Healthcare Cyber Threats: A Code Blue Emergency

Cyber threats to the healthcare industry continue to escalate. According to the World Economic Forum, the sector experienced an average of 1,684 attacks per week in Q1 2023 — a year-on-year increase of 22%.[1] Gauged by the number of data breaches, in 2022 U.S. healthcare was the most compromised of any industry for the third year in a row.[2]

This risk-laden state of affairs is reflected in Mimecast’s State of Email Security 2023 (SOES 23) report, based on a comprehensive survey of 1,700 companies in 13 countries and across 12 industrial sectors. For example, when asked how likely it was that their institution would be damaged in 2023 by an email-borne attack, 75% of the 184 healthcare respondents said that it was likely, extremely likely, or simply “inevitable”.

The inevitability of such attacks was on full display this summer, as hospitals and clinics in California, Connecticut, Pennsylvania, Rhode Island, and Texas all experienced cyberattacks. The early August incidents disrupted numerous computer systems, forcing emergency rooms to shut down and ambulances to be diverted.[3]

A High-Profile Target

Healthcare organizations are among the most targeted by cybercriminals due to the vast troves of high-value data they collect. Compared to stolen credit card numbers, pilfered health records can sell for 10 times or more on the dark web. That’s because, in addition to credit card and bank account numbers, these records often include protected health information (PHI), Social Security numbers, and other personally identifiable information (PII), which can be used for blackmail and identity theft. Other files containing proprietary medical research are also coveted by thieves, who then sell it on the black market. 

The industry, moreover, generates a staggering amount of data. A single hospital can produce as much as 50 petabytes per year, an incredibly large volume of information to store and protect.[4]

As a result, the cost of a data breach is higher for the healthcare sector than for any other industry and has increased for the 13th consecutive year, according to IBM’s 2023 Cost of a Data Breach Report.[5] The average cost for a healthcare industry intrusion was more than twice than the overall average at $10.93 million — an amount that has risen 53.3% over the past three years. It also takes longer for the healthcare sector to detect a breach — 231 days on average, compared to 204 days for all other industries combined. 

Phishing emails were the most common source of attack, accounting for 16% of the incidents that took place among healthcare providers.[6] More than half (56%) of SOES healthcare respondents reported a jump in the number of phishing attacks directed at their institution.

But ransomware is also a major threat to the industry. During the past year, eight out of 10 healthcare organizations were seriously harmed by a ransomware attack, according to the SOES 2023 report. The survey also found that nearly 48% of these companies have experienced an email-based threat that spread from one infected user to another. 

Lack of Preparedness

The consequences of these attacks are compounded by the industry’s lack of cyber vigilance. For instance, fewer than one-third (32%) of the SOES 2023 healthcare respondents said they have a system in place that monitors or protects against email-borne attacks, the lowest percentage among all industries except media and entertainment. 

The sector also spends less on cybersecurity than other industries. Fifty-two percent of the SOES participants overall allocate between 6% and 15% of their IT budget to cybersecurity, but only 37% of the SOES healthcare participants do the same — the lowest of any sector. The silver lining here is that the healthcare CISOs and other IT execs interviewed recognize that this is a problem: When asked how much of their organization’s IT budget should be allocated to data security, well over half (57%) said that the amount ought to be increased by an average of 12%.

In the U.S., at least, the government is also stepping in to help the sector improve its security posture. Earlier this year, the U.S. Department of Health and Human Services Cybersecurity Taskforce launched a free program to provide resources and training to help counter the onslaught of cyberthreats the industry faces.[7]

The Bottom Line

Cyberattacks against healthcare institutions continue to proliferate, even as the consequences of such attacks grow more dire. The industry, meanwhile, is struggling to keep pace with this scourge, although some efforts are underway to bolster the sector’s cyber resiliency. To learn more about how healthcare companies are coping with cyber threats, download Mimecast’s SOES 2023 report.

[1] “Healthcare cyber attacks are on the rise,” World Economic Forum

[2] “Identity Theft’s Resource Center’s 2022 Annual Data Breach Report Reveals Near-Record Number of Compromises,” Identity Theft Resource Center

[3] “Healthcare facilities see uptick in cyberattacks,” abc KSTP-TV

[4] “4 ways data is improving healthcare,” World Economic Forum

[5] “Cost of a Data Breach Report 2023,” IBM and Ponemon Institute

[6] Ibid

[7] “HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector,” U.S. Department of Health and Human Services