff to handle such complex systems is another significant concern, cited by 39 percent of firms (Source: Thales Data Threat Report).
18. For small and medium-sized healthcare firms, cloud adaption is a haven from cyber attacks. Despite the early adaption of cloud-based technology by the healthcare sector, nearly 40 percent of these organizations do not have a dedicated staff that can deal with cloud-based problems. Without a dedicated team, small healthcare organizations can face threats while operating in a cloud environment. (Source: HIPPA Journal)
19. The most significant internal cybersecurity threats to healthcare are often high-ranking officials and senior staff who have deep access to the system. A whopping, 61 percent cited senior-level executives as a potential security loophole that can be vulnerable to cyber threats. Similarly, privileged users, such as executive managers, contractors, and service providers, are potential targets for hackers and cybercriminals. (Source: HIPPA Journal)
20. 59% of healthcare organizations get at least five applications for each cybersecurity job, while 13% receive 20 or more. While these healthcare security statistics make for sobering reading, there is some good news. The right candidates do appear to be out there. (Source: Health IT Security).
21. 54% of healthcare associates say their biggest problem is employee negligence in the handling of patient information (Source: Ponemon Study).
Healthcare Companies are Fighting Back
21. Healthcare organizations are taking cyber security seriously as 62 percent of companies have reported that a Vice President is in charge of cybersecurity issues. 41 percent of organizations are in the process of implementing a fully functional security program to address critical problems. (Source: Health IT Security)
22. Recent attacks on healthcare have prompted healthcare companies to increase their cybersecurity budgets from a maximum of 10 percent to almost 25 percent, in 2018. The increase in the budget is correlated to an increase in hiring staff for a specific purpose. In 2016, eight percent of the healthcare companies had more than 10 employees dedicated to the task, which increased to 11 percent, in 2017. (Source: Health IT Security)
23. In 2018, 60 percent of these firms put particular emphasis on cybercrime by increasing their staff, adding new technologies, and training their employees on such issues. Cybersecurity budgets continue to grow as 81 percent of U.S. firms indicate that they will improve their resources to keep critical systems safe. (Source: Healthcare IT News)
24. 57 percent of companies are ensuring that they meet local and global compliance standards of Internet security required in the healthcare sector. Of these, 34 percent confirmed that they are already looking to implement cybersecurity best practices for employees. (Source: HIPPA Journal)
25. Security breaches caused by the loss of sensitive items, such as laptops and other devices, have decreased sharply. While loss or theft of items accounted for nearly 90 percent of the losses in 2010, it has reduced to only 15 percent, in recent years. This is a clear sign that educating employees to take care of their data devices is critical to preventing incidents of theft. (Source)
26. 54% of healthcare organizations believe they have technologies in place to effectively prevent or quickly detect unauthorized access to patient data. An improvement over the 49% reported in 2015. (Source: Ponemon Institute)
27. 19 petabytes of data across 29,000 instances of databases are exposed. This is a finding of 2021 research that looked into database security. (Source: Cybernews research)
5 Largest Healthcare Cyber Security Attacks & Breaches
Here are some of the most significant healthcare data breaches. What can your organization learn to avoid being the next victim?
1. LifeBridge Health
This Baltimore-based healthcare system experienced a malware attack last March. The attack potentially breached the data of around 500,000 patients. Investigations showed that the hackers first gained access to the system back in September 2016.
2. Health Management Concepts
This ransomware attack fast became a full-blown data breach. Hackers were mistakenly provided with a file containing the personal data of over 500,000 patients.
The organization has not disclosed how or why hackers got this information, but the file contained Social Security numbers, health insurance information, and patient names.
3. CNO Financial Group
Between May and September of last year, hackers gained access to the credentials of CNO employees. This information was then used to access company websites, compromising the data of over 566,000 policyholders and applicants.
Data accessed included dates of birth, insurance details, and partial Social Security numbers.
4. UnityPoint Health
UnityPoint suffered two security breaches last year. The second compromised the data of 1.4 million patients.
A series of phishing emails had been made to look like they were from a top executive within the company. When an employee fell for the scam, it gave hackers access to private email accounts.
The data breach of billing vendor AccuDoc was the biggest of last year. The North Carolina-based vendor prepares patient bills while managing Atrium Health’s billing system. The investigation revealed that while hackers could view the data, they were unable to extract it.
Don’t Become a Healthcare Security Statistic
From these healthcare statistics, it is apparent that there has been an increased awareness among healthcare companies regarding cybersecurity. Despite the response, more needs to be done. All types of hacking attacks are also becoming more sophisticated and the data loss more costly. Solutions start with awareness, updating and maintaining critical systems, and emphasis on security during data transfer.
Work with our team of security professionals and ensure that your employee and patient data is secure.