Protecting the Healthcare Industry From Cyber Threats

The healthcare industry continues to embrace new technologies, which has positively impacted the care of patients. Artificial intelligence, machine learning and big data analytics assist with solutions to enhance healthcare delivery for remote patient monitoring, personalized medicine and early disease detection, to name a few. While these advancements help provide better overall health outcomes, they also have the side effect of increasing the attack surface through which threat actors can gain access to patient healthcare data.

Over the past few years, the healthcare sector has faced increased cybersecurity threats and severe data breaches. Statistics from the past two years paint a blunt picture of healthcare organizations’ challenges in protecting sensitive patient information in an evolving threat landscape.

A Surge in Data Breaches

2023 set a record with 725 reported data breaches, exposing over 133 million patient healthcare records. This was an increase from previous years, highlighting the growing occurrence of cyberattacks targeting healthcare institutions. Through 2024, approximately 500 reported breaches of PHI data occurred, with over 350 of those breaches involving healthcare providers. According to the US Department of Health and Human Services (HHS), over 60 million records were exposed in 2024, with the majority of these being the result of hacking and IT incidents.

One recent notable incident impacted Change Healthcare. In February, it experienced a cyber incident attributed to ALPHV, also known as the BlackCat ransomware group. BlackCat stole six terabytes of data, including sensitive personal information. Threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal.

Change Healthcare reported only 500 records to the HHS Office of Civil Rights (OCR) Breach List. In reality, the incident involved over four terabytes of exfiltrated data, representing PHI for ~100 million patients.

The Impact of Hacking and Ransomware

The number of ransomware incidents in the U.S. rose 18% in 2023, and the healthcare industry topped the list with 249 incidents. Hacking and ransomware attacks have emerged as prevalent threats. In 2023, hacking incidents accounted for nearly 80% of all reported breaches. This trend has not relented, with hacking and IT incidents comprising 77.78% of the breaches in the first half of 2024. These attacks not only compromise patient data but also disrupt patient care, leading to delays in treatment and increased risks to patient safety.

In 2023, ransomware attacks against U.S. hospitals delayed medical procedures, disrupted patient care through multiweek outages, diverted patients to other facilities, and forced medical appointments to be rescheduled, straining acute care provisioning and capacity. Healthcare organizations’ dependency on innovative technologies connected to the internet has increased the potential for access to large amounts of sensitive personally identifiable information (PII) and personal health information (PHI) data. Given the critical need for continuity of operations, the healthcare industry is highly vulnerable.

Mitigation and Future Outlook

Healthcare organizations must implement cybersecurity measures based on a thorough risk assessment, which is the foundation of an information security program. If expertise is needed to understand your current risk baseline, have a third party come in and provide guidance based on your business and its size, including where to remediate areas of weakness. Here are some recommendations to help combat these threats:

  • Review Your Business Resiliency Planning: Ensure patient care is uninterrupted, even during crises. Resilient systems should be able to adapt to disruptions, maintaining essential services and safeguarding patient healthcare.
  • Conduct a Review of Critical Third-Party Vendors: You rely on external providers for essential services, which means security vulnerabilities or compliance issues with these vendors can directly impact patient data privacy and operational continuity, and can lead to significant regulatory penalties because of the sensitive medical information they handle. A breach within a third-party vendor can easily compromise healthcare organizations.
  • Conduct a Cyber Insurance Review: 80% of insured companies experience a data breach with inadequate coverage, which means the organization covers a large portion of the costs itself. It’s important to have your coverage reviewed to ensure you have adequate cyber insurance to reduce organizational risk.
  • Retain Key Vendors for Incident Response: Having a vendor in place to triage incidents allows for a more effective response by ensuring immediate access to expertise and having an established working relationship. This minimizes the time spent sourcing new providers during a crisis and leads to a better mitigation approach as they understand your systems.
  • Plan Table-Top Exercises for Your Incident Response: These exercises allow you to identify weaknesses and gaps in your response plan in advance, test team roles and communication, and ultimately improve your organization's ability to effectively handle real-world security incidents. The first time is the worst time, and you don’t want to figure things out during an actual incident.

As cyber threats continue to evolve, healthcare organizations must remain proactive to safeguard patient data. Breach statistics and the impacts on patient care provide a glaring reminder of the critical importance of cybersecurity.

Author: Jason Spezzano, Executive Cybersecurity Advisor
