Listen Up

Tuesday, October 8, 2019

Why Are Hackers Targeting Hospitals? - ReferralMD


attrib: Shutterstock
 Why do hackers target healthcare data? Hospitals need to spend more and pay attention to cybersecurity in order to prevent data breaches.

Did you know that more than 25 percent of all data breaches that occur in a given year affect hospitals and healthcare facilities? Why is healthcare data a target for hackers?

Research from 2018 suggests that health data is the second most at-risk type of information after social security numbers.  In 2019, there have been more than 25 million patient records affected.

It’s also very important to point out that out of all hospital data breaches, 53 percent originated within the establishment itself. What’s even more troublesome is the fact that for most hospitals, more than a month passed from the initial hack attack/breach to its detection.

Why are healthcare facilities vulnerable and what makes hackers target such institutions? Why are health security challenges becoming more difficult to address every single year?

The conclusion reached was that hospitals were severely lacking in data security measures due to the lack of funding, the lack of appropriate staffing, no employee training pertaining to the best data security practices, improper organizational structure, the overall lack of a security policy and the lack of security audit procedures.

Why Do Hackers Target Hospitals?

The research quoted in the introduction suggests that over 15 million patient records were breached in 2018. The number of affected records has nearly tripled over the course of a single year – from slightly over 5.5 million records in 2017 to over 15 million records in 2018.

There are several reasons why hackers are so keen on accessing healthcare facility and patient information.

Patient data can easily be sold off, which is the number one reason why healthcare facilities are subjected to so many hack attacks.

Health records and other patient-related information are hugely demanded on the black market. In some instances, hackers are even capable of selling the information back to the hospital itself. Needless to say, they generate massive profits from such “transactions.”

In essence, hackers can make money from patient data through blackmail or by selling such records to the highest bidder.

Hackers can also utilize the information of high profile patients. In 2017, for example, hackers breached the network of a major plastic surgery clinic in London. It was a high profile case that included information from numerous celebrity clients. That information consisted of pictures, medical records, addresses, and even sensitive financial data. Such information can easily be applied to fraudulent activities, stalking, and harassment.   Finally, hackers target medical facilities because they lag behind in the introduction of security measures. Bank and financial networks, for example, are heavily protected. This isn’t the case for medical facilities. Many of them don’t have the resources to introduce the latest safety measures and to make sure that patient information is properly protected.

Ways in Which Hospital Data Breaches Occur
A hospital’s database can be breached in several distinctive ways.

The first and easiest available option is the so-called social hacking. It involves getting credentials (user names and passwords, for example) from one of the individuals that have legitimate access to the network.

It’s very easy for someone to impersonate an IT company rep who needs to do maintenance, hence is looking for credentials information.

The second and a bit more challenging option involves the use of brute force to access the network in a completely unauthorized way.

Security experiments show that the second data breach method isn’t that difficult to utilize.

Healthcare Data Protection: Best Practices

Data security solutions are becoming more readily available today. Cloud-based technologies are scalable and cost-efficient. They allow for better protection through encryption, access monitoring and the logging of unusual activity.

A shift in mindset is needed for healthcare facility managers and administrators to see the cost-efficiency of database safety solutions. Until recently, these were perceived as too costly and only attainable within the framework of a large medical facility.



Educating staff members is even more important. As already illustrated by some of the examples, many hack attacks and security breaches are the results of negligence or complete unawareness of safety protocols.

Any IT security program within the healthcare framework should have a big focus on staff training. Many people are still unaware of how hack attacks occur, what’s phishing, malware or ransomware. When such threats become easy to identify, they also become easy to circumvent.

Good hospital data protection practices should also focus on the establishment of a secure wireless network, the encryption of portable devices and even the introduction of physical security controls like locking file cabinets (to protect paper-based data) and installing security cameras.

Hospital Security Necessitates a Thorough Approach. Workforce training and management is a requirement for all covered entities under the HIPAA Security Rule.


Making hospital data more secure isn’t about the introduction of a single measure. A thorough approach will be required to eliminate vulnerabilities from the network itself and to reduce the risk of human error.

Such measures, however, are long overdue.

Top 5 Healthcare Data Security, Infrastructure Threats

Ransomware, external threats, and advanced persistent threats are a few of the key healthcare data security and healthcare IT infrastructure dangers.

1. Ransomware
2. Outside Threats (human)
3. Advanced Persistent Threats (APTs) – Theft of IT and Corporate Data
4. Distributed Denial of Service (DDoS) Attack


The importance of information management in the healthcare context cannot be underestimated. While digitization is simplifying the management of larger information volumes than ever before, it also contributes to potentially disastrous security risks. The need for healthcare-focused security solutions and staff training courses is only going to grow in the years to come. While current statistics don’t pay an optimistic picture, technological advancements and higher levels of awareness will hopefully change the situation for the better in the near future.

Training Employees to Avoid Healthcare Data Security Threats

Healthcare employees must undergo regular and comprehensive training so organizations can better avoid potential data security threats.


Eighty percent of health IT executives and professionals said that employee security awareness is their greatest data security concern, according to a survey conducted by HIMSS Analytics and sponsored by Level 3 Communications, Inc.

There is a shortage of adequately trained cybersecurity experts. There are over 300,000 job positions available that remained unfilled A variety of solutions have been suggested, from retraining already employed personnel in cybersecurity, to Filling Healthcare Security Staffing Gaps with Virtual CISOs, Students.  The staffing shortage has hit the healthcare sector hardest: 79 percent of healthcare organizations find it difficult to recruit security staff, Ponemon reported. 

V-CISOS

Virtual CISOs, or vCISOs, are quickly becoming a sound method for effectively closing security staffing gaps. These cybersecurity leaders are offsite and are commonly shared between several organizations. On the surface, the move could seem risky: the leader is off-site and shares security time with other providers.

Those concerns are valid. But for smaller organizations that may not need a full-time security leader or that may reside in an area where it’s difficult to attract top security talent, a V-CISO can be more than effective at providing the necessary security policies, procedures, and support.


Synoptek, CynnergisTek, Pivot Point Security, and a host of others offer these virtual roles, which can be tailored to meet the needs of an organization.

Hospitals often struggle to find and retain security leaders who have the skillset to manage the complexity of the healthcare environment, Hewitt explained. Even with outside recruiting, there’s a moderate amount of movement in CISO roles. Resources also add to the challenge, as many can’t afford to retain top talent. VCISOs can fill that gap, while providing elements a traditional CISO cannot.

 “For mid- to small-sized providers, you can clearly see that a vCISO may be an advantage because, number one, they probably can’t afford additional training. But they can take that money and go with a vCISO, which will be shared across two to five hospital districts or providers. There’s an economy of scale.”

What should an employee do if they suspect a breach in cyber security 

Attribution is given to the following publications and/or organizations for the content herein.

Health and Human Services
exTelegent Healthcare Media

No comments: