Why Healthcare is a Prime Target for Cyberattacks


    As healthcare moves inevitably towards greater digitization, ensuring the security of sensitive patient data has never been more critical. Unfortunately, the industry continues to face large-scale data breaches on a regular basis that compromise millions of records. For instance, the massive 2021 Accellion breach exposed over 82 million patients’ details from 200 healthcare organizations.

    More recently, in 2024 cybercriminals attacked MediSecure – one of Australia’s largest e-prescription platforms, gaining access to over 28 million prescription records containing names, addresses, dates of birth and Medicare numbers. In the United States, CommonSpirit Health also fell victim to a supply chain attack that year, resulting in 4.1 million patients having their health and financial information stolen.

    Statistics further underscore the severity of the situation, with the U.S. Department of Health and Human Services reporting over 365 healthcare data breaches in 2021 alone that impacted over 37 million people. The Ponemon Institute estimates the average cost of a medical record breach to be $250 per record in direct expenses and lost business.

    Beyond monetary damages or compliance penalties, these intrusions can deeply impact the trust between patients and their doctors. Furthermore, compromised identities in the hands of hackers pose serious risks of financial or medical fraud for innocent individuals.

    Why Healthcare Data Is the Holy Grail for Hackers

    In this age of digitization, few industries hold as much deeply personal data as healthcare. But all that sensitive information patients trust their doctors with has unfortunately made clinics, hospitals and healthcare providers prime pickup spots for opportunistic hackers.

    Lining pockets with pilfered patient records has become quite the profitable racket for cybercriminals aiming to exploit the systemic vulnerabilities plaguing this crucial sector.

    A complete medical dossier sold in the shady corners of the dark web can reel in hundreds for seemingly little effort. After all, a single file packed with names, addresses, birthdays and full medical histories goes for way more than your average 15-cent credit card.

    And that’s only the beginning of the mischief ill-intentioned types can get up to with another person’s stolen particulars in their clutches.

    Take, for example, submitting dummy documents to leech thousands from insurers for procedures never performed. And we haven’t even mentioned taking on a patient’s identity long-term for a life of law-skirting luxury.

    While healthcare providers do right by diligently aiding communities, their efforts involve compiling enormous dossiers that are too tasty a treat to leave out for tech-savvy troublemakers. Plus, all those internet-linked machines and underpaid IT staff scrambling to update every gadget’s outdated software only add to the ‘all-you-can-hack buffet’. It is no surprise that privacy-preserving practices became an afterthought for many an overburdened medical facility.

    Beyond all that, here are 5 major reasons healthcare is an all-time favorite for hackers:

    Healthcare Has a Wealth of Personal Information

    Healthcare records contain a wealth of personally identifiable information like patient name, address, date of birth, social security number, insurance details, etc. This type of data is invaluable to cybercriminals as it can be used to commit identity theft and open fraudulent accounts.

    Medical records often also contain sensitive financial information like credit card numbers and bank details that were used for payments. The diverse types of personal data aggregated in one place make healthcare records a “one-stop-shop” for criminals to exploit victims.

    Highly Sensitive Medical Intel Can Be Extremely Revealing

    Beyond personal details, medical records contain highly confidential information about patients’ health conditions, treatment histories, medications, diagnostic reports, lab test results, doctors’ notes, insurance claim records and more.

    Data like HIV/AIDS status, substance abuse, mental illness or sexual health are especially sensitive in nature. Hackers know they can fetch a high price by selling off this classified medical intelligence about individuals on the dark web markets. Even innocent details when pieced together can reveal a lot about one’s lifestyle and privacy.

    Long Shelf Life of Data

    Unlike stolen credit card numbers that expire fairly quickly, personal identifiers housed in medical records do not change over time. A date of birth, social security number or name will remain the same for life. This allows hackers to exploit and monetize healthcare data for many years into the future through resale or by supporting other forms of long-term fraud and crime. Even if the original data is years old, it can still be misused or, worse, used again by hackers for double extortion.

    Health Data is Worth 10x Payment Card Data

    Multiple research studies and reports from cybersecurity agencies have estimated that personal healthcare records fetch approximately 10 to 40 times higher valuation than a simple credit card number on underground marketplaces. This is because medical data bundles identity credentials together with sensitive health information, increasing its versatility and revenue potential for cybercriminals through complex scams.

    Large Attack Surface to Exploit for Hackers

    With the rapid digitalization of healthcare through electronic medical records, telehealth solutions, connected hospital equipment and remote monitoring technologies, there is a massive uptick in the ways patient data is stored, transmitted and accessed digitally. Each new node introduces new vulnerabilities that can potentially be leveraged by sophisticated hackers to infiltrate networks and extract valuable databases containing millions of records. This gives attackers an expanded attack surface to play on.

    Recent Healthcare Data Breaches and Cyberattacks

    Synnovis Cyberattack: London NHS Hospitals Disrupted (2024)

    In early June 2024, a ransomware attack crippled Synnovis, a pathology service provider for several NHS trusts in southeast London. This attack encrypted Synnovis’ IT systems, causing significant disruption to critical blood tests and other diagnostic services. The attack forced hospitals to postpone appointments and procedures, impacting patient care and highlighting the vulnerability of healthcare institutions to cyberattacks. The cyberattack was later attributed to Qilin (Agenda) ransomware.

    Ascension Cyberattack by Black Basta Ransomware (2024)

    In May 2024, Ascension, a large non-profit health system in the United States, fell victim to a cyberattack by the Black Basta ransomware group. The attack infiltrated Ascension’s IT systems, disrupting electronic health records, delaying medical procedures, and causing appointment rescheduling. The Black Basta ransomware encrypted Ascension’s data, potentially compromising sensitive patient information. This incident underscored the growing threat posed by ransomware attacks on critical healthcare infrastructure.

    MediSecure Data Breach (2024)

    This major ransomware attack targeted MediSecure – one of the largest electronic prescription providers in Australia, maintaining over 28 million prescription records. Hackers exploited vulnerabilities in a third-party vendor used by MediSecure to encrypt and lock down critical IT systems. Given the lengthy history of prescription data accumulated, this breach potentially exposed personal and medical details of millions of Australians. The incident highlighted gaps in vendor risk management and legacy systems in use.

    MetLife Data Breach (2023)

    MetLife suffered a breach when unauthorized actors gained access to servers hosted by an outsourcing partner, putting over 10 million customers’ records at risk of exposure. Compromised information spanned 19 years and included sensitive claims details, diagnoses, procedures, prescription drugs, dates of birth, addresses and social security numbers. MetLife is a multinational insurance giant dealing with both healthcare and non-healthcare information, indicating the far-reaching fallouts of such an intrusion.

    CommonSpirit Health Breach (2022)

    In a supply chain attack, cybercriminals accessed an IT vendor’s system to steal health and financial records of 4.1 million patients from CommonSpirit Health – one of the largest non-profit hospital chains. Details compromised encompassed names, medical record numbers, diagnoses, treatment codes, health insurance information as well as social security numbers in some cases. The attack once again spotlighted third-party risks in the healthcare ecosystem.

    Acclivis Technologies Data Breach (2022)

    Over 2.9 million patient records were pilfered after Acclivis, a US healthcare technology provider, experienced a security incident exposing names, dates of birth, phone numbers and diagnosis codes, besides other medical data. Investigations later linked the breach to a ransomware operation, driving Acclivis out of business. The diversity in victim profiles, from individuals to major corporations, highlights the far-reaching damages from healthcare cyber-intrusions.

    Taking a Defense-in-Depth Approach to Strengthen Healthcare Cybersecurity

    Deploying advanced security solutions

    Healthcare organizations should invest in cutting-edge cybersecurity technologies like Endpoint Detection & Response (EDR) solutions to detect anomalies indicating intrusions, Security Incident & Event Monitoring (SIEM) systems to correlate log events, Data Loss Prevention (DLP) tools to restrict data leakage, and User Behavior Analytics (UBA) to monitor risky user actions. Next-gen firewalls and anti-malware are also critical to filter threats effectively.

    Conducting rigorous vulnerability assessments and penetration testing

    Regular vulnerability scanning and red team penetration testing performed by accredited third-party security firms help identify weaknesses that hackers can exploit. Timely remediation of vulnerabilities is imperative to plug gaps before being targeted.

    Implementing strong access controls and multi-factor authentication

    Role-based access control with a least-privilege model and enforced MFA for both on-premise and cloud-based healthcare applications are fundamental to thwarting unauthorized access and internal compromises.

    Training all employees on cybersecurity best practices

    Implementing ongoing cyber awareness programs and mandatory training courses can significantly reduce the risk of phishing or accidental exposure of sensitive data. A security-oriented culture needs cultivation.

    Encrypting data stored, processed and transmitted across systems

    All sensitive data like medical records, radiology images, test results, backups, archives, databases, and communications must be encrypted both at rest and in transit using robust cryptographic protocols.

    Developing comprehensive incident response and disaster recovery plans

    Wargaming various breach scenarios through simulated exercises and establishing formal IR/DRP with designated response teams, communication protocols and disaster recovery sites are key to resilience.

    A well-structured incident response and disaster recovery program helps bolster resilience and minimize operational disruptions.

    Key elements that should be addressed include:

    • Establishing Response Teams: Designating team roles, 24/7 contact details, escalation protocols.
    • Conducting Simulation Exercises: Regularly testing incident handling through mock drills and tabletop tests.
    • Creating Response Playbooks: Documenting standardized procedures for various breach scenarios.
    • Securing Response Resources: Contracts with forensic firms, public relations agencies, legal counsel.
    • Leveraging Technology Aids: IR tools for evidence collection, ticketing, communications.
    • Establishing Recovery Strategies: Detailed plans for replacing/restoring systems, data and users.
    • Selecting Disaster Recovery Sites: Alternate locations, facilities, infrastructure for continuity.
    • Maintaining Business Continuity: Ensuring critical functions survive through redundant capabilities.
    • Reviewing and Updating Regularly

    Conclusion

    While the digitization of healthcare brings myriad benefits, it has also created new avenues for malicious cyber actors to threaten our sensitive patient information. As this trend accelerates, proactive measures must be taken to curb the targeting of the industry and safeguard individuals’ well-being, livelihoods and peace of mind.

    As custodians of invaluable personal data, organizations have a duty to both customers and communities to integrate security at the foundation of their systems. By investing in the right blend of technologies, training, policies and oversight, enterprises can make their networks significantly more resilient against evolving cyberattacks.

    Most importantly, we must continue our efforts with a spirit of collaboration – sharing threat intelligence, conducting security audits of third-parties, and holding leaders accountable for prioritizing this issue. Only through open cooperation between all stakeholders, from public and private sectors, can we truly make an impact.

    The challenges ahead are considerable, but so too is the opportunity to revolutionize security and regain the trust of those we serve. By firmly committing to this vision today, we can work towards a future where all may benefit from healthcare’s technological progress, while protected from the harms of digital exploitation. Our patients and their wellbeing must remain the north star guiding us forward.

    Until the whole healthcare house gets its cybersecurity act together with a makeover reflecting patients’ true information importance, expect its electronic entrances to remain gaping gates welcoming willing wrongdoers with willing wallets. Stricter security standards and digital defense overhauls can’t come soon enough for the sake of everyone’s well-being moving forward.
