What Makes Healthcare So Attractive to Cybercriminals?
What’s your nightmare scenario? The question here isn’t about phobias about spiders or clowns, but instead: What’s the situation that keeps you up at night once it crawls into your mind and builds a nest there in your consciousness?
If you’re a security practitioner in the healthcare space, such insomnia-inducing scenarios are often cyberattacks—ones that not only endanger patient information like Social Security numbers and medical conditions but can result in longer patient stays or increased mortality risks.
In recent years, cyber criminals have increasingly targeted the healthcare sector like a nasty flu that just won’t quit.
By October 2023, approximately 87 million U.S. patients’ personal or confidential information was breached via a cyberattack on a healthcare organization, according to research from AtlasVPN. This statistic, compared to the approximately 37 million patients affected by breaches in healthcare, indicates a persistent and significant acceleration in attacks on the sector.
In May 2023, attackers used ransomware to access certain network storage devices for Norton Healthcare Inc., which offers healthcare services at more than 430 locations in Kentucky and Indiana, including eight hospitals. Ransomware is malware that encrypts a victim's files or systems and demands payment for the decryption key; many current ransomware operations also copy data out of the network before encrypting it and threaten to publish that data if the ransom is not paid.
The attack compromised confidential employee information as well as information about employees' dependents and approximately 2.5 million patients. Norton filed a notice of data breach with Maine's attorney general in December, roughly seven months after the incident was first discovered.
Patient data exposed in the attack included contact information, dates of birth, digital signatures, driver’s license numbers, financial information, health data, insurance information, medical identification numbers, and Social Security numbers—placing patients at greater risk of identity theft or fraud.
“Data is king, and data is key,” says Ferdinand Hamada, who supports healthcare clients dealing with cybersecurity risks as managing director for Morgan Franklin. “Healthcare as an industry has a lot of lucrative data.” That data translates to dollar signs for cyber criminals who are intending either to sell sensitive patient information on the black market or to hold it hostage for a ransom.
And unlike a credit card number or bank account information, healthcare information about patients cannot simply be canceled or reset within a few days.
“I can’t cancel my healthcare record. This is data that is persistent, it has all my sensitive data in there. I can’t just cancel all that and get a new one. That’s why it is so valuable to attackers—its persistent value going forward,” notes Mark Campbell, a senior director for data security solutions company Cigent.
That value is evident in the scale and volume of attacks. From 2018 to 2022, there was a 93 percent increase in the number of large breaches reported to the U.S. Department of Health and Human Services (HHS) by organizations in the healthcare industry, as well as a 278 percent increase in large breaches that involved ransomware within that same period.
However, cyberattacks can endanger more than just highly sensitive information. In November 2023, during Thanksgiving weekend in the United States, Ardent Health Services was hit with a ransomware attack that impacted 30 hospitals in six U.S. states. After the attack was detected on 23 November, the organization took its network offline proactively.
This meant that while Ardent was able to respond to the attack and mitigate its damage by suspending all user access to its information technology applications, it also meant that the health system had to divert ambulances from its hospitals and reschedule any nonemergency or elective appointments and procedures.
All this occurred during what is statistically a busier time for emergency rooms, with patient volumes increasing by an estimated 5 to 12 percent during this holiday.
Other healthcare services were impacted by the network's shutdown, including access to electronic medical records plus Ardent's patient portal. The portal provides patients with access to billing and financial statements, telehealth consultations, appointment requests, test results, and prescription information.
By 30 November, most impacted hospitals’ emergency rooms were again accepting ambulances under certain circumstances. (Patients in need of stroke or trauma care were redirected to other emergency rooms.) Access to electronic medical records was restored by 6 December, and on 19 December Ardent announced that nonemergency or elective procedures had resumed at all locations. Finally, on 9 January 2024, Ardent said that it had fully restored the patient portal.
Healthcare groups in other countries have been targeted too. In October 2023, healthcare facilities under Canadian service provider TransForm Shared Service Organization experienced a system outage triggered by a ransomware attack. Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hotel-Dieu Grace Healthcare, and Windsor Regional Hospital were targeted in the attack, which affected operations, patient information, and data about employees. In its investigation of the incident, which was supported by cybersecurity experts and law enforcement, TransForm determined that the attackers could potentially publish the stolen data online so it could be reused for nefarious purposes.
But again, beyond the exposure of information about patients and staff, patient services were also compromised. The hospitals reached out to patients to reschedule or redirect those who had appointments at these facilities days after the outage, according to a notice posted by TransForm.
Popular Attack Styles
Cloud compromises, business email compromise (BEC), ransomware, spear phishing, and supply chain attacks emerged as top cybersecurity threats to healthcare, according to a 2023 survey report from Proofpoint and the Ponemon Institute, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. These attacks can all impact patient care.
“Such disruptions include delays in procedures and tests that have resulted in poor outcomes, longer lengths of stay, increases in patients transferred or diverted to other facilities, increases in complications from medical procedures, and increases in mortality rates,” the survey found.
“It is literally life or death if you think about these patients who are not getting access to procedures or even medications if the systems are down. When you think about what happens in an event…that disruption can cost lives,” Campbell says.
All 653 of the IT and IT security practitioners in U.S. healthcare organizations who responded to the survey said they experienced at least one incident where data was either lost or exfiltrated.
Cyberattacks against healthcare organizations can also be layered, with different tactics amplifying or prolonging the damage. Of those organizations that experienced these attacks, 77 percent said that the supply chain attacks that disrupted patient care were followed by BEC and ransomware attacks, according to the survey.
One thing all the different types of attacks have in common is that they can impact patient safety and the level of care that healthcare facilities and employees can provide. On top of delays in conducting tests or medical procedures (like surgeries) and increased mortality rates among patients, every organization surveyed said that incidents involving data loss or exfiltration were linked to sensitive and confidential information.
Beyond the toll on human lives and personal information, these attacks also lead to increased costs for medical treatment and procedures.
“When you get these healthcare organizations that have to take away money from other things and spend it on paying for backup and recovery services, improved security controls, and paying ransomware, there’s a cost that gets passed along to the end user for this,” Cigent’s Campbell notes. “Who ultimately ends up paying for all this? That’s the consumer.”
Cloud compromises—where attackers take over a cloud account using stolen valid credentials to commit fraud and transfer sensitive data—were found to be the most common type of cybersecurity threat among the organizations surveyed. While 63 percent said their organizations experienced a cloud compromise, 74 percent said their organizations were vulnerable to such an attack.
Although cloud compromises were more likely to result in an increase in mortality rates, these attacks’ impact on patient care decreased from 2022 to 2023 (64 percent to 49 percent). These attacks can still significantly harm patients beyond a hospital room because healthcare organizations are moving more patient information to cloud services and storage.
When medical practitioners cannot access the patient information stored in a cloud, it can diminish the quality of care, resulting in increased complications or delayed treatment, while hospital or clinical staff wait for access to a cloud to get restored throughout an organization. And that time wasted waiting for the information can impact other services that healthcare workers rely on to treat patients, including laboratory testing, issuing medication, or deciding on a course of treatment.
Meanwhile, concerns about BEC and targeted phishing attacks have increased significantly, with 62 percent of respondents concerned compared to 46 percent in 2022, according to the Ponemon‒Proofpoint report. The concern is not without reason: the frequency of these attacks has increased from an average of four attacks per year to five during the past two years.
BEC attacks use email fraud to attack an organization, such as through invoice scams, spear phishing, or impersonating an organization’s authority figures like the CEO or an attorney. The majority of those impacted by a BEC attack (71 percent) said that the attack caused delays in procedures and tests, which in turn resulted in more severe illnesses or other poor outcomes for patients. Other effects on patients included longer hospital stays and an increased likelihood of complications from medical procedures.
While 63 percent of respondents indicated that their organization is vulnerable to a supply chain attack, less than half said that it was a concern to the organization. These attacks involve an attacker either impersonating a supplier or compromising an email account somewhere in the supply chain, typically at whichever point in the chain is least well defended.
Once the attacker has access to enough information about the supplier and its relationship to the healthcare organization, scenarios that appear legitimate can be used to fraudulently elicit assistance or information from employees of either the supplier or the healthcare company. Now, the door is open for an attacker to siphon funds or data or introduce malware into an organization’s system.
The majority of those affected by supply chain attacks (77 percent) said that patient care was impacted by the incident. Respondents said that these attacks resulted in delays in procedures and tests, longer stays for patients, increased complications from medical procedures, and transferring or rerouting patients to other facilities. In some instances, it was linked to an increased mortality rate.
While ransomware remains a popular keyword in news articles concerning cyberattacks, only 48 percent of survey respondents said that it was a concern for their organization. Hamada says that his clients at Morgan Franklin tend to discuss ransomware attacks and how to mitigate them, but he adds the caveat that this is likely due to heavy media reporting on such attacks.
Ransomware attacks, like other cyberattacks, affect patient care. Perhaps one of the most infamous examples of this was the 2017 attack that impacted the United Kingdom's National Health Service (NHS). WannaCry ransomware, a self-propagating worm that spread through the Windows SMBv1 flaw Microsoft had patched two months earlier (MS17-010), was used against organizations all over the world on 12 May 2017, and when more than 60 NHS facilities in England and Scotland were hit with the malware, patient care was significantly disrupted. Thousands of appointments were canceled, and ambulances were redirected to other facilities until 18 May. "Many facilities could not access patient records, which led to delays of non-urgent surgeries and cancelled patient appointments," according to an article published in the National Library of Medicine.
While it inconvenienced and endangered patients, this attack also cost the NHS £92 million ($116.7 million) by canceling tens of thousands of appointments.
Sometimes, the delays caused by an attack can contribute to deaths that occur weeks or months later, which makes clear statistics around the issue difficult to determine, as Politico noted. But there have also been instances where deaths were directly tied to a cyberattack. In 2020, an already difficult year for healthcare thanks to the COVID-19 pandemic, a ransomware attack against a German hospital forced its emergency department to turn away ambulances; a patient suffering from an aneurysm died after paramedics were rerouted to a more distant hospital.
That same year, Teiranni Kidd sued an Alabama hospital, blaming it for the death of her newborn. A cyberattack on the hospital precluded doctors from conducting prebirth testing that otherwise would have alerted them to the umbilical cord wrapped around the baby’s neck. Kidd claimed that the resulting brain damage and death of her child was due to the lack of testing.
Regardless of the amount of attention ransomware attacks garner, the healthcare industry remains an attractive target for them. In 2022, the FBI's Internet Crime Complaint Center logged 870 ransomware complaints from organizations in critical infrastructure sectors; the healthcare and public health sector accounted for the largest share, with 210 reports.
“The success of ransomware attacks is based upon the probability of that targeted organization both having the resources required to pay the ransom and then actually recovering from that ransom as it relates to decrypting those assets. …Based on those two things, the healthcare industry really checks the box, and cybercriminals are taking advantage,” says Morgan Franklin’s Hamada. “It’s a lucrative business. Healthcare is known to pay the ransom.”
Reacting with Resilience
Part of what makes the healthcare industry such an attractive target to cyber criminals is that organizations’ cybersecurity abilities tend to lag behind those in other sectors, such as the financial or pharmaceutical industries, according to Hamada.
Data from the Cyber Insecurity in Healthcare report supported this, with 47 percent of respondents saying that they do not have enough budget to support an effective cybersecurity posture. Other top challenges included a lack of in-house expertise (58 percent) and insufficient staffing (50 percent).
In addition, these budgeting and expertise issues filter down to other employees, who without support from a well-funded and knowledgeable cybersecurity department may be ignorant of current methods that cybercriminals are using to gain system access.
“Within the healthcare industry there are various attack vectors,” ranging from generic to highly targeted, Hamada says. And barraging an organization and its employees with various attacks is done in the realistic hope that someone will open the door to the criminal. Perhaps it’s an employee who clicked on a phishing link, believed that the CEO needed gift cards to pay for an essential business service, or fell for one of likely many attempts to introduce malicious software that gives the attacker access into a system or legitimate credentials.
Insider threats can also be a source of leaked credentials or malware introduced into a system. If employees leave computers with broad network access unlocked and available to people who have never been granted credentials for those network resources, that lapse can be just as dangerous as an advanced cyberattack. "Just because you're inside a facility and there's badge access, that doesn't mean that your systems are secure," Campbell says.
While budget woes may never go away, Hamada says that he urges his clients to focus more on cyber and operational resilience—concentrating on what to do if and when an organization’s network is breached.
“We need to make sure that we have an integrated approach to resilience across a hospital institution,” Hamada says. So, siloed security is strongly discouraged; instead, cybersecurity and physical security are encouraged to coordinate with all other departments.
This coordination means that when a breach is detected in a clinic or hospital’s system, everyone—from IT to the emergency room—knows what steps will be taken at the facility and how to mitigate risks to both information and patient safety.
Having a strong identity and access management (IAM) program in place can also mitigate risks, especially when supported by other verification tools, because healthcare facilities are often complex ecosystems with various types of workers occupying the same space. A teaching hospital encompasses doctors, nurses, administrators, teachers, students, patients, temporary workers, contractors, and more, and they all require access to different areas and materials.
“Really having a robust identity access management program that has the right governance and processes in place that go through the proper user access lifecycle and ensuring that access is appropriate per job responsibility…that is a fundamental type of program that’s needed for any hospital or healthcare institution,” Hamada says.
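The user access lifecycle Hamada describes (joiners, movers and leavers, with access kept in line with job responsibility) is usually enforced by periodically reconciling the HR system of record against what the directory actually grants. The script below is an added example, not code from the article or from any of the organizations it quotes. It reconciles a constructed HR roster against a constructed directory export and flags the four conditions an access review in a hospital most often turns up: accounts still enabled for terminated workers, entitlements a role should not hold (a medical student with clinical write access), accounts nobody in HR owns, and dormant accounts. The role-to-entitlement matrix, the worker and account records, and the 90-day dormancy threshold are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed role -> permitted-entitlement matrix. A real one is owned by the
# access governance process and reviewed by the clinical and business owners.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr-clinical-read", "ehr-clinical-write", "pharmacy-orders"},
    "billing-clerk": {"ehr-demographics-read", "billing-system"},
    "med-student": {"ehr-clinical-read"},
    "contractor-it": {"vpn", "server-admin"},
}


@dataclass(frozen=True)
class Worker:
    """One row from the HR system of record (constructed for this example)."""
    worker_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One row exported from the directory or IdP (constructed for this example)."""
    username: str
    worker_id: Optional[str]  # None when no HR record maps to the account
    enabled: bool
    entitlements: frozenset
    last_login: Optional[date]


def review_access(workers, accounts, today, dormant_after_days=90):
    """Reconcile directory accounts against HR and return sorted
    (username, issue, detail) findings for the access review."""
    hr = {w.worker_id: w for w in workers}
    findings = []
    for acct in accounts:
        worker = hr.get(acct.worker_id) if acct.worker_id else None
        if worker is None:
            # Nobody in HR owns this account: typical of stale vendor logins.
            findings.append((acct.username, "orphan-account", "no matching HR record"))
            continue
        if worker.status == "terminated":
            # Leaver: the account should have been disabled at offboarding.
            if acct.enabled:
                findings.append((acct.username, "leaver-still-enabled",
                                 f"HR status terminated, former role {worker.role}"))
            continue
        # Mover / least privilege: anything beyond the role's matrix is excess.
        excess = sorted(acct.entitlements - ROLE_ENTITLEMENTS.get(worker.role, set()))
        if excess:
            findings.append((acct.username, "excess-entitlement", ",".join(excess)))
        # Dormant but enabled accounts are a favourite foothold for credential theft.
        idle = acct.last_login is None or (today - acct.last_login).days > dormant_after_days
        if acct.enabled and idle:
            findings.append((acct.username, "dormant-account",
                             f"last login {acct.last_login or 'never'}"))
    return sorted(findings)


def sample_findings():
    """Run the review over a constructed roster and directory export."""
    today = date(2024, 1, 15)
    workers = [
        Worker("W1", "nurse", "active"),
        Worker("W2", "billing-clerk", "terminated"),
        Worker("W3", "med-student", "active"),
        Worker("W4", "contractor-it", "active"),
    ]
    accounts = [
        Account("jdoe", "W1", True,
                frozenset({"ehr-clinical-read", "ehr-clinical-write", "pharmacy-orders"}),
                date(2024, 1, 12)),
        Account("bsmith", "W2", True, frozenset({"billing-system"}), date(2023, 12, 6)),
        Account("student7", "W3", True,
                frozenset({"ehr-clinical-read", "ehr-clinical-write"}), date(2024, 1, 5)),
        Account("vendor-tmp", None, True, frozenset({"vpn", "server-admin"}), date(2023, 6, 29)),
        Account("contractor1", "W4", True, frozenset({"vpn"}), date(2023, 9, 17)),
    ]
    return review_access(workers, accounts, today)


if __name__ == "__main__":
    for username, issue, detail in sample_findings():
        print(f"{username:12} {issue:22} {detail}")
```

The nurse account `jdoe` produces no finding because its entitlements match the role matrix and it is in regular use; every other account is flagged for exactly one reason. In practice the findings feed a ticket or a certification campaign rather than automatic revocation, because a clinician locked out mid-shift is itself a patient-safety event.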
Campbell notes that resiliency can also be achieved by preparing for a cyberattack similarly to how an organization would prepare for a natural disaster and plan how to recover from such disasters. Developing responses, such as data recovery and restoring systems without reintroducing malware, can help an organization come back online more smoothly and faster.
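Restoring "without reintroducing malware" means being able to prove that what comes out of the backup is what went in, and that nothing was added, altered or removed in between. The script below is an added example, not code from the article or from Cigent. It hashes a snapshot into a manifest sealed with an HMAC whose key is assumed to be kept apart from the backups, then checks a restore set against that manifest and reports modified, unexpected and missing files, while refusing any manifest that fails the HMAC (an attacker who can edit the manifest could otherwise bless a dropped binary). The file tree, the stand-in binary contents and the key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(root: Path, key: bytes) -> bytes:
    """Hash the snapshot and seal the listing with an HMAC under `key`."""
    entries = _listing(root)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def verify_restore(root: Path, manifest: bytes, key: bytes) -> dict:
    """Compare a restore set against a sealed manifest.
    A manifest that fails the HMAC is rejected outright."""
    doc = json.loads(manifest)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"manifest_tampered": True, "modified": [], "unexpected": [], "missing": []}
    known, present = doc["entries"], _listing(root)
    return {
        "manifest_tampered": False,
        "modified": sorted(k for k in known if k in present and present[k] != known[k]),
        "unexpected": sorted(k for k in present if k not in known),
        "missing": sorted(k for k in known if k not in present),
    }


def demo() -> dict:
    """Constructed scenario: a clean snapshot, a tampered restore set,
    and a forged manifest that tries to legitimise the added file."""
    key = b"manifest-hmac-key-kept-offline"  # assumption: stored apart from backups
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "bin").mkdir()
        (root / "app" / "config.ini").write_text("db=prod\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF stand-in, not a real binary")
        manifest = build_manifest(root, key)
        clean = verify_restore(root, manifest, key)

        # Simulate a restore set touched by an intruder: config edited,
        # a dropper added, the legitimate service binary removed.
        (root / "app" / "config.ini").write_text("db=prod\nrun=evil\n")
        (root / "bin" / "dropper").write_bytes(b"MZ stand-in, not a real binary")
        (root / "bin" / "service").unlink()
        tampered = verify_restore(root, manifest, key)

        # Editing the manifest without the key does not help the intruder.
        doc = json.loads(manifest)
        doc["entries"]["bin/dropper"] = _sha256(root / "bin" / "dropper")
        forged = verify_restore(root, json.dumps(doc).encode(), key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check runs on the restore target before it is reconnected to the clinical network, and a non-empty `unexpected` or `modified` list stops the restore rather than merely logging it. Signing the manifest with an offline key is what turns a hash list into evidence: a ransomware crew that reaches the backup server can rewrite both the files and an unprotected manifest.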
“The best defense is to make it harder and to make it not worth the money or the effort that these attackers are using,” Campbell notes.
Along with a strong foundation in managing access control and verifying staff and contractors' identities, basic practices can make it harder for attacks to succeed: training employees to recognize phishing emails, routine workstation hygiene such as locking a computer whenever an employee steps away from it, and discouraging the use of personal devices to reach the organization's network.
U.S. healthcare organizations do have some support available to them from federal agencies, notably a toolkit produced by the U.S. Cybersecurity and Infrastructure Security Agency, HHS, and the Health Sector Coordinating Council Cybersecurity Working Group. While stressing fundamental cyber-hygiene efforts that apply to every industry, the toolkit also offers healthcare and public health organizations a foundation for a cybersecurity program that organizations can build upon.
Sara Mosqueda is associate editor for Security Management. Connect with her on LinkedIn or on X, @XimenaWrites.