This is Part 2 of a 2-part series on cyber attacks in the healthcare industry and the steps to take to protect your healthcare organization from them. Part 1, “Understanding Cyber Attacks: A Growing Threat for the Healthcare Industry,” covered the growth of cyber attacks on the healthcare industry, why the industry is being targeted, and the vulnerabilities that make it prone to cyber attacks.

Why are Cyber Attacks such a big Problem for Healthcare?

Cyber attacks are a big problem for healthcare due to the significant negative impacts they can have on a healthcare organization and the industry as a whole. These include:

  • Breach of privacy: when a cyber attack results in a data breach, patients’ protected health information (PHI) is exposed and their privacy is breached. For a healthcare organization this has many ripple effects, including possible lawsuits from patients, HIPAA fines for violations, and a loss of confidence in the organization that can cost it prospective patients. All of these hurt the organization’s bottom line.
  • Reduced patient safety: cyber attacks that shut down hospital Electronic Health Records (EHRs) increase the risk to patient safety, because without access to these records patients can be treated improperly. If medical devices such as MRI machines, ventilators, and infusion pumps are attacked, misdiagnoses, improper treatment, and deaths can result.
  • Disruption of services: a cyber attack can incapacitate a healthcare facility, shutting down its systems so that it cannot function. The National Audit Office’s investigation into the WannaCry attack on the NHS found that 34 trusts were infected and locked out of their devices and a further 46 were not infected but reported disruption. At least 6,912 appointments were cancelled as a result, and the NAO estimated that more than 19,000 appointments were cancelled in total, based on the normal ratio of follow‑up appointments to first appointments.
  • Financial loss: this is a significant part of the burden cyber attacks place on healthcare facilities. Fines for HIPAA violations may be one of the main financial losses associated with breaches of PHI resulting from a cyber attack. On May 6, 2019, the US Department of Health and Human Services (HHS) announced that Touchstone Medical Imaging would pay the HHS Office for Civil Rights (OCR) $3,000,000 to settle HIPAA violations arising from a data breach that exposed the PHI of 300,000 patients. This is a large sum for a single breach, and the total would grow with every further breach. Some facilities choose to pay ransom demands rather than leave their systems down for an extended period. In June 2019 it was reported that NEO Urology in Boardman, Ohio paid attackers $75,000 in Bitcoin to unlock a computer system that had been hacked and had all of its data encrypted. The system was reportedly held hostage for three days, and the organization told police it was losing between $30,000 and $50,000 per day. Paying is itself a gamble, since payment does not guarantee that the attackers will supply a working decryption key. Financial loss can also result from lawsuits by patients whose PHI was exposed and from loss of business following a loss of confidence in the organization.
  • Damage to reputation: data breaches can damage the reputation of a healthcare organization especially if these breaches occur relatively frequently. People will eventually lose trust in an organization if they are not confident that their PHI will be secure. This will lead to a loss of business and financial loss which can ruin an organization.

What are the Key Strategies to Cyber Secure your Healthcare Organization?

As demonstrated above, cyber attacks create huge problems for healthcare organizations, so making your organization cyber secure by implementing cyber attack and data breach prevention strategies should be a priority for every player in the healthcare industry. While some cyber attacks and data breaches may ultimately be unavoidable, vigilance and well-implemented mitigation strategies are critical to keeping a healthcare organization secure. Below are the key components of a cyber secure healthcare organization:

  1. Financial investment: make cybersecurity a major line item in the budget. Keeping on top of current and emerging cybersecurity threats costs money.
  2. Human resource investment: hire highly trained and qualified individuals to run and secure the IT infrastructure. Also, ensure continuous training of IT staff so that they can handle new and emerging cyber threats.
  3. Network and infrastructure: invest in up-to-date computer hardware and software running supported versions of Microsoft Windows. Additionally, consider technical defensive measures such as network segmentation, firewalls, next-generation firewalls/unified threat management gateways, anti-malware solutions, anti-phishing solutions, encryption technologies, breach detection systems (BDS), vulnerability scanners, and deception technologies. Segmentation matters most for medical devices that cannot be patched promptly, because it limits how far malware can spread from a compromised device.
  4. Threat modelling and risk assessment: develop a method for assessing the overall security of your organization’s IT infrastructure by systematically identifying, classifying, and quantifying the risk presented by each threat evaluated. Conduct self-audits, penetration tests, and risk assessments to find the vulnerable points in your IT systems and the places where data could be exposed. Implement measures to reduce or eliminate the risks identified, and ensure that all endpoints are adequately protected.
  5. System updates: update all systems regularly with the latest patches, prioritizing fixes for vulnerabilities that are being actively exploited. Where a medical device cannot be patched until its manufacturer has validated the update, apply compensating controls such as segmentation in the meantime.
  6. Policies, procedures, regulations, and standards: develop, implement, and ensure adherence to IT policies and procedures. Institute a bring your own device (BYOD) policy that covers areas such as connecting personal devices to the organization’s network and transferring sensitive information to personal devices. Ensure that your organization is in compliance with all the regulations and standards that govern the healthcare industry.
  7. Training: staff must be adequately trained in, and knowledgeable of, the organization’s IT policies and procedures, which must be enforced. Additionally, conduct regular social engineering awareness training so that staff can recognize phishing and other attempts to manipulate them.
  8. Develop a security strategy: the organization should develop a security strategy that brings together all the components that govern and impact IT security. It should include an incident response protocol that stipulates how all employees ought to respond should they either discover a security breach or receive a report of a breach. A pre-established incident response team should also be in place that can be quickly mobilized in case of a breach. This team can be composed of members from different functions such as technical, risk management, compliance, human resources, legal, public relations and executive management.
  9. Implement vendor and third-party risk management programs: these can include purchasing medical devices only from manufacturers who put their products through rigorous security assessment during design and manufacture; performing risk assessments on all vendors and suppliers; and identifying the third-party software in use and subjecting it to security and vulnerability testing before relying on it.
  10. Technological investments: invest in technology to help monitor your IT systems for potential threats and to help you recover once a breach has occurred. Technologies exist that can identify and encrypt unprotected files, search your systems for sensitive data and quantify the data that may be at risk, continuously monitor systems for suspicious activity, and protect endpoints from compromise. It is also possible to monitor the Dark Web to ascertain which records have already been compromised, and what steps to take to recover, if your system has already been breached.

Cyber attacks on the healthcare industry are growing. They disrupt services, they are expensive, they damage an organization’s reputation, and recovering from an attack can be difficult. However, you can take steps to cyber secure your healthcare organization by implementing the 10 strategies listed above. These will put you ahead of the game and help you prevent, or at least minimize the effect of, a cyber attack.

To learn more about simple Healthcare compliance and managing data risk security from cyber attacks, download the playbook here.


This is Part 1 of a 2-part series addressing cyber attacks in the healthcare industry and key strategies to employ in ensuring that your systems are protected.

As the world becomes more technology driven, there has been a corresponding rise in cyber attacks on technological systems, and cybersecurity has become of paramount importance. The healthcare industry is no exception, experiencing ransomware, data breaches, distributed denial of service (DDoS) attacks, insider threats, and business email compromise and fraud scams, according to an article by the Center for Internet Security.

The prevalence of these attacks in healthcare is increasing. The Cylance Annual Threat Report for 2017 noted that ransomware was the major cause of cyber attacks that year, increasing 3-fold during the year and impacting the healthcare industry the most. According to the Health Information Trust Alliance (HITRUST), the number of ransomware families has been increasing since 2012, with an increase of over 700% from 2015 to 2016 and a further 32% increase in 2017 over 2016 (Figure 1).

Data from the Privacy Rights Clearinghouse showed that, among hacking breaches publicly reported in 2018, the healthcare industry was significantly more affected than other industries (Figure 2).

BSF: Businesses – Financial and Insurance Services
BSO: Businesses – Other
BSR: Businesses – Retail/Merchant – Including Online Retail
EDU: Educational Institutions
GOV: Government and Military
MED: Healthcare, Medical Providers and Medical Insurance Services

In May 2017, the now infamous WannaCry ransomware was unleashed globally, encrypting data and/or shutting down computers in countries around the world. Hospitals across the National Health Service (NHS) in the United Kingdom were significantly impacted: at least 80 of the 236 trusts across England were affected, and a further 603 primary care and other NHS organizations were infected, according to an investigation carried out by the National Audit Office.

Today, WannaCry is still active and spreading, as a survey conducted by the internet of things security company Armis found:

  • 103 countries are still impacted
  • Over 145,000 devices worldwide are compromised
  • At least 3,500 successful WannaCry attacks per hour, worldwide
  • 22% of Internet service providers (ISPs) have customers impacted by WannaCry
  • 60% of manufacturing organizations and 40% of healthcare organizations suffered a WannaCry attack in the past six months

Why is the Healthcare Industry being Targeted?

As previously stated, the healthcare industry is being increasingly targeted in cyber attacks, primarily because of the information it holds. The main motivation behind cyber attacks in healthcare is financial gain, as patient medical information is very lucrative on the Dark Web. According to reports, medical records can be much more valuable to criminals than financial data, worth as much as ten times more than credit card numbers. A global study conducted between February 2017 and April 2018 by the Ponemon Institute on behalf of IBM Security found that healthcare data breaches were the most expensive to resolve, costing an average of $408 per record compared to $206 per record for financial services data breaches.

“Healthcare providers such as hospitals are highly visible targets and attacks against them will be high impact, which in itself is a key motivator for many of these perpetrators. Disruptive attacks can disable, sabotage, or knock offline critical systems inside a hospital. The health and safety of vulnerable patients suffer as a result.”

– HITRUST Report

Stolen patient information can be used to create fake credit cards, obtain medical services, and commit insurance fraud, among other things. It also usually takes some time for a patient to realize their identity has been stolen, which gives criminals time to carry out their activities. This contrasts with stolen financial data, whose theft is usually detected quickly.

The unique nature of healthcare also makes it an easy target for quick money as some leaders prefer to pay the ransom demands to get their systems back online after a ransomware attack, as the inability to access systems and patient data can be literally a matter of life and death.

What makes the Healthcare Industry so Vulnerable to Cyber Attacks?

Healthcare organizations are particularly vulnerable to cyber attacks for various reasons. Coventry and Branley (2018), in a review of trends and threats to cybersecurity in healthcare, noted that traditionally no one believed healthcare systems would be attacked, so protective measures were not seen as important. They found that vulnerabilities in the healthcare industry originate from increased technological connectivity, more continuous monitoring of patients outside the clinical environment, and the widespread use of mobile consumer devices. Further vulnerabilities arise from the increased use of technology in healthcare generally, legacy systems running unsupported versions of Microsoft Windows, systems not updated to plug known vulnerabilities, and inadequate security mitigation policies.


Traditionally, healthcare was mainly paper based with health records kept in a file room only accessible by authorized personnel. However, healthcare is following the lead of other industries and is increasing its use of technology. Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act which was signed into law in 2009, promotes the adoption and meaningful use of health information technology, particularly electronic health records (EHR) whose adoption has been incentivized. Federal policies like these are driving technological advancement in healthcare. While this is great for improved patient care, it also opens the door for security vulnerabilities and possible hacking by unscrupulous individuals.


The healthcare landscape is becoming more and more connected technologically as providers seek better ways of caring for patients, especially those with chronic conditions. There is a myriad of medical devices being used to monitor and care for patients, extending lives and improving quality of life. In the past these devices were stand-alone systems but are now becoming interconnected through an organization’s network, making them potential points of vulnerability for cyber attacks.


The use of mobile technology in healthcare is increasing, with smartphones and wearable devices being used by individuals to monitor medical conditions or just their general health. This presents another area of vulnerability, as these general-purpose devices now hold protected health information (PHI) that could easily be exposed in a breach.

90% of healthcare IT decision makers “plan to implement or are currently implementing a mobile device initiative as a way to improve patient care, facilitate efficiencies within care teams or both.”



The rapid rise in the use of technology in healthcare has left many healthcare organizations struggling with old legacy systems, as investment in cybersecurity has not kept up with emerging technologies. Additionally, the focus of healthcare is on patient care, which at times causes other areas such as technology to be left lagging. WannaCry spreads through a vulnerability in the SMBv1 file-sharing protocol that Microsoft had patched in March 2017 (MS17-010), two months before the outbreak; the systems affected were running Windows versions that either had not received that patch or were no longer supported by Microsoft and so could not receive it. A cybersecurity survey by Infoblox found that 22% of healthcare IT professionals reported having Windows 7 in their organizations (its extended support ended in January 2020) and 20% reported that Windows XP, which Microsoft stopped supporting in 2014, was operating on their network. The survey also found medical equipment such as MRI scanners operating on these outdated systems. Equipment running a vulnerable operating system is easily exploited by malware once it has been introduced into the network.


Even where the systems in use are supported by Microsoft, updating them and plugging known vulnerabilities is often a challenge. In our experience, businesses routinely scan their networks and systems for vulnerabilities but fail to apply the required fixes or patches in a timely manner. Many patches and updates can be applied automatically, but on some networks and systems this still has to be done manually. At times specific remediation steps must also be followed, which requires staff with the proper knowledge to execute them.
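The two problems described in this section, unsupported operating systems and patches that are scanned for but never applied, are exactly what strategies 3, 4 and 5 in Part 2 (supported versions, risk-ranked assessment, timely patching and segmentation) are meant to address. The following Python script is an added example, not code from the original article or from any product it mentions, showing how a practitioner can turn an inventory export into a ranked list of hosts to patch, migrate or isolate. The inventory format, hostnames, dates, patch SLA and scoring weights are assumptions made for this illustration; the end-of-support dates are Microsoft's published lifecycle dates.

```python
"""Triage a host inventory for legacy-OS and patch-lag risk.

Reads a constructed inventory export, flags hosts whose OS is past (or
approaching) vendor end of support or that have exceeded a patching SLA,
scores each host so that exposed medical devices float to the top, and
recommends an action, including compensating controls (segmentation)
where the device cannot simply be patched.
"""
import csv
import io
from datetime import date

# Microsoft end-of-extended-support dates (published lifecycle facts).
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
}

# Policy values: assumptions for this example, not figures from the article.
PATCH_SLA_DAYS = 30       # patches must be applied within 30 days
EOL_WARNING_DAYS = 365    # warn when support ends within a year
AS_OF = date(2019, 6, 30) # fixed assessment date so results are reproducible

# Constructed inventory export; every host, OS and date below is made up.
SAMPLE_INVENTORY = """host,type,os,last_patched,segmented
mri-01,medical_device,Windows XP,2016-03-01,no
ehr-db-01,server,Windows Server 2008 R2,2019-05-20,yes
ws-nurse-12,workstation,Windows 7,2019-02-10,no
ws-admin-03,workstation,Windows 10,2019-06-15,yes
pump-gw-02,medical_device,Windows 7,2018-11-30,yes
"""


def assess_host(row, as_of):
    """Score one host; a higher score means act on it sooner."""
    eol = OS_END_OF_SUPPORT.get(row["os"])
    unsupported = eol is not None and eol <= as_of
    approaching = (eol is not None and not unsupported
                   and (eol - as_of).days <= EOL_WARNING_DAYS)
    patch_age = (as_of - date.fromisoformat(row["last_patched"])).days
    medical = row["type"] == "medical_device"
    segmented = row["segmented"].strip().lower() == "yes"

    score, findings = 0, []
    if eol is None:
        findings.append("OS not in lifecycle table; verify support status manually")
    elif unsupported:
        score += 5
        findings.append(f"OS unsupported since {eol.isoformat()}")
    elif approaching:
        score += 2
        findings.append(f"OS support ends {eol.isoformat()}")
    if patch_age > 2 * PATCH_SLA_DAYS:
        score += 5
        findings.append(f"{patch_age} days since last patch (SLA {PATCH_SLA_DAYS})")
    elif patch_age > PATCH_SLA_DAYS:
        score += 3
        findings.append(f"{patch_age} days since last patch (SLA {PATCH_SLA_DAYS})")
    if medical:
        score += 3  # disruption of this device is a patient-safety issue
    if not segmented:
        score += 2  # a flat network lets worm-style malware reach the host

    if unsupported and medical:
        action = ("isolate on a dedicated network segment, block SMB/RDP into it, "
                  "and pursue a vendor-validated upgrade or replacement")
    elif unsupported:
        action = "migrate to a supported OS; keep the host segmented until migrated"
    elif patch_age > PATCH_SLA_DAYS:
        action = "apply outstanding patches"
        if medical:
            action += " through the manufacturer's validated update process"
    elif approaching:
        action = f"schedule OS migration before {eol.isoformat()}"
    else:
        action = "compliant; keep on the regular patch cadence"
    return {"host": row["host"], "score": score,
            "findings": findings, "action": action}


def triage(inventory_csv, as_of):
    """Assess every host in a CSV export and rank them, riskiest first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return sorted((assess_host(r, as_of) for r in rows),
                  key=lambda r: r["score"], reverse=True)


def triage_sample():
    """Run the triage over the constructed inventory at the fixed date."""
    return triage(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for r in triage_sample():
        print(f"{r['score']:>2}  {r['host']:<12} {r['action']}")
        for finding in r["findings"]:
            print(f"      - {finding}")
```

The scoring is deliberately simple so that it can be argued about in a risk review: unsupported OS and long patch lag weigh most, a medical device adds weight for patient-safety impact, and an unsegmented host adds weight because it is reachable by the kind of worm that WannaCry is. The output is a ranked worklist rather than a pass/fail result, which is what a resource-constrained IT team needs when it cannot fix everything at once.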


Maintaining a secure cyber environment is a huge task, especially in the current environment of new and varied threats. This is another area that some healthcare organizations struggle with, as shown by the Infoblox survey, which found that 15% of UK healthcare IT professionals and 11% of their US counterparts did not believe that their current security policy for newly connected devices was effective. This led the authors to surmise that hospitals and health centres may be rapidly adopting new connected devices without due care and attention being paid to security policies.

The threat to the healthcare industry from cyber attacks is real and growing. Healthcare organizations need to understand these threats, realize what is at risk, know where their vulnerabilities are, and take proactive steps to protect themselves. There are many innovations on the market to help healthcare organizations continuously monitor and protect their systems from cyber attacks, as well as to help them recover in the event of a breach. Part 2 of this blog series (Addressing Cyber Attacks: 10 Key Strategies to Cyber Secure your Healthcare Organization) explores key strategies and practical how-to solutions that can better prepare your healthcare organization against cyber attacks, ransomware, and data theft.

Download the Playbook for Corporate Compliance in Healthcare for a step-by-step guide for compliance and data risk security.