The Growing Cybersecurity Threat in Healthcare
The healthcare sector is increasingly becoming a prime target for cyber-attacks, with dire consequences that extend beyond financial damage. The FBI and Department of Justice now classify cyber-attacks on healthcare as “threat to life” crimes due to their potential to disrupt patient care and endanger lives. Let’s dive into why healthcare networks are targeted, what risks exist, and how cybersecurity professionals can protect this critical industry.
Why Target a Hospital or Healthcare Network?
Aside from state-sponsored cyber warfare, most attacks on hospitals are driven by opportunity rather than malice. Attackers typically aim to exploit vulnerabilities for financial gain or operational disruption. Here are two primary motivations:
- Data Breach and Exfiltration
Medical records are among the most valuable data on the dark web. While a stolen social security number may fetch a dollar and credit card information slightly over a hundred dollars, a single medical record can be worth $250 to $1,000. These records contain rich personal data, including medical histories, insurance information, and more, making them ideal for fraud and identity theft.
- Ransomware Attacks
Healthcare is the third-largest target for ransomware attacks, with providers suffering an average financial impact of $9.2 million per attack. Ransomware locks healthcare data and demands payment for its release. Given the strict data retention requirements in healthcare and the need for real-time access to patient information, offline backups are rare. When an attack occurs, hospitals may have no choice but to pay, as delayed restoration can jeopardize patient care.
Key Risks in Healthcare Cybersecurity
The healthcare sector poses unique challenges due to its complex IT environment. Let’s explore the primary risks that make securing healthcare networks difficult:
- Third-Party Infrastructure Risks
Hospitals rely heavily on third-party systems that they don’t control. Medical equipment like TomoTherapy systems may come with entire server racks integrated into the hospital’s network but remain under the vendor’s control. This makes them prime targets—46% of ransomware attacks last year originated from third-party breaches.
- Antiquated Operating Systems
Hospitals still rely on outdated technology for critical devices. For example, it’s not uncommon to see Windows XP running a mobile X-ray machine. Almost 96% of hospitals report having end-of-life operating systems in their networks, largely due to FDA regulations that limit upgrades on medical devices.
- Reduced Barriers to Care
In emergency scenarios, time is critical. Security protocols like multi-factor authentication (MFA) may slow doctors' access to patient information, which makes zero trust principles harder to implement. Healthcare systems must strike a delicate balance between security and accessibility.
- Executive Exceptions
Some senior healthcare professionals may receive security exemptions—for example, passwords that never expire—because they resist frequent changes. Unfortunately, these practices create vulnerabilities that attackers can easily exploit.
Resources for Cybersecurity Professionals in Healthcare
If you’re a cybersecurity professional new to healthcare, leveraging the right frameworks and resources is essential. Here are some trusted resources:
- NIST Cybersecurity Framework: Provides a robust foundation for building a security program.
- CISA (Cybersecurity & Infrastructure Security Agency): Offers tools for protecting critical infrastructure, including healthcare.
- HHS 405(d) Task Force: Publishes valuable documents like HICP (Health Industry Cybersecurity Practices), which identifies the top five risks to healthcare and outlines 10 cybersecurity best practices.
- The Joint Commission: A healthcare accreditation body that requires regular testing of security protocols, including care continuity plans.
How Healthcare Organizations Can Strengthen Security
Healthcare employees are often motivated by a strong sense of purpose, making culture a powerful tool in cybersecurity efforts. Here are some essential actions to build a stronger defense:
- Foster a Culture of Security Awareness: Tie patient safety and security practices together. When employees understand that data security protects lives, they become more invested in following cybersecurity protocols.
- Increase Visibility Across Systems: Many healthcare providers struggle to understand which devices are on their networks and how they interact. Bridging the gap between IT, facilities, and biomed teams improves visibility, enabling better segmentation and isolation of systems.
- Implement Zero Trust and Resilience Practices: MFA, immutable backups, and regular assessments of care continuity plans are essential for reducing vulnerabilities. However, only 20% of hospitals conduct red-team or tabletop exercises to prepare for attacks, showing there’s room for improvement.
- Test, Don’t Just Assess: It’s not enough to assess vulnerabilities; hospitals must also test their defenses. Red and purple team exercises help organizations identify gaps and improve response strategies before a real attack occurs.
Conclusion: Navigating the Complexities of Healthcare Cybersecurity
Healthcare organizations face unique cybersecurity challenges, but solutions do exist. Success lies in creating a culture of security, enhancing system visibility, and encouraging collaboration across departments. With the right frameworks and practices—like HICP, CISA resources, and zero trust principles—healthcare providers can safeguard patient data and operations.
If you’re a healthcare IT professional or a healthcare organization struggling with cybersecurity, we’re here to help. Let us guide you through these complexities, ensuring that your patients—and your data—are safe. After all, none of us know when we might need these systems ourselves.
Troy Baietto
ANM Solutions Architect
Troy is the Solutions Architect for Arizona with ANM, helping clients align technology solutions to business needs. Prior to ANM, he was at Cisco for 19 years starting in IT as an intern and eventually becoming the systems engineer for healthcare in Arizona.