By nature, healthcare involves collecting and storing a large amount of personal and potentially sensitive data from patients. Every appointment, prescription and consultation is on file, and healthcare providers are instructed to be as detailed as possible in patient records. This medical data has been protected by federal law since the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996.[1]
With the rise of electronic health records, though, patient information is more vulnerable to cyber attacks. Healthcare data breaches compromise patients’ privacy and confidential information about their health, demographics, diagnoses and treatments. In addition, cybersecurity failures put a medical practice at risk for violating HIPAA compliance and have the potential to harm a physician’s or institution’s professional reputation.
Keep reading to uncover common cyber threats to healthcare and find ways to protect patients’ data.
Healthcare Cybersecurity Threats and Risks
Distributed denial-of-service (DDoS) attacks flood a computer network or server with requests, which slows the system down or even makes it inoperable.[3] For a hospital, this can delay patient admission processes and patient care.
With ransomware, hackers can disable medical devices like diagnostic tools and administrative systems, shutting them down so patients can no longer be treated properly.[4] Most of these security breaches are aimed at collecting protected health information for identity theft and other purposes, but they have other, larger consequences on medical systems, patient safety and care delivery as well.[5]
Regulations and Compliance
While HIPAA was passed before healthcare organizations primarily stored data electronically, the law is regularly updated to reflect changes in data storage and management. Multiple changes to the law were made in 2020 to cover electronic health records, along with how patients could manage their personal health information themselves.[6] Another overhaul is slated for the end of 2023, meaning healthcare agencies and anyone working on cybersecurity in this field should be familiar with the new regulations to avoid falling out of compliance.[7]
Despite its hypervigilance in certain areas, the United States does not have an all-encompassing cybersecurity law. There are industry-wide federal regulations, including HIPAA and similar standards in the financial industry, but each state sets its own privacy and security policies.[8]
To remain in compliance with statewide and federal data privacy regulations, healthcare agencies should have rigorous cybersecurity systems in place and conduct regular audits of them. They can also have a designated person on their IT and cybersecurity team who keeps track of regulatory updates and plans for these potential changes.
Securing Electronic Health Records (EHRs)
To protect private patient data, healthcare professionals must secure their patients’ electronic health records (EHRs).[9] These platforms contain identifying personal information like their name, address and date of birth. They also include a list of all diagnoses and notes from every medical visit.
Medical professionals should choose an EHR platform that is up to date, compliant with the latest regulations and conducts risk assessments regularly. They should regularly audit current processes and equipment and look for potential security threats, including insider threats. Insider threats are breaches that occur when someone on a company’s staff improperly accesses or shares data, whether it’s on purpose or not. Cybercriminals often target healthcare workers or third-party vendors because people in those roles are usually not trained in cybersecurity defenses and can be manipulated.[10]
Healthcare practitioners working with electronic protected health information need access controls, such as adding locks to server rooms and other devices in which sensitive data is stored.[11] They can protect electronic data with encryption and firewalls. Finally, each agency should back up critical systems and make sure to have data management protocols in place to limit non-essential access to patient data.
Network Security for Healthcare Facilities
With the rise of remote work and telehealth, healthcare professionals may be operating on a cloud-based network on which their devices are connected through virtual routers, firewalls and network management software instead of through a physical server. Their patients may also use connected medical devices such as insulin pumps, heart rate monitors and mobile devices that access EHRs. These systems are also vulnerable to ransomware and other malware attacks.
Healthcare cybersecurity professionals can protect data while allowing remote work by creating a security-based culture.[12] They should make sure each employee knows cybersecurity protocols, and keep updating them as needs evolve. To protect their network from attacks through mobile and medical devices, each device or app should be encrypted. Healthcare workers and employees should lock their workstations when stepping away from them, never share their passwords and only share EHRs and other sensitive data through encrypted platforms. Clear protocols and frequent training can help make each healthcare organization less susceptible to ransomware and other attacks.[13]
When a staff member’s term of employment ends, the IT team can prevent unauthorized access to networks by promptly disabling the departing person’s accounts within the business or practice and confiscating laptops, mobile devices and other company property.
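The two controls described above, limiting each role to the record sections it actually needs and cutting off a departing employee's access immediately, can be enforced in one place in application code. The following is an added example written for this page, not code from any EHR vendor or from the original article; the role names, record sections, users and patients are all constructed, and the "care team" rule (clinical staff may only read records of patients assigned to them) is an assumed policy. Every access attempt, allowed or denied, is written to an audit log so that an insider who probes records outside their assignment leaves a trail.

```python
"""Role-based, minimum-necessary access to EHR record sections with an audit trail.

Constructed example: roles, users, patients and record contents are all made up.
"""
from datetime import datetime, timezone

# Which record sections each role may read (assumed role names and sections).
ROLE_PERMISSIONS = {
    "physician": {"demographics", "diagnoses", "notes", "prescriptions"},
    "nurse": {"demographics", "prescriptions"},
    "billing": {"demographics"},
}
# Assumed policy: clinical roles must also be on the patient's care team.
CLINICAL_ROLES = {"physician", "nurse"}


class EhrStore:
    def __init__(self):
        self.users = {}      # username -> {"role": str, "active": bool}
        self.records = {}    # patient_id -> {"care_team": set, "sections": dict}
        self.audit_log = []  # one entry per access attempt, allowed or denied

    def add_user(self, username, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = {"role": role, "active": True}

    def deactivate_user(self, username):
        """Offboarding step: disable the account so every later access is denied."""
        user = self.users.get(username)
        if user is None:
            return False
        user["active"] = False
        return True

    def add_record(self, patient_id, care_team, sections):
        self.records[patient_id] = {"care_team": set(care_team), "sections": dict(sections)}

    def _authorize(self, username, patient_id, section):
        """Return None when access is allowed, otherwise the reason for denial."""
        user = self.users.get(username)
        if user is None or not user["active"]:
            return "account inactive or unknown"
        if section not in ROLE_PERMISSIONS[user["role"]]:
            return f"role {user['role']} may not read {section}"
        record = self.records.get(patient_id)
        if record is None:
            return "no such patient"
        if user["role"] in CLINICAL_ROLES and username not in record["care_team"]:
            return "not on care team"
        return None

    def read(self, username, patient_id, section):
        reason = self._authorize(username, patient_id, section)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "patient": patient_id, "section": section,
            "outcome": "allowed" if reason is None else "denied", "reason": reason,
        })
        if reason is not None:
            raise PermissionError(reason)
        return self.records[patient_id]["sections"][section]

    def denied_attempts(self, username):
        """Denied reads by one user: the signal an insider-threat review looks for."""
        return [e for e in self.audit_log if e["user"] == username and e["outcome"] == "denied"]


def build_demo_store():
    """Constructed users and patients for the demonstration below."""
    store = EhrStore()
    store.add_user("dr_lee", "physician")
    store.add_user("nurse_kim", "nurse")
    store.add_user("bill_ops", "billing")
    store.add_record("P-1001", care_team={"dr_lee", "nurse_kim"}, sections={
        "demographics": {"name": "Jane Doe (constructed)", "dob": "1980-01-01"},
        "diagnoses": ["example diagnosis"], "notes": ["follow-up in 6 weeks"],
        "prescriptions": ["example prescription"],
    })
    store.add_record("P-2002", care_team={"nurse_kim"}, sections={
        "demographics": {"name": "John Roe (constructed)", "dob": "1975-05-05"},
        "diagnoses": [], "notes": ["annual check-up"], "prescriptions": [],
    })
    return store


def run_demo():
    """Exercise the policy; returns the store and the outcome of each attempt."""
    store = build_demo_store()
    attempts = [("dr_lee", "P-1001", "diagnoses"),    # treating physician: allowed
                ("bill_ops", "P-1001", "diagnoses"),  # billing has no need for diagnoses
                ("bill_ops", "P-1001", "demographics"),
                ("dr_lee", "P-2002", "notes")]        # physician, but not this patient's
    outcomes = []
    for who, pid, sec in attempts:
        try:
            store.read(who, pid, sec)
            outcomes.append("allowed")
        except PermissionError as exc:
            outcomes.append(f"denied: {exc}")
    store.deactivate_user("dr_lee")  # dr_lee leaves the practice
    try:
        store.read("dr_lee", "P-1001", "diagnoses")
        outcomes.append("allowed")
    except PermissionError as exc:
        outcomes.append(f"denied: {exc}")
    return store, outcomes


if __name__ == "__main__":
    _, results = run_demo()
    for line in results:
        print(line)
```

Deactivating the account rather than deleting it keeps the user's history in the audit log, which matters during an investigation; a real deployment would also revoke active sessions and tokens, which this in-memory example does not model.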
Data Breach Response and Handling Security Incidents
For a more proactive approach, a healthcare organization’s cybersecurity team should set up data recovery and breach response protocols and procedures before a breach occurs. Standard procedures help ensure that the team knows what to do if they discover a breach, including how to communicate information about the breach to healthcare agency staff and patients.
These types of information security rules are usually led by a chief information officer or chief information security officer. The cybersecurity team should keep a hard copy of these procedures and store them in multiple locations in case IT workers cannot access the server.[14] These protocols should include steps to secure systems and fix issues that may have led to the breach.
If necessary, an agency may need to hire forensic investigators and other professionals to investigate the breach and develop a strategy to get its operating systems back to normal.[15] A forensic team can talk to the people who discovered the breach and get an idea of its potential depth. The healthcare agency may also need to set up a crisis team or dedicated hotline to field patient questions.
Cybersecurity Training and Awareness
Frequent training is key to minimizing cybersecurity risks. Cybersecurity training is a must for healthcare agencies’ onboarding process, and they should offer occasional refresher lessons for employees at various times throughout the year.
Another way for healthcare agencies to be proactive is to stay on top of new potential threats to patient privacy, such as phishing and smishing, and train employees as these threats pop up. Phishing is a ruse in which a cybercriminal sends an email that appears to be reputable asking someone to enter their username and password or give them access to confidential information. Smishing is the same type of scam, only the cybercriminals use text messages to try to access the information. Employees should be up to date on these risks, social media scams and other ways hackers could try to access sensitive patient data.
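The phishing and smishing signals described above (a sender that imitates the organization, a request for a username and password, and pressure to act quickly) can be turned into a simple scoring rule that a mail gateway or awareness tool applies before a message reaches staff. The block below is an added example written for this page, not code from the original article or from any vendor; the trusted domain `examplehealth.org`, the phrase lists, the sample messages and the threshold of two signals are all constructed assumptions. It scores an email and an SMS-style text with the same function, since smishing carries the same lures in a different channel.

```python
"""Heuristic scoring of a message for phishing/smishing signals.

Constructed example: the trusted domain, phrase lists, samples and threshold are assumptions.
"""
import re

TRUSTED_DOMAINS = {"examplehealth.org"}  # assumed: the organization's own mail domain

CREDENTIAL_PHRASES = ("verify your password", "enter your username", "confirm your login",
                      "update your credentials", "sign in to restore access")
URGENCY_PHRASES = ("within 24 hours", "immediately", "account will be suspended", "act now")
SUSPICIOUS_THRESHOLD = 2  # assumed: two or more signals flags the message


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1ehealth.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(sender):
    """Domain of 'Name <user@domain>' or 'user@domain'; None for a phone number (SMS)."""
    m = re.search(r"<([^>]+)>", sender)
    address = m.group(1) if m else sender.strip()
    return address.rsplit("@", 1)[1].lower() if "@" in address else None


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """True when the domain is not trusted but is within a few edits of a trusted one."""
    if domain in trusted:
        return False
    return any(edit_distance(domain, t) <= max_distance for t in trusted)


def link_domains(body):
    """Host part of every http(s) URL in the body."""
    return {host.lower() for host in re.findall(r"https?://([^/\s]+)", body)}


def score_message(sender, subject, body):
    """Return (score, reasons): one point per independent phishing signal found."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    domain = sender_domain(sender)
    if domain is not None and lookalike_domain(domain):
        reasons.append(f"sender domain {domain} looks like a trusted domain")
    if domain is not None and domain not in TRUSTED_DOMAINS:
        # Display name claims the organization while the address is not ours.
        display_name = sender.split("<")[0].lower()
        if any(t.split(".")[0] in display_name for t in TRUSTED_DOMAINS):
            reasons.append("display name impersonates the organization")
    if any(p in text for p in CREDENTIAL_PHRASES):
        reasons.append("asks for credentials")
    if any(p in text for p in URGENCY_PHRASES):
        reasons.append("pressures the reader with urgency")
    for host in link_domains(body):
        if lookalike_domain(host):
            reasons.append(f"link to lookalike domain {host}")
    return len(reasons), reasons


def classify(sender, subject, body):
    score, _ = score_message(sender, subject, body)
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"


# Constructed samples (no real senders, numbers or URLs).
PHISHING_SAMPLE = {
    "sender": "ExampleHealth IT Helpdesk <helpdesk@examp1ehealth.org>",
    "subject": "Action required: EHR password expiry",
    "body": "Your EHR access will be suspended within 24 hours. Verify your password at "
            "https://examp1ehealth.org/login to keep access.",
}
BENIGN_SAMPLE = {
    "sender": "Scheduling <scheduling@examplehealth.org>",
    "subject": "Clinic schedule for next week",
    "body": "The updated rota is posted on the intranet at https://examplehealth.org/rota.",
}
SMISHING_SAMPLE = {
    "sender": "+15550100",  # constructed SMS sender: no mail domain to check
    "subject": "",
    "body": "ExampleHealth: your account will be suspended. Confirm your login at "
            "https://examp1ehealth.org/sms",
}


if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("smishing", SMISHING_SAMPLE)):
        score, reasons = score_message(**msg)
        print(f"{name}: {classify(**msg)} (score {score}) {reasons}")
```

Heuristics like these catch the crude lures that training teaches staff to recognise; they are a complement to, not a substitute for, gateway controls such as SPF/DKIM/DMARC checks and URL reputation, and the phrase lists need maintaining as lures change.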
Healthcare agencies should strengthen their culture of security by hiring an information security officer and regularly updating their team about the importance of cybersecurity.[16]
Recent Healthcare Cybersecurity Incidents
In 2022, Australian insurer Medibank fell victim to a ransomware attack that compromised personal health information for 9.7 million people.[17] The breach is believed to be due to the theft of a high-level employee’s credentials.[18]
Medibank chose not to pay the money the cybercriminals demanded to put the system back online. The company had security protocols in place to recover its data. However, Medibank could suffer financial losses from class action lawsuits filed by patients who were angry over the theft of their medical records. This incident could have been prevented by educating employees about phishing scams and encouraging them never to share their personal data with anyone, even in circumstances that seem entirely innocent.
Third-Party Vendor Risk Management
Many healthcare facilities may be using third-party vendors for EHRs, medical devices and other aspects of the business. In looking to hire contractors, vendors and other partner companies, savvy security managers seek out organizations that are strongly committed to cybersecurity, know how to prevent scams and regularly update their own systems to protect sensitive data.
Healthcare agencies should investigate each potential vendor’s security protocols and preparation before doing business with them. They can conduct risk assessments of potential vendors before signing a contract.[19] This process can be time-consuming, but it helps mitigate the risk of security breaches.
If a healthcare agency has a risk management team on staff or a legal department, this team should look over all contracts with third-party vendors to identify potential risks.
Emerging Technologies and Cybersecurity
New technology, such as the Internet of Things (IoT), has the potential to improve the healthcare industry. IoT helps power interconnected devices, including wearable devices and other smart medical devices that may be used for diagnostics.
Because IoT devices connect to a healthcare organization’s main system, they pose security threats.[20] Healthcare IT professionals need to learn more about potential risks and evaluate the pros and cons of using new technology before widespread implementation.
Agencies may also use technology for telemedicine to conduct patient visits online. Telehealth platforms might be vulnerable to cyber attacks, which could compromise patients' sensitive information. If they’re using new technology, they need to perform a risk assessment and put procedures in place to identify and respond to data breaches.
Train to Fight Cyber Threats in the Healthcare Industry
If you’re ready to be part of the exciting world of cybersecurity for healthcare organizations, Yeshiva University's Katz School of Science and Health offers a comprehensive Online MS in Cybersecurity. Our top-ranked curriculum will prepare you for a career in this fast-growing field. Take advantage of courses from faculty with decades of IT experience and train to engage with new technologies such as AI and IoT.
Talk to an admissions outreach advisor to learn more about our program.
1. Retrieved on December 12, 2023, from hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
2. Retrieved on December 12, 2023, from umbrella.cisco.com/info/cybersecurity-threat-trends-report
3. Retrieved on December 12, 2023, from healthtechmagazine.net/article/2019/06/cryptomining-threats-grow-stronger-healthcare-organizations
4. Retrieved on December 12, 2023, from aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety
5. Retrieved on December 12, 2023, from techcrunch.com/2023/11/13/mclaren-cyberattack-millions-patients-ransomware/
6. Retrieved on December 12, 2023, from hipaajournal.com/new-hipaa-regulations/#newhipaaregulationsin2023
7. Retrieved on December 12, 2023, from hipaajournal.com/hipaa-updates-hipaa-changes/
8. Retrieved on December 12, 2023, from itgovernanceusa.com/federal-cybersecurity-and-privacy-laws
9. Retrieved on December 12, 2023, from revolve.healthcare/blog/patient-consent-and-digital-health-data-in-gdpr-and-hipaa-context
10. Retrieved on December 12, 2023, from healthcaredive.com/news/cyber-attacks-healthcare-scale-increase-critical-insights/691478/
11. Retrieved on December 12, 2023, from ncbi.nlm.nih.gov/pmc/articles/PMC5522514/
12. Retrieved on December 12, 2023, from healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
13. Retrieved on December 12, 2023, from himss.org/resources/taking-steps-prevent-rise-ransomware-attacks-healthcare
14. Retrieved on December 12, 2023, from ftc.gov/business-guidance/resources/data-breach-response-guide-business
15. Retrieved on December 12, 2023, from medpro.com/building-a-strong-security-culture-healthcare
16. Retrieved on December 12, 2023, from healthitsecurity.com/features/tackling-third-party-risk-management-tprm-challenges-in-healthcare
17. Retrieved on December 12, 2023, from upguard.com/blog/what-caused-the-medibank-data-breach
18. Retrieved on December 12, 2023, from reuters.com/business/finance/australia-regulator-asks-medibank-set-aside-167-mln-after-data-breach-2023-06-26/
19. Retrieved on December 12, 2023, from ncbi.nlm.nih.gov/pmc/articles/PMC7004290/
20. Retrieved on December 12, 2023, from cdotrends.com/story/17594/iot-security-giving-healthcare-heart-attacks