Preserving patient privacy has long been a concern for many organizations in healthcare, but are the stakes really much higher? With the increasing reliance on technology in healthcare, there is a corresponding increase in the risk of cyber attacks that can have serious consequences, including the theft of patient data, the disruption of healthcare services, and even loss of life. 

According to a recent study by Ponemon Institute, over 20% of healthcare organizations falling victim to a cyber attack experienced an increase in patient mortality rates. Delayed procedures and tests were the most commonly reported consequences of cyber attacks, along with longer patient stays.

Cybersecurity protections in healthcare have improved in recent years but the industry still trails e-commerce, financial services and government and remains significantly more vulnerable to data breaches.  In 2021, 66% of healthcare organizations were victims of ransomware attacks while other industry sectors saw a decline in ransomware attacks. Why?

The healthcare industry is a particularly attractive target for cyber criminals due to the sensitive nature of the information it handles. Patient data, including personal and financial information, is valuable to attackers who can sell it on the black market for identity theft and fraudulent insurance claims.

A major challenge in healthcare is the lack of proper security measures across a sprawling IT infrastructure that includes hundreds of systems, many of which are maintained externally by vendors. Up to 50% of medical imaging devices are running on unsupported operating systems, including Windows XP and Windows 7. Outdated systems are more vulnerable to cyber attacks, as they lack the necessary safeguards and updates to protect against new threats. 

In addition, the healthcare industry has a high rate of employee turnover, which can lead to a lack of knowledgeable staff who are able to properly secure and maintain systems. There is a high demand for qualified individuals to protect healthcare systems, but a lack of trained cybersecurity professionals to fill these roles. This shortage leaves many healthcare organizations understaffed and unable to effectively defend against cyber threats. Cybersecurity is a constantly evolving field, and it can be difficult for healthcare organizations to keep up with the latest threats and best practices. This can make it challenging to attract and retain staff with the necessary cybersecurity expertise.

Connected medical devices, also known as Internet of Things (IoT) devices, can pose a significant cybersecurity risk in the healthcare industry. These devices, which include everything from electronic health record systems and medical devices such as pacemakers and insulin pumps, to wearable fitness trackers and smart watches, are increasingly being used to monitor and track patient health and treatment.  However, these devices are often not designed with cybersecurity in mind and have vulnerabilities that can be exploited by cyber attackers. For example, some devices may have weak passwords or may not be properly secured against external threats. In addition, many devices may not receive regular software updates to fix known vulnerabilities, which can leave them open to attacks.

Despite these challenges, there are steps that healthcare organizations can take to improve their cybersecurity.  Some of the most effective measures CREO advises its clients to take include the following.

  1. Implement strong passwords and password management practices: Ensuring that all devices and systems have strong, unique passwords is essential for protecting against cyber attacks.
  2. Regularly update software: Keeping software up to date is important because it helps to fix known vulnerabilities and prevent attacks.
  3. Train staff on cybersecurity best practices: Educating staff about the importance of cybersecurity and how to identify and prevent potential attacks can help to reduce the risk of a breach.
  4. Implement access controls: Controlling who has access to sensitive patient data and systems is critical for preventing unauthorized access and protecting against cyber attacks.
  5. Use encryption: Encrypting sensitive data helps to protect it from unauthorized access and ensures that it is not compromised if a device or system is hacked.
  6. Implement multi-factor authentication: Adding an extra layer of security, such as requiring a second form of authentication (e.g., a code sent to a phone or email) can help to prevent unauthorized access.
  7. Conduct regular security audits and assessments: Regularly reviewing and testing the security of systems and devices can help to identify and fix vulnerabilities before they can be exploited.
  8. Work with cybersecurity experts: Partnering with cybersecurity experts or firms can provide valuable expertise and resources for protecting against cyber threats.

Overall, the state of cybersecurity in healthcare is a cause for concern that is likely to increase as cyber attackers aim to exploit vulnerabilities in the industry’s digital transformation. However, with the right measures in place, healthcare organizations can effectively protect themselves and their patients from cyber attacks.

Rett Summerville is the Director of Cybersecurity & Compliance at CREO and an expert IT security and risk management leader with over 20 years of experience in information security programs, integrated risk management, data privacy, IT quality, and regulatory compliance. He is passionate about helping organizations improve their cybersecurity maturity, effectively manage risks, improve security awareness, and maintain compliance.