Why do threat actors target healthcare providers? Breach timeline and industry insight

Between 2015 and 2020, we saw more than 150 million individuals affected by healthcare data breaches. Perhaps this is why the healthcare industry is set to spend $125 billion on cyber security leading up to 2025.

As many healthcare providers and medical professionals adapt and adopt digitisation in almost all aspects of their day-to-day tasks, and as many health records develop into electronic health records (EHRs), medical professionals and patient data have become unbelievably valuable targets for cyber criminals. In fact, ransomware attacks against healthcare organisations are on the rise.

In fact, a study by Accenture and the American Medical Association (AMA) found that over half of doctors surveyed have reported being targeted by a healthcare phishing attack.

Staff and patient data often contains sensitive and personal information that a cyber criminal could use for identity theft, financial fraud, and more even more malicious purposes. As a result, healthcare organisations and providers of medical services need to prioritise cyber security training and awareness to keep both staff and patient information safe and secure.

We need to educate employees on how to identify and prevent both common cyber threats, such as phishing and ransomware, but also be aware of new emerging cyber threats.

When you give your employees the opportunity to develop through training and raising awareness programmes, health organisations and employees take an active role in protecting organisation’s data and patient information.

50% of doctors surveyed have reported being targeted by a phishing attack

Reasons cyber criminals target the healthcare industry

Not only do cyber attacks on healthcare organisations lead to the compromise of staff data and patient information, but they can also bring day-to-day activities to a halt … which can be extremely devastating for an industry that deals with life and death every single day. But why are cyber criminals targeting the healthcare industry on top of an abundance of data and potential to disrupt? Let us run through some reasons below:

• High demand for medical patient data: Healthcare organisations, particularly hospitals, store and use a massive amount of patient data. Hackers who get their hands on data such as this know that they can not only sell this data for a lot of money, but also very quickly on the black market. Cyber criminals know that healthcare organisations need to cooperate with GDPR and comply with ransomware demands, especially when such confidential data is involved – they play on this desperation. To add a layer of protection on all of your data, you might consider solutions like multi-factor authentication (MFA) or two-factor authentication (2FA), as the authentication route requires verification from a trusted source before access to data is granted.
• Staff access data remotely more frequently: The healthcare industry has always been a collaborative system, especially as many medical organisations must handle the same patient’s data back and forth. As a result, medical professionals are often accessing confidential information remotely from a variety of devices … scenarios like this are even more common in 2023 post-pandemic. Cyber criminals understand that they only need to latch onto one compromised device to gain access to a confidential network teeming with patient data. As a result, you will see cyber criminals targeting doctors working from home, nurses on home visits, medical devices that connect online etc. A Verizon report reveals that 81% of cyber security incidents in the healthcare industry are because of malicious network traffic!
• Employees and insider threats: A survey by Accenture revealed a worrying statistic; 18% of healthcare employees would actually sell customer data to a nefarious individual for as little as $500. So not only do healthcare security leaders have to worry about external threats but also internal ones as well. Cyber criminals can sometimes target the employees they think are disillusioned or not worried about the security of their employer because they do not value or do not feel valued in their employment. In fact, this survey reveals that 40% of healthcare security leaders see internal vulnerabilities such as employee theft and negligence as their main security concern.
• Cyber criminals can hack medical devices: One cyber security aspect many security leaders in the healthcare industry understand is an issue but struggle to solve is the security of medical devices. Devices like x-rays, medical pumps and medical marker readers bring a truckload of positives but also provide a host of new entry points for cyber criminals. These machines were built for a primary purpose; x-rays help surgeons analyse bones and medical pumps can deliver insulin, but they are not built with security in mind. In fact, a report from the Cybersecurity and Infrastructure Security Agency (CISA) states that several common medical devices are classified as “exploitable remotely/low skill level to exploit.” This survey reveals that 32% of healthcare security leaders see medical device security as a top security concern. As a result, attackers can leverage these devices to launch cyber attacks on servers that they are connected to. The devices themselves do not necessarily hold patient data but the networks they connect to certainly do. From here, ransomware can be installed and entire networks can be brought to a grinding halt.
• Budget constraints mean healthcare staff are not trained: Nearly every healthcare industry in every country around the world is working to both budgetary and resource constraints – after 3 years of a pandemic and fallout therein. For some, it is almost impossible to source affordable cyber security training and awareness materials. A KPMG survey states that 50% of healthcare leaders said their organisations either did not have written security breach protocols or they were not aware of any existing. And a survey by Healthcare Information and Management Systems Society (HIMMS) found that 1 in 2 healthcare organisations do not provide cyber security training to their employees. Cyber criminals know that healthcare professionals are a. most likely not trained on cyber threats and emerging risks and b. far too busy and frantic to stop and assess potential cyber threats. When you get a confluence of untrained employees and an industry that lives and breathes data accessibility at all times, you get the perfect target for cyber criminals.
• Smaller healthcare organisations also targetable: Whilst large healthcare organisations are targeted because of the massive amounts of data and minimal cyber security funding, cyber criminals target smaller healthcare organisations because not only have minimal cyber security budgets but also because they can also open the door to larger healthcare companies they are collaborating with.
• A sea of outdated technology: The healthcare industry is always advancing its technology … but not every aspect of the industry is developing at the same rate. Again, a mixture of small budgets and hesitancy to fix something that is not broken, has left many medical organisations unprotected due to outdated technology and devices. This survey reveals that 31% of healthcare security leaders see ageing IT hardware as a top security concern. Some products are still being used despite vendors no longer supporting machines through patches and updates. For example, after Microsoft stopped supporting Microsoft 7, research found that 83% of medical imaging devices operate on a system that is no longer eligible for software updates. Cyber criminals understand that many healthcare organisations either cannot or do not update their old technology, leaving systems open to common cyber attacks.

