Healthcare organizations can expect ransomware, botnets, cloud misconfigurations, web application attacks, phishing, and smart devices to be their top risks.

Cyberattacks targeting the healthcare sector have surged since the COVID-19 pandemic and the resulting rush to enable remote delivery of healthcare services. Security vendors and researchers tracking the industry have reported a major increase in phishing attacks, ransomware, web application attacks, and other threats targeting healthcare providers. This year’s rise in ransomware in healthcare, in particular the Change Healthcare breach, has been a headline-grabbing wake-up call for healthcare execs.

The trend has put enormous strain on healthcare security organizations. “The healthcare industry is under siege from a range of complex security risks,” says Terry Ray, senior vice president and fellow at Imperva. “Cybercriminals are hunting for the sensitive and valuable data that healthcare has access to, both patient data and corporate data.”

Many organizations are struggling to meet the challenge because they are under-resourced and rely on vulnerable systems, third-party applications, and APIs to deliver services.

Moreover, IT systems are increasingly used to optimize clinical encounters and patient care. For example, ambulance crews can obtain detailed medical records for patients from tablet devices on scene; the national mobilization app (NMA) in the UK is currently being introduced to modernize and standardize this across all NHS ambulance services.

Implantable devices, such as loop recorders, are increasingly being used to aid diagnoses, for example, of cardiac arrhythmias. These devices support telemetry, as do wearable devices, by transmitting patient data. Important healthcare decisions are made based on this data, with patient data being far more available due to advances in IT.
The increasing usage of IoT and IT in healthcare has had positive effects in terms of clinical efficiency and decision-making certainty, but it does mean greater attention to risk assessments is necessary; the past days of patient data being stored in locked filing cabinets are long gone, says WithSecure principal consultant Stuart Morgan.

“The impact of patient data being manipulated or leaked is intuitive and well understood, but the risk of denial of service — whether malicious or unintended — can be huge,” Morgan tells CSO. “Although resilience is built in to these systems to a degree, resorting to backup systems are by their nature far less efficient; the inability for ambulance crews to review clinical history, patients to obtain electronic prescriptions, or clinicians at home losing access to the ambulance dispatch system have huge practical effects in the community in which they work because the general processes in place have been written on the basis that these systems are functional.”

Imperva’s Ray and other security experts have identified multiple issues that present major threats to healthcare organizations today. Here are six of them.

1. The rising ransomware threat

Ransomware has emerged as one of the biggest cyber threats for healthcare today. Attackers have discovered that healthcare organizations delivering life-saving treatments can be more easily extorted than victims in almost every other sector. Many healthcare organizations are also more susceptible to attacks because of new digital applications and services they have launched to address demand for telehealth services, among other digitalization efforts.

Ransomware attacks against the global healthcare sector have steadily increased since the pandemic. From 2022 to 2023, healthcare ransomware victims jumped 81%, according to a study by the US Office of the Director of National Intelligence.
Security vendor SonicWall reports that 91% of malware-related healthcare breaches so far in 2024 have involved ransomware.

Examples of publicly disclosed ransomware attacks against healthcare services and hospitals are legion. For example, a ransomware attack on Ireland’s public health system in May 2021 forced administrators to cancel or reschedule thousands of appointments and surgeries after attackers locked some 2,000 patient-facing systems. Change Healthcare suffered a devastating ransomware attack in February 2024 that disrupted insurance claim processing, prescription dispensing, and financial settlements, with a huge impact on many hospitals, clinics, and pharmacies across the US. In August 2024, Michigan-based McLaren Health Care suffered the second of two ransomware attacks over the course of just 12 months.

Electronic health records (EHRs) and systems present the biggest risk in healthcare today, says Caleb Barlow, president and CEO of CynergisTek. “Past attacks have shown when a hospital undergoes a ransomware-induced lockdown period, access to EHRs is shut down, and patients may have to be diverted for care,” he says. “Such attacks can prevent access to critical prescription information and dosing for patients with complex, chronic conditions like diabetes or cancer. Worse, hackers can potentially take it a step further and manipulate health record data to undermine patient care.”

Historically, healthcare institutions transferred this risk to cyber insurance, but that is becoming more difficult because insurers are making it harder for organizations to purchase ransomware protection without specific controls such as multi-factor authentication and endpoint detection and response technologies, Barlow says.

2. Cloud vulnerabilities and misconfigurations

Many healthcare organizations have adopted cloud services as part of broader digital transformation initiatives, with the pandemic and associated increase in demand for remote telehealth services having accelerated that move. As a result, patient health information (PHI) and other sensitive data is increasingly being hosted in vendor cloud environments.

The trend has broadened the attack surface at healthcare organizations, making them more vulnerable to attacks targeted at stealing PHI, insurance information, and other sensitive data, says Anthony James, vice president of products at Infoblox. Healthcare organizations often use multiple cloud vendors and services with different security standards and practices, making it hard to apply a consistent policy for protecting data across the cloud environment, he says.

Fifty-three percent of healthcare IT pros surveyed in 2021 by CyberRisk Alliance Business Intelligence on behalf of Infoblox said their organizations experienced a cloud-related data breach over the preceding 12 months. PeakTPA, a provider of health plan management services, in March 2021 disclosed that PHI belonging to some 50,000 Medicare and Medicaid program customers had been accessed and exfiltrated from two of its cloud servers. In another high-profile instance from 2020, sensitive data belonging to over 3.1 million patients was found lying exposed in an unprotected cloud database believed to belong to a vendor of patient management software.

More than one-third (34%) of victims in the Infoblox survey described their breaches as costing them $2 million or more. Forty-seven percent said they had experienced a malware attack targeting a cloud-hosted asset and 37% said they had experienced an insider attack involving PHI and other data stored in the cloud.
More recently, 61% of healthcare companies said they experienced a cloud cyberattack in the past 12 months, with 86% of these attacks resulting in financial losses or significant damages, according to a February 2024 report by healthcare software developer KMS Healthcare