Why are cyber attacks so common in the health sector?
Why data breaches and cyber attacks occur so frequently in the health sector
Globally, a hospital experiences a cyber attack every 6.8 minutes - healthcare is hit four times more frequently than any other sector. Worse still, ransomware attacks on hospitals may result in mortality rate increases of up to 35% [NPR report].
Attackers have realised that healthcare's digital infrastructure is vulnerable and, most importantly, lucrative. So, why is the health sector such a hotspot for cybercrime, and what can we do to protect ourselves from cyber attacks and data breaches?
Why are there so many cyber attacks in healthcare?
It's important to remember that attackers' main motivation is money. Healthcare is a lucrative business for them for a few key reasons.
Healthcare continues to have the highest data breach cost of any industry, averaging $10.10 million per incident [CheckPoint]
High value of medical records
Medical records hold immense value for cyber criminals.
For example, social security numbers can be sold for around £1 each, while credit card information fetches around £4. However, the real treasure trove for cyber criminals lies in electronic personal health information (ePHI), which is valued between £40 and £200.
Unlike credit card numbers, which can be swiftly cancelled, medical records are immutable and provide enduring personal data that can be exploited indefinitely - ePHI is essentially a goldmine.
Cyber criminals can steal and sell thousands of medical records at once, creating significant financial leverage. Health data, with its rich details such as medical history, insurance information, and personal identifiers, offers prolonged utility and higher resale values.
The high value of medical records incentivises cyber criminals to continuously attack healthcare systems. With healthcare data breaches on the rise, up 74% YoY in 2023 [CheckPoint], understanding and mitigating these risks has never been more crucial for protecting sensitive patient information.
Ransom payments in healthcare
Overarching advice from law enforcement is to avoid paying a ransom - paying out only justifies criminal extortion tactics. Unfortunately, healthcare institutions often find themselves under immense pressure to restore systems quickly. Organisations frequently cave to ransom demands to avoid disruptions that can endanger patient care.
The result is that ransoms in healthcare are paid roughly half the time (47% of the time in the US, resulting in £80M of ransom paid out in 2023). And the problem is not specific to private healthcare systems - the Synnovis cyber incident on the NHS in June 2024 came with a $50M ransom demand.
The urgency of restoring vital medical services creates a fertile ground for cyber criminals.
Multi extortion tactics
Multi extortion techniques are an escalating trend in cyber attacks against healthcare, where malicious actors leverage multiple layers of threats.
An example of a "double extortion" attack might involve finding a high profile individual whose data has been breached and leveraging the threat of exposing this data to extract more money.
Such ransomware attacks can be particularly damaging because they significantly increase the pressure on the victim organisation and affected individuals.
What makes healthcare so vulnerable?
There are several industry and technological challenges in healthcare cyber security which make the sector uniquely vulnerable.
Under resourcing and budget constraints
Healthcare organisations and digital health start-ups often face substantial challenges due to under-resourcing, which can force a continuous prioritisation of service delivery over cybersecurity enhancements.
Healthcare is unlike banks or for-profit organisations. It's difficult to put a dollar value on security improvements, as the trade-off is often against patient outcomes. This makes it challenging to justify the cost of robust security measures, leading to difficult decisions that often compromise patient outcomes.
Balancing security and patient care
Ensuring patient care while maintaining cybersecurity is complex.
Legal restrictions add a layer of complexity, necessitating a delicate balance between implementing thorough security measures whilst safeguarding patient data. This makes implementing and updating security technologies which require privileged access to systems challenging.
Security measures must also be meticulously integrated to avoid jeopardising continuous delivery of care. Any approach to cybersecurity must ensure that protective steps do not hinder the rapid delivery of medical services.
- The CrowdStrike outage in July 2024 (in which a service designed to enhance security inadvertently took down 8.5 million Windows systems worldwide) has brought to light how delicate this balance is.
Outdated and specialised systems
Many hospitals still use legacy systems that are no longer supported by regular security updates from vendors, making them vulnerable to new exploits.
Specialised IoT (Internet of Things) devices in hospitals and clinics, many of which run non-Windows environments, are difficult to manage centrally and are inherently vulnerable to zero-day exploits.
- The WannaCry ransomware from 2017 has been found, to this day, still surviving on stress test treadmills in clinics!
Fragmented tooling
In many hospitals, the lack of unified systems poses significant risks. This fragmentation means that efforts to bolster security are often disjointed, leading to blind spots that cyber criminals can exploit. The dispersed nature of tools and processes (including firewalls, VPNs, SOCs, email protection systems, MDM software, etc.) prevents institutions from reacting swiftly and efficiently to emerging threats.