18% of healthcare employees would sell customer data to a nefarious individual for as little as $500

Healthcare industry cyber breach timeline with case studies 

At TSC we understand that employees often understand the importance cyber security once they have had the situation contextualised and the risks made relatable with examples and case studies. When employees understand the very real consequences of a cyber breach in healthcare, they will take their security behaviours more seriously. To that end, let us run through a timeline of notable medical breaches over the last decade.

• 2014: In 2014, Community Health Systems (CHS), one of the largest hospital providers in America, was breached by a hacker. The hacker stole personal information from 4.5 million patients including social security numbers, birth dates, addresses and much more. This data was then sold on the black market and in the end, CHS had to settle with over 28 US states for $5m.
• 2015: In 2015, Anthem, a massive US health insurance provider was breached by a cyber criminal. 80 million US customers saw their social security numbers, telephone numbers and addresses leaked online. Anthem eventually settled in 2020 with Attorney Generals for $39 million.
• 2017: In May 2017, WannaCry ransomware was used to attack the NHS in the UK. This attack not only caused a significant amount of disruption to everyday hospital systems and patient care, but also led to the encryption of files on an infected network. Hackers demanded a significant payment in exchange for the decryption key. This was a very costly attack as official data suggests over 19,000 appointments were cancelled costing the NHS £92 million.
• 2019: In August 2019, the American Dental Association (ADA) reported that hundreds of dental practices were affected by a ransomware attack. The attack was not directly on the ADA but rather a third party technology vendor for the ADA. As a result, over 400 dental practices were locked out of their data affecting appointments and treatments.
• 2020: In 2020, a patient in Germany passed away because of a ransomware cyber attack that disrupted emergency services as Dusseldorf University Hospital. This is believed to be the first death in the healthcare industry as a direct result of a cyber attack as hackers stopped the use of important medical equipment in the emergency wing.
• 2021: In 2021, perhaps because of the focus on healthcare targets post-pandemic, a hacker group known as DarkMed began overtly targeting the healthcare industry. DarkMed’s MO involved using malware to steal confidential but valuable information such as medical records and insurance information.

31% of healthcare security leaders see ageing IT hardware as a top security concern

What does the breach timeline tell us

A recent study by Privacy Affairs found that between 2010 and 2020, 70% of Americans were affected by healthcare data breaches in some form. If these case studies and Privacy Affair’s findings illustrate anything it is the various and differing ways in which cyber criminals can and have targeted the healthcare industry. 

Ransomware attacks, malware attacks, brute force hacks could all find their way to your door – as a result, it is crucial for healthcare organisations to prioritise cyber security training and awareness to reduce the risk of becoming a target as it could not only be financially damaging ramifications but also damaging to real people and their health.

Ransomware attacks against the healthcare industry increased by 328% last year!

Your healthcare organisation needs TSC’s engaging and time sensitive support!

Last year, ransomware attack rates fell by 23% … but they increased by 328% in the healthcare industry (SonicWall).

We understand that the healthcare industry and many organisations that operate within it do not necessarily always have the time and resources to educate their managers and employees on online risks. In fact, the potential disruption caused by long mandatory online training could be detrimental to some organisations.

But one must not forget that the damage done by a cyber breach far outweighs any potential annoyance from a training and awareness programme. According to the Ponemon Institute, the average cost of a data breach in the healthcare industry is $7.13 million.

However, at TSC, we keep our training and awareness materials short, engaging, and time sensitive. They are perfect for any medical professional looking to fortify their awareness of cyber risks and emerging threats.

If you want to take your organisation’s cyber security to another level and have no idea what security gaps exist or where to start, TSC also has the answer; our SABR tool. SABR is one of our premier products. It is a Security Analysis and Behaviour Research tool that helps us identify gaps in your security culture, what fundamentals need to be fortified and cyber threats your employee base desperately needs educating on.

If you would like more information about how The Security Company can  help your healthcare organisation and deliver security awareness training and employee development for you in 2023 or how we can run a behavioural research survey to pinpoint gaps in your security culture, please contact  Jenny Mandley.