American Healthcare Under Cyberattack: Why Cybersecurity is Important for the Healthcare Industry

July 10, 2024

American healthcare is a trillion-dollar industry that stands as one of the country’s most critical sectors. This prominence, in addition to the vast amount of money and data involved, makes it a prime target for cyberattacks – which are only growing in frequency and severity. 

In 2023 alone, healthcare-related cyberattacks rose 11% compared to 2022 and saw more than 133 million records compromised. This total includes more than 20 breaches that compromised anywhere from 1 million to 8 million records. Healthcare organizations face nearly 100 attacks every day, with the average cost of a breach nearing $11 million, making this an unprecedented area of critical need for cyber protection.

Healthcare Industry as a Prime Target for Cyberattacks

Why is the healthcare industry targeted so frequently? In short, it is primarily due to two factors: first, healthcare is a trillion-dollar industry that manages an incredible volume of sensitive information. Second, it is the type of data that matters, as healthcare providers have access to information that holds immense value on the black market and can be exploited for identity theft or financial fraud. Medical records such as sensitive patient biometrics, medical histories, and payment details command some of the highest ransoms on the black market, going for four times more money than social security numbers, and twenty times more than credit card information. Given the importance of the healthcare industry’s work, hospitals and other medical facilities can’t afford to be out of operation for long. If they suffer a data breach and private information is held at ransom, they may be more likely to pay to ensure services aren’t disrupted, as this can lead to life-threatening situations and even loss of life.

Further, the industry’s IT infrastructure is often complex, with numerous connected devices, outdated systems, and third-party vendors that make it easier for threat actors to exploit security gaps. The expansion of telehealth and remote services has expanded these vulnerabilities, as cybersecurity investments have not always kept pace with technological progress. For example, the Zoom hack during the COVID-19 aftermath caused much worry in terms of Zoom being used for telehealth privacy. Zoom paid an $85 million resulting lawsuit due to data leaked or sold by Zoom itself, and for allowing “zoom-bombing” hackers to exploit their systems. All these factors are compounded by the overall shortage of cybersecurity talent and a high number of users who may lack sufficient cyber awareness training.

Healthcare Cyberattacks on the Rise

The U.S. Department of Health and Human Services (HHS) announced that it is investing more than $50 million in a cybersecurity effort to create tools to help hospitals better defend themselves against these specific threats. In the last year alone, there have been major cyberattacks that underscore the need for an increased level of investment.

In February 2024, UnitedHealth Group faced an attack by the ransomware group BlackCat. The payment processor for UnitedHealth, Change Healthcare, was compromised and threatened with the leakage of stolen data and a network shutdown unless they paid a ransom – which Change Healthcare did to the tune of $22 million. With an estimate that one-third of Americans were impacted, the attack’s ripple effects could ultimately cost the organization more than $1.5 billion over time. 

In May 2024, the 140-hospital system Ascension was attacked and many of their electronic records and systems were compromised, which forced hospital staff to shift many medical operations and management to manual, non-electronic processes. The attack created inefficient processes and workflow errors, while patients were forced to mail payments and some patients were triaged to different hospitals.

In late 2023, the U.S. dental insurance company MCNA Dental suffered a ransomware attack that stole more than 700 gigabytes of sensitive patient data. The group demanded a $10 million ransom, and when the company did not pay, the hackers published the stolen data of 8.9 million individuals on the dark web, resulting in 11 lawsuits. 

In July 2023, hackers accessed names, email addresses, birth dates, and other sensitive information for more than 11 million patients treated through HCA Healthcare, a Tennessee-based hospital and clinic operator. The organization was accused of not encrypting patient data and taking other reasonable security procedures, which ultimately cost them more than $10 million.

Finding Solutions for Healthcare Cybersecurity

There is no single solution that offers complete protection from cyberattacks, but deploying a combination of strategies can significantly reduce the likelihood of an attack and its impacts.

As is stated in guidance by the National Institute of Standards and Technology (NIST), there are several ways that organizations can protect themselves through a multi-fold method that extends from casual system users to backend engineers. While NIST does not regulate “the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge,” it has created a best practices framework guidance.

By regularly training all employees in online best practices, companies can foster a more security-conscious culture. Giving some users “least privilege access” limits user permissions to essential roles, and using robust endpoint security measures can help safeguard devices. Advanced email filtering solutions block malicious content, and requiring multi-factor authentication adds an extra security layer. Implementing software and systems upgrades to ensure operations are up to date with the latest security patches to avoid vulnerabilities is critical. Network segmentation to isolate critical systems and sensitive data can minimize the impact of a breach. Regularly backing up critical data and testing these backups ensures quick recovery from attacks. And overall, developing and regularly updating a comprehensive incident response plan prepares organizations for potential threats before they happen, ensuring a more proactive than reactive approach to cyber threats.

Healthcare Cybersecurity Education

Capitol Technology University is a leading STEM institution with a strong history of cybersecurity higher education. We provide many degree program options to our students to cultivate a comprehensive foundation in cyber studies, including an online PhD in Healthcare Technology and PhD in Healthcare Cybersecurity – degrees meticulously designed to meet the constant growth and threats to our American healthcare industry. Education with Capitol Tech prepares you to protect sensitive patient data and medical systems from cyberattacks, helping to secure the future of the industry in this high-demand field. To learn more, contact our Admissions team or request more information.