Cybersecurity in Healthcare: Protecting Over 187 million Lives from Cyber Threats
In today's rapidly digitalised world, cybersecurity has become a crucial concern in every industry, but nowhere is it more critical than in healthcare. The technologies that have transformed patient care, resulting in tremendous advances in medical treatment, have also introduced substantial hazards.
Healthcare organisations are now ideal targets for hackers, attracted by the massive amounts of sensitive data they contain.
The impact of cyberattacks on healthcare is staggering, affecting over 187 million lives, counting only the reported US incidents listed below, and costing more than $238 million in the last decade alone. With this article, I want to discuss the common cybersecurity risks confronting healthcare organisations, the most prominent breaches to date, and the steps that organisations must take to protect their systems and patients.
Several organisations in our region have been hacked; however, companies prefer not to publicly disclose the details of what happened. I personally know of more than five major healthcare organisations that had to pay the hackers in the end. Patient care is jeopardised, and a massive amount of data is at stake.
The growing problem of cybersecurity in healthcare
Healthcare organisations are particularly vulnerable to cyberattacks for a variety of reasons. The growing digitisation of services has expanded the attack surface, while the interconnection of medical devices across numerous locations complicates safeguarding these systems. Compounding these issues is a growing shortage of cybersecurity skills, making it difficult for healthcare institutions to maintain strong defences. Furthermore, the sheer volume and value of data stored in healthcare systems, ranging from protected health information (PHI) to financial and personally identifiable information (PII), make these organisations highly attractive targets for hackers, because the data can be exploited or sold on the dark web. Stolen health records can fetch up to ten times as much as stolen credit card details.
The financial consequences of such breaches are considerable, with the average cost to remediate a healthcare breach being $408 per stolen record, compared to $148 per stolen non-health record.
However, the ultimate cost goes far beyond dollars and cents; cyberattacks in healthcare can endanger patient safety, interrupt treatment delivery, and damage trust in healthcare organisations.
The most significant cyberattacks in healthcare
The following are some of the most significant hacks in healthcare in recent years, demonstrating the enormous damage these breaches may cause:
In 2023, HCA Healthcare experienced a third-party storage breach that exposed personal information for 11 million patients in 20 states. The leaked data included names, email addresses, birth dates, and other personally identifiable information (PII), prompting many class-action lawsuits.
Medibank (2022): Russian hackers associated with the REvil ransomware gang stole data from 9.7 million users, including prominent Australian politicians. The stolen data included patient names, birth dates, Social Security numbers, and medical records. Medibank refused to pay a $10 million ransom.
In 2022, a ransomware attack affected 3.3 million patients in Southern California. The breach exposed sensitive information such as Social Security numbers, diagnosis and treatment information, and Medicare ID numbers.
In 2023, Cerebral, a telehealth provider, installed tracking pixels from major tech companies on its applications, potentially exposing PHI to third parties. This incident affected 3.1 million patients and was a severe HIPAA violation.
Shields Health Care Group (2022): A cybercriminal gained unauthorised access to IT systems, compromising the PHI of nearly 2 million Massachusetts patients. The compromise impacted management and imaging services for around 50 healthcare providers.
Advocate Aurora Health (2022): Improper use of Meta Pixel on patient portals exposed data from 3 million patients in Wisconsin and Illinois. This incident sparked concerns about the widespread use of tracking pixels in healthcare.
In 2016, hackers gained access to sensitive patient data by breaching Banner Health's food and beverage payment processing system using malware. The intrusion went unnoticed for nearly a month and affected 3.7 million Arizona patients.
In 2015, 3.9 million patients' data in Indiana was compromised due to a brute-force attack, SQL injection, and malware, as reported in Medical Informatics Engineering. Hackers gained access to the company's network by using easily guessable login credentials.
Advocate Medical Group (2013): A series of breaches, involving physical theft of desktop computers, resulted in the exposure of 4 million patient records in Illinois. The stolen information contained patient names, credit card numbers, and health insurance information.
In 2014, an advanced persistent threat group from China breached Community Health Systems' network, exposing personal information of 4.5 million patients in 29 states.
Excellus Health Plan, Inc. (2015): A breach in 2013 jeopardised the data of 10 million New York clients. Although the data was encrypted, hackers gained access to administrative controls, rendering the encryption worthless.
UCLA Health (2014-2015): Hackers compromised systems containing health information, affecting 4.5 million California patients.
In 2014, a phishing email caused a breach affecting 11 million patients in Washington State, resulting in a $74 million settlement.
In 2018, the American Medical Collection Agency's internet payment interface was hacked, exposing patient data for at least 21 million individuals. The breach resulted in the company's bankruptcy and a $21 million settlement.
In 2015, Anthem, Inc. experienced the largest healthcare breach in history, resulting in the theft of approximately 79 million records through phishing and malware. Anthem's payments for the breach totalled $115 million.
In 2024, a ransomware attack by the BlackCat/AlphV group affected one-third of the US population. The organisation paid a $22 million ransom.
In 2023, Community Health Systems was targeted again, this time by the Cl0p ransomware group, affecting 1 million patients, following a breach in 2014.
MCNA Dental (2023): The LockBit ransomware gang exposed 8.9 million patients' data, resulting in various lawsuits in the US.
Managing cybersecurity risks in healthcare
Given the serious threats presented by cyberattacks, healthcare organisations must adopt a proactive cybersecurity strategy. Here's how senior executives can prepare their organisations:
Make cybersecurity a strategic priority by integrating it into the hospital's risk management and governance structures. It's more than just an IT problem; it's a patient safety issue and an essential component of providing high-quality treatment.
Designate a full-time leader with the necessary authority, position, and independence to spearhead successful cybersecurity programs. This leader should regularly brief the senior management team on the organisation's cyber risk profile and mitigation plans.
Invest in incident response capabilities: Healthcare organisations should constantly enhance their incident response capabilities. This includes preparing for worst-case scenarios, such as ransomware attacks, and ensuring that the organisation can continue operations while protecting patient safety during a cyber event.
Establish a cybersecurity culture that complements the organisation's patient care culture. Employees should be trained to see themselves as proactive defenders of patient data, and regular training on cybersecurity threats and best practices should be required.
Maintain robust technical controls: Secure all systems, including electronic health records and medical equipment, using up-to-date software, robust authentication mechanisms, and encryption. Conduct regular audits of these systems to discover and address vulnerabilities.
Prioritise compliance with HIPAA and other requirements to avoid harsh penalties. This involves safeguarding patient data, maintaining privacy, and ensuring that all cybersecurity measures adhere to regulatory norms.
Improve third-party security: Healthcare organisations frequently use third-party vendors, which can introduce additional vulnerabilities. Ensure that all third-party providers follow strict security protocols, and regularly monitor their compliance with these standards.
Don't forget to educate your patients and stakeholders, who are in regular communication with your institution. Hackers will send similar emails and other forms of communication to obtain their data or money. You do not want to be blamed by your loyal patients.
Cybersecurity in healthcare is a continuing battle that requires constant awareness, commitment, and a comprehensive strategy that includes all levels of the organisation. The stakes could hardly be greater, with healthcare breaches affecting over 187 million lives and causing financial losses of over $238 million. Healthcare organisations may safeguard their patients, data, and reputation from cyberattacks by elevating cybersecurity to a strategic priority, cultivating a culture of proactive defence, and establishing strong technical controls. The need to act is now, before the next major breach puts more lives in danger.