Healthcare organizations deal with a huge volume of sensitive data as part of their operations. Not only do these organizations deal with protected health information that is subject to HIPAA, but they also have access to patients’ financial and insurance information.
Because these organizations have such a wealth of personal data stored in their digital systems, they are a common target for cyberattacks. In this article, we’ll take a look at the broader impact of data breaches and cyberattacks on the healthcare sector through statistics.
Cybercriminals are particularly interested in healthcare records due to the massive amount of personal data they contain. In addition to protected health information, hospitals often store patients’ full names, dates of birth, and even social security numbers.
Additionally, healthcare providers often store their patients’ financial information, such as insurance providers, credit card numbers, and more.
By accessing the information that healthcare providers store, hackers can easily commit identity theft. They can also sell this data to other cybercriminals because it is so valuable.
Additionally, many healthcare organizations have been very slow to transition from paper to digital medical records. While the vast majority of healthcare systems today do have digital systems, many of them use outdated technology or haven’t kept up to date with cybersecurity best practices.
While HIPAA does have cybersecurity requirements for healthcare providers, many companies struggle to implement them properly. Additionally, healthcare companies based outside of the United States are subject to their own local laws, which may be less comprehensive than HIPAA.
Because of this, healthcare organizations are particularly prone to both external hacking incidents and internal data breaches. Hackers often target healthcare organizations specifically because their systems have so many vulnerabilities.
There are several different types of data breaches that happen in the healthcare industry. When most people think of a data breach, they think of cybercriminals operating outside the target organization. However, many healthcare industry breaches actually come from within the organization.
These internal breaches usually happen by accident, but they can also be deliberate, carried out by a disgruntled employee. Here are the types of data breaches that happen most often in the healthcare industry.
The vast majority of healthcare data breaches happen as the result of hacking or other IT incidents. Ransomware and other forms of malware are particularly common among healthcare organizations.
Ransomware is a type of malicious software that steals sensitive data and holds it for “ransom,” threatening to release or delete the data if the victim does not pay a specific sum of money.
The second-most common type of healthcare data breach is unauthorized access or disclosure. This happens when a healthcare employee shares patient data or other secure information with someone outside of the organization who isn’t authorized to access it. It can also happen when an employee shares access to internal systems with someone outside the company.
While these breaches can be malicious, they are more likely to be unintentional mistakes. This is because many healthcare employees are not properly educated on HIPAA cybersecurity requirements.
Physical theft of healthcare records is another possible cause of healthcare data breaches. While healthcare providers store today’s patient records digitally, they may still have some paper records in storage that are vulnerable to physical theft.
Additionally, cybercriminals could steal computers and mobile devices that are used to store healthcare data. This theft can also happen unintentionally when healthcare professionals work remotely.
If a remote employee keeps a computer or mobile device that contains healthcare data after leaving the organization, this would be a form of physical theft.
HIPAA has very strict standards for the disposal of healthcare records. Even if these records are no longer in use at your organization, they could be very valuable to hackers. Disposing of these records in a way that violates HIPAA standards results in a data breach, often with harmful consequences.
Phishing is an extremely common type of cyberattack across all industries. Phishing happens when a cybercriminal poses as a trusted contact, tricking the victim into sharing secure login information or other sensitive data.
This often happens via email, particularly in the healthcare industry, but could also happen via text message or social media message.
Although phishing attacks are extremely common, many healthcare professionals don’t know how to spot them, resulting in compromised data. Many cybercriminals will also target healthcare executives specifically in a practice known as whaling. This particular type of phishing attack can be extremely devastating, as executives typically have access to very high volumes of data.
Healthcare breaches are devastating to patients, as they can potentially result in identity theft and other long-term security issues. However, they are also extremely expensive to mitigate and recover from.
In the initial aftermath of a data breach, companies will need to spend extra time and resources to re-secure the data, communicate with those affected, and eventually resume normal operation.
After a data breach, companies also experience damage to their reputation and ultimately a loss of patients, which is also very costly.
The United States experiences more cyberattacks and data breaches than any other country in the world, particularly when it comes to healthcare. This is largely due to the size of the US economy.
The US isn’t the only country that experiences healthcare data breaches – unfortunately, this is a global phenomenon. Cyber threats affect both public and private healthcare organizations around the world.
Unfortunately, many significant healthcare data breaches have happened over the last year. Here are some of the largest healthcare breaches that have happened in 2022. (HIPAA Journal/US Dept. of HHS)
Here are some of the largest healthcare data breaches that have happened so far in 2023.