Cybersecurity Risks in the Health Care Industry

What are the Recent Statistics Related to Cybersecurity?

Recently there has been a lot of news about cybercrime related to hospital IT systems. Here are some of the statistics related to healthcare cybersecurity.

  • 89% of organizations experienced a cyber-attack in the past year.
  • The average cost of a data breach is $10.1 million per incident. This is an increase of 9.4% from 2021.
  • Healthcare organizations lost $21 billion to ransomware attacks worldwide.
  • It takes on average 232 days to detect a breach and approximately 85 days to contain it.
  • Stolen health credentials are worth 10 to 20 times the worth of a credit card number.

What is even more concerning is that 57% of organizations reported poorer patient outcomes as a result of the attack and 27% reported higher mortality rates after experiencing a cyber-attack. Failure to be vigilant regarding cybersecurity has a high cost to human life.

What are the Cybersecurity Risks in the Health Care Industry?

The Growing Attack Surface

With the elimination of paper medical records, electronic health records reportedly increase the quality and efficiency of patient care as well as the productivity of employees. The shift has also increased the ability of hackers to attack healthcare service providers all over the world. Digitalizing health records will help in preventing these attacks, yet in many healthcare organizations investment in cybersecurity is still lagging. Organizations need to allocate additional resources for protecting their health records to avoid spending exorbitant amounts of money recovering if their systems are breached.

Outdated Medical Hardware and Software

Medical equipment is very expensive. Healthcare service providers must choose wisely how their limited resources are allocated. Some hospitals are using equipment that is outdated. Some equipment may be using software that is no longer supported by the manufacturers. This is true for the IT systems used by service providers as well. The 2017 WannaCry* attack, which infected many organizations, was able to spread using a known vulnerability associated with earlier versions of Windows (mostly Windows 7). Organizations that participate in CMS and comply with the Conditions of Participation must maintain a medical equipment inventory. These organizations should consider capturing the software specifications for this equipment within this inventory, to make it easier to check equipment when breach notifications and software retirement announcements are received.

*WannaCry is a ransomware worm that spread rapidly across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.
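The inventory check suggested above can be automated once software name and version are recorded per device. The following is an added example, not part of the original article; the asset names, notice format and field names are all constructed for illustration.

```python
from datetime import date

# Constructed sample inventory. "software" and "version" are the extra fields
# the paragraph suggests capturing; None means the field was never recorded.
INVENTORY = [
    {"asset": "INF-PUMP-014", "software": "Windows 7", "version": "6.1"},
    {"asset": "MRI-002", "software": "Windows 10", "version": "10.0.19045"},
    {"asset": "ECG-CART-07", "software": "VendorOS", "version": "2.3.1"},
    {"asset": "US-SCAN-03", "software": None, "version": None},
]

# Constructed notices in a hypothetical format. "below" is the first fixed
# version (None = every version); "retired" is the end-of-support date, if any.
NOTICES = [
    {"id": "NOTICE-A", "software": "Windows 7", "below": None,
     "retired": date(2020, 1, 14)},
    {"id": "NOTICE-B", "software": "VendorOS", "below": "2.4.0", "retired": None},
]

def parse_version(text):
    """'2.10.0' -> (2, 10, 0), so versions compare numerically, not as text."""
    return tuple(int(part) for part in text.split("."))

def notice_applies(device, notice):
    """True when the device runs the named software at an affected version."""
    if device["software"].casefold() != notice["software"].casefold():
        return False
    if notice["below"] is None:
        return True
    return parse_version(device["version"]) < parse_version(notice["below"])

def triage(inventory, notices, today):
    """Return (affected, unknown): matched devices and devices with no software data."""
    affected, unknown = [], []
    for device in inventory:
        if not device["software"] or not device["version"]:
            unknown.append(device["asset"])  # cannot be cleared; needs a manual check
            continue
        for notice in notices:
            if notice_applies(device, notice):
                retired = notice["retired"]
                reason = ("vulnerable version" if retired is None
                          else "unsupported" if retired <= today else "support ending")
                affected.append((device["asset"], notice["id"], reason))
    return affected, unknown

if __name__ == "__main__":
    print(triage(INVENTORY, NOTICES, date.today()))
```

Devices returned in the `unknown` list are the ones whose inventory entry lacks software details, which is exactly the gap the recommendation is meant to close.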

Small Healthcare Organizations' Struggles

Unfortunately, small health organizations do not always have the resources necessary to prevent cyber-attacks. Even though smaller organizations use electronic health records, keeping up to date with rapidly evolving attack vectors is difficult without the proper technology and finances. Small organizations need to consider allocating dollars in their budget each year to stay up to date with the latest equipment and software to avoid compromising their systems.

Interconnected Healthcare Systems

Attacks on small healthcare organizations rarely make the headlines, yet they may be far more numerous than reported. In addition, the interconnected nature of the healthcare industry may enable attackers to use these small service providers as a way to breach larger organizations.

Valuable Healthcare Data

Healthcare records are valuable to hackers. Medical records can be used multiple times and for multiple purposes. The extended lifetime of medical records, which can be as much as 20 years, has made them very valuable. Stringent IT auditing can help enhance the security of healthcare data. Auditing platforms on the market today can audit every configuration change made to multiple server components, including file servers, and track user permission changes, which can assist in finding out where there are breaches in the system.

Patient Portals 

Today, patients have greater access to, and more control of, their medical information. Allowing patients access to their medical data through patient portals is a growing trend, and while there are many benefits to this, it also increases the attack surface, as patients don’t necessarily protect their login credentials in the same way they might protect those for their bank accounts. Educate your patients about cybersecurity to avoid issues. Many systems are implementing Multi-Factor Authentication, otherwise known as MFA. This technology requires the user not only to enter their password, but also to enter a passcode that the system generates in real time and communicates to the user via an associated e-mail address, telephone number or text.
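The second step of the MFA flow described above, sketched as an added example that is not part of the original article. The six-digit length, five-minute lifetime, five-attempt limit and all function names are assumptions chosen for illustration; delivery by e-mail or text is left to the caller.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300  # assumption: a passcode is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: guesses allowed before the challenge is void

def _digest(salt, code):
    # Hashing keeps the plain passcode out of the session store; the short
    # lifetime and attempt limit are what stop guessing of a 6-digit value.
    return hashlib.sha256(salt + code.encode()).digest()

def issue_challenge(now):
    """Return (server-side record, passcode to deliver by e-mail, call or text)."""
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "digest": _digest(salt, code),
              "expires_at": now + CODE_TTL_SECONDS,
              "attempts_left": MAX_ATTEMPTS, "used": False}
    return record, code

def verify(record, submitted, now):
    """Check a submitted passcode; call only after the password step succeeded."""
    if record["used"] or now >= record["expires_at"]:
        return False
    if record["attempts_left"] <= 0:
        return False
    record["attempts_left"] -= 1  # count the attempt before comparing
    ok = hmac.compare_digest(record["digest"], _digest(record["salt"], submitted))
    if ok:
        record["used"] = True  # single use: a replayed code is rejected
    return ok

if __name__ == "__main__":
    import time
    rec, code = issue_challenge(time.time())
    print(verify(rec, code, time.time()), verify(rec, code, time.time()))
```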

Basic Cybersecurity Education is Lacking

Many organizations now employ IT personnel with specialized training in cybersecurity. Organizations need to ensure that these resources are also assigned to develop basic cybersecurity education for physicians, nurses, and administrators. Staff need to be aware of the early warning signals that occur when someone is attempting to breach or interrupt software systems and how to immediately report these occurrences. Adopting a “better safe than sorry” approach can help alleviate staff apprehensions about “looking silly” or being “ridiculed” for “not knowing” or over-reacting. Using everyday examples, such as your personal cell phone security and the amount of information contained within a cell phone, is a great way to make the subject matter meaningful to all. Today, almost every patient arrives at the healthcare organization with a cell phone in hand. Most organizations are certain to advise patients that they, the patient, are responsible for their personal belongings, but is there a lost opportunity here to teach patients about the importance of password protecting their devices as a means of protecting their personal/sensitive information?

No Clearly Defined Personnel in Charge of Cybersecurity

Some organizations do not have designated personnel who can manage cybersecurity operations. Accountability and facilitation of the necessary changes must be an organizational priority. Organizations need to define the hierarchy of users with associated privileged access to sensitive data. Users breaking this hierarchy need to be identified and the appropriate authorities notified in real time.

In summary, as you think about the risks mentioned above, think about the risks that your organization may have. This overview should stimulate discussion among the organization’s leaders and lead to discussions on how to prevent a cyber-attack from happening. Look for more information to come on what to do to prevent an attack on your organization.


To learn more about Cybersecurity risks in the health care industry contact the C&A team at 704-573-4535 or email us at info@courtemanche-assocs.com.
