The Healthcare Industry: A Prime Target for Cyberattacks
- Blog
- The Healthcare Industry: A Prime Target for Cyberattacks
In recent years, the healthcare industry has emerged as a prime target for cyberattacks. Healthcare providers are prime targets for malicious attackers for a number of reasons. They have access to immense amounts of digital patient records that are valuable on the black market, as well as a very complex IT environment comprising various connected devices, outdated operating systems and software, and a sprawling third-party software supply chain network. These issues are compounded with a lack of funding for trained security teams and technology, and insufficient government guidance, leaving the sector vulnerable to persistent cyberthreats.
In this article, we'll dive deeper into why the healthcare industry is a top target for cyberattacks, backed by statistics from trusted sources and research-driven reports. We’ll also make the case for why every healthcare organization needs a strong password manager in order to protect their bottom line.
The data security challenges facing the healthcare industry are multifactorial.
To start, healthcare records are a treasure trove of sensitive information, including personal identifiers, medical history, insurance details, and even financial data. Cybercriminals strive to monetize this type of information on the dark web, making healthcare organizations an attractive target.
Historically, the healthcare industry has lagged behind when it comes to digital transformation and updating systems. This leads to a corresponding lag in updating legacy software and patching existing operating systems and connected devices, creating a weakened security posture overall. The increasing use of electronic health records (EHR) and patient portals has created a bigger attack surface.
Similar to other highly regulated industries, the healthcare space is underfunded and understaffed to properly tackle security threats, resulting in a larger attack surface. A complex IT environment comprising connected devices and disparate third-party vendors requires careful monitoring to ensure security resilience. When IT teams are ill-equipped, healthcare institutions find themselves increasingly vulnerable to incidents that can cause widespread outages that put patients’ lives and their data at risk.
Government agencies have recently released more guidance aligning with the National Institute of Standards and Technology (NIST) cybersecurity framework to harden healthcare security posture. High profile attacks like the Change Healthcare ransomware attack disrupted insurance claims and electronic pharmacy refills, indicating there’s more work to be done. Deterrent measures such as public-private sector information sharing, general security education and awareness, and greater investment in security teams must be priorities, rather than afterthoughts.
Recent data highlights healthcare industry vulnerability to cyberattacks and data breaches. IBM’s report on the average cost of a data breach revealed the healthcare sector experiences the most costly data breaches. And to make matters worse, public reports of hacking incidents targeting healthcare data are increasing rapidly.
The annual data breach report published by the Identity Theft Resource Center (ITRC) revealed the healthcare sector has led all industries in the number of reported breach incidents every year for the past five years.
The vulnerabilities discussed above have led to a rise in healthcare industry ransomware attacks. Attackers encrypt critical patient data and demand hefty ransoms for decryption keys, causing downtime and compromising patient care. In November 2023, Nashville-based Ardent Health Services was targeted by a ransomware attack that forced it to divert ambulances and reschedule elective procedures. In November, 2023, a US Department of Health and Human Services (HHS) hearing revealed that the vulnerabilities plaguing larger health systems are even worse in rural areas lacking the infrastructure of major metro area counterparts..
In 2023, reports revealed that ransomware attacks cost healthcare facilities $77.5 billion in downtime. Organizations like Tenet Healthcare reported a $100 million loss attributed to a ransomware attack, and Scripps Health estimated losses of nearly $113 million primarily due to lost revenue and recovery costs.
Healthcare facilities can mitigate ransomware-related damage by minimizing their attack surfaces. Simple tactical ways to do this include patching vulnerabilities and updating software, training and educating a select group of users who handle the most critical data, and engaging in strategic pentesting to assess areas of weakness. Organizations should also ensure they are leveraging one of the most effective security tools at their disposal: an enterprise-wide password manager.
Another recent report revealed that 42% of healthcare organizations experienced a cyberattack due to unsecure entry points in their systems. To combat these threats effectively, every healthcare organization needs to prioritize cybersecurity measures, and password managers are a cost-efficient solution that can be implemented quickly for immediate impact.
Implementing a HIPAA-compliant password manager like Bitwarden enables healthcare organizations to generate and manage, strong and unique passwords for various systems and accounts, reducing the vulnerability to password-related breaches. Other key benefits include:
Strengthening authentication with seamless single-sign-on and directory integration options
Enforcing strong password policies such as minimum password length and two-factor authentication, adding an extra layer of security
Protecting against credential attacks by eliminating the need to memorize or reuse passwords for multiple accounts, and ensuring employees can share credentials securely
Simplifying compliance with data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA)
Additionally, password managers allow for the enforcement of robust password policies, like two-factor authentication (2FA), adding an extra layer of security. By centralizing and encrypting login credentials, healthcare organizations can mitigate the risk of unauthorized access and credential stuffing attacks.
Bitwarden is an open source, enterprise-grade password manager that simplifies the process of generating, storing, and securely sharing unique passwords on any device. For larger healthcare entities that require centralized control over password security, Bitwarden supports advanced features like flexible Single Sign-On (SSO) integration options, LDAP directory service connectors, API access, custom management roles, and activity monitoring through detailed event and audit logs.
HIPAA regulations stipulate that systems used for storing personal health information (PHI), even when data is encrypted, must adhere to HIPAA compliance. That’s why Bitwarden has made the commitment to achieving HIPAA compliance, certified by a third-party auditor, to serve as a trusted Business Associate for healthcare organizations subject to HIPAA regulations.
To explore Bitwarden business features and capabilities, get started with a free trial today.
You may also like: