Healthcare Organisations are under Escalating Attack after the Loss of Patient Data


When it comes to cyber-attacks in the healthcare sector, hospitals and payer organisations are under fire. In a recent poll, 62% of the executives surveyed admitted to experiencing attacks in the last twelve months, and more than half of those lost patient data as a result.

Publicly available data collected in Merlin International and Ponemon Institute’s 2018 study, Impact of Cyber Insecurity on Healthcare Organisations, revealed that, out of five industries tracked, the medical/healthcare industry accounted for over 23% of total breaches last year. This resulted in the exposure of over five million patient records. Only the business sector saw more successful attacks, meaning that healthcare organisations have now placed second four years in a row.

A Lack of Coverage

67% of the healthcare providers who were surveyed worked at organisations with one hundred to five hundred patient beds, using an estimated ten thousand to one hundred thousand network-connected devices, or around 66%. That is a wide and attractive attack surface for criminals, 77% of whom are seen as being after patient medical records, patient billing information, login credentials, passwords and other forms of authentication to servers, systems or applications, and clinical trial and other research information.

When it comes to attack vectors, the exploitation of existing software vulnerabilities that are three months old or more is in the lead as the main attack method at 71%, closely followed by malware attacks at 69%. Ransomware is somewhat behind at 37% of attacks. 63% of organisations surveyed also stated that they are just as concerned with external attacks as they are with employee negligence or malicious insiders.

Hazardous Opportunities on the Rise

“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time,” said Brian Wells, Merlin International’s director of Healthcare Strategy. “Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access or control of the proprietary and personal information and systems the industry depends on to provide essential care.”

Surprisingly enough, “getting serious” doesn’t seem to hold a firm place on the radar screen. On the medical device security front, 65% of those surveyed responded “no” or “unsure” when asked if the security of medical devices is part of their overall cybersecurity strategy. And despite these devices appearing to be a new and growing target for attackers, only 31% of those surveyed said they have no plan to include them within a cyber strategy in the near future.

Not Enough Being Done

In a similar fashion, 52% of those surveyed agreed that a lack of employee awareness and training affects their ability to create a strong and stable security stance. The workforce gap also plays a role here, as around 74% referred to a lack of necessary staffing as the biggest obstacle to maintaining a fully effective security stance. In addition, only half of organisations have a dedicated chief information security officer (CISO), and 60% of those surveyed are doubtful that they have the correct cyber security qualifications in-house.

What’s worse, despite the respondents saying that a compromise will cost them $4 million on average, only half of the organisations have any form of incident response program at all. This means that the other half have no process for the mitigation and remediation needed to respond to attacks and to prevent them from happening again or causing extensive damage in the future.
