Healthcare Faces Unrelenting Cybersecurity Challenges

Cyberattacks on the healthcare industry hit an all-time high in 2021.[1] According to the World Economic Forum (WEF), attacks on the industry “have continued to plague the sector since the start of the COVID-19 pandemic”.[2] More than 50 million patient records were stolen last year, an increase of 24% over 2020.[3] These included social security numbers, patient medical records, financial data, HIV test results, and the private details of medical donors. “On average,” the WEF says, “155,000 records are breached during an attack on the sector and the number can be far higher, with some incidents reporting the breach of over 3 million records.”

This dire state of affairs is examined in Mimecast’s new report on Email Security in Healthcare. Based on a global survey of 1,400 information technology and cybersecurity professionals, including 254 (18%) from the healthcare industry, the report uncovers the cyber challenges facing the industry in the wake of the pandemic. For example, when asked how likely it was that their institution would be damaged in 2022 by an email-borne attack, 77% of these healthcare CIOs, CISOs, and other IT executives responded that it was likely, extremely likely or simply “inevitable”.

The Keepers of High-Value Data

Healthcare organizations are among the most targeted by cybercriminals and foreign agents because they collect so much data of high value to bad actors. Indeed, stolen health records may sell for up to 10 times more than stolen credit card numbers on the dark web. In addition to bank account and credit card numbers, these records may include protected health information (PHI), Social Security numbers and other personally identifiable information (PII), as well as medical research and other intellectual property. 

Moreover, the average cost of a healthcare data breach is the highest by far for any industry. In 2021, that cost rose by $2 million (22%) to $9.23 million per incident, compared to an average of $4.24 million for all industries — itself an all-time high.[4]

This poses some unique challenges for those responsible for securing the industry's data. If a bank account or credit card number is pilfered, for instance, the account can be frozen or closed and a new one opened. Not so with medical records. Once lab test results or a diagnosis is leaked, it is no longer private. The information is impossible to negate. 

Some instances of data corruption can be life threatening. Tampering with electronic medical records (EMRs) or networked medical devices like insulin pumps, for example, can interfere with patient treatment, resulting in injury or death.

There are also HIPAA, GDPR, and other privacy regulations to contend with. CISOs and other healthcare security professionals must strike a three-way balance between protecting patient data, securing its privacy, and sharing that data in order to provide the best possible patient care. These often conflicting objectives can create security gaps and vulnerabilities that cyber thieves are quick to seize on. 

Lagging Behind the Threat

Given this state of affairs, one might think that when it comes to cybersecurity, healthcare organizations would be among the most protected. Unfortunately, the old adage that doctors make the worst patients seems to apply here as well. The Mimecast study found that only 31% of healthcare providers have a cyber resilience strategy in place — among the lowest of all industries — despite the advancements in solutions available to them.

Governments are stepping in and putting pressure on healthcare organizations to up their security game. In the U.S., for instance, a new law went into effect on March 15 that requires public health institutions to report any cyberattacks to the Department of Homeland Security within 72 hours of their discovery or — in the case of ransomware — within 24 hours of paying the ransom.[5] But while most of the Mimecast survey respondents (93%) felt that government mandates would indeed result in greater cyber preparedness, they also strongly felt that this alone would not solve the problem and that more industry-driven security initiatives were needed.

The Bottom Line

In the healthcare industry, the likelihood and consequences of a data breach are dire. If healthcare providers fail to raise their cybersecurity standards, then the governments in many countries are liable to do it for them. While this may be one way for the industry to close its security gap, few cybersecurity leaders believe the results will be satisfactory. More robust outcomes can be achieved by healthcare leaders taking the initiative to devise a cyber resilience strategy and invest in the security personnel, systems, and procedures that they need. 

For more on the cybersecurity challenges facing the healthcare industry, please see Mimecast’s full report on Email Security in Healthcare.

[1] “Healthcare data breaches hit an all time high in 2021, impacting 45 million people,” Fierce Healthcare

[2] “If healthcare doesn’t strengthen its cybersecurity, it could soon be in critical condition,” World Economic Forum

[3] “2022 Breach Barometer Report,” Protenus

[4] “IBM Report: Cost of a Data Breach Hits Record High During Pandemic,” IBM

[5] “Healthcare organizations now must report cyberattacks to DHS,” Becker’s Health IT