CISOs encounter challenges daily as they are tasked with integrating a myriad of security solutions – an endeavour that is both time-consuming and costly. Despite increased investment into cyber security in recent years, the absence of a consolidated approach hinders overall security efficacy.
What can we do to reduce cyber attacks?
Care institutions and health IT providers of all sizes have a critical responsibility to acknowledge the threats and take a proactive approach to mitigating risk.
Implementing global guidance and standards
Fortunately, cyber attacks have driven global guidance in recent years, and there are recognised frameworks and standards that organisations should implement to protect themselves.
- NHS DSPT: The NHS Digital Security and Protection Toolkit (DSPT) is a framework which provides a comprehensive assessment of an organisation's security posture across various domains, including data governance, incident management, and staff awareness. It helps organisations identify gaps and prioritize improvements, ensuring compliance with data protection regulations.
- CAF: The Cyber Assessment Framework (CAF 3.2) is an NCSC framework which offers a structured approach to assessing and improving cybersecurity capabilities. It provides a standardized vocabulary and framework for evaluating cybersecurity maturity across multiple aspects, including risk management, security operations, and governance. (The NHS DSPT is moving to be CAF-aligned in 2024/25)
- UK Cyber Essentials: A UK Government backed scheme to help organisations protect themselves against the most common online attacks. The scheme is specifically designed to be simple and cost effective.
Meeting Cyber Essentials requirements helps organisations establish a stronger security posture, reducing the risk of data breaches and protecting against 98.5% of common cyber threats.
By implementing frameworks like the NHS DSPT, and achieving UK Cyber Essentials certification, digital health companies and healthcare organisations can build a solid foundation for strong cybersecurity. This will allow them to better protect sensitive patient data, maintain operational resilience, and build trust within the healthcare ecosystem.
Assuric can help with achieving all aspects of the NHS DSPT and Cyber Essentials Plus. If you're interested in improving your security posture then talk to us today.
Staff awareness and training programs
Through tailored education sessions and building a culture of cybersecurity awareness, critical skills such as identifying phishing attacks, recognising suspicious activities, and responding swiftly to potential threats can be developed. Empowering staff with the knowledge and skills to act as the first line of defence ensures a resilient organisational posture against cyber threats.
80% of organisations say that phishing awareness training helped them reduce the risk of their employees falling for phishing attacks by 60%, yielding a 37-fold ROI [ProofPoint].
Importantly, leadership must foster a culture of cybersecurity awareness and compliance. Executive buy-in is essential to building a compliance culture and ensuring the organisation remains protected. Data protection and cyber security best practices should be driven at board level.
Regular audits and vulnerability assessments
Regular audits and vulnerability assessments are essential for healthcare organisations to maintain a strong cybersecurity posture. Independent cybersecurity professionals conduct audits, providing an unbiased review of an organisation's security practices. These audits highlight weaknesses, ensure compliance with regulations and standards, and offer actionable steps for improvement.
Vulnerability assessments and manual penetration tests are critical for identifying potential entry points for attackers. By scanning systems and networks for known vulnerabilities, organisations can prioritize the most critical issues and implement timely patches and updates. This proactive approach significantly reduces the risk of data breaches.
Scoping and conducting a manual penetration test is a requirement of the NHS DSPT and NHS DTAC. An audit also forms part of Cyber Essentials Plus. Assuric can provide penetration testing tailored to digital health companies. Talk to us today to find gaps in your infrastructure and meet the requirements.
Advanced technology solutions in cybersecurity
Some organisations may look beyond the best practices, such as malware protection and MFA, introduced in Cyber Essentials. Advanced solutions, such as Extended Detection and Response (XDR), offer a comprehensive approach to detecting and mitigating cyber threats, enhancing overall security posture.
Starting points for digital health companies
Assuric is a platform built from the ground up for digital health companies to comply with regulatory standards and frameworks and adopt a culture of cyber resilience.
By implementing internationally recognised standards, such as Cyber Essentials Plus and NHS DSPT, organisations can significantly strengthen their defences and build a robust base for continuous improvement. Here's how Assuric can help:
- Streamline implementation of standards like Cyber Essentials and NHS DSPT
- Reduce complexity in compliance processes
- Facilitate continuous auditing and assessment of cybersecurity measures
- Enhance staff training in recognising and responding to threats
- Promote senior management engagement for a compliance culture
Get started with the Assuric platform today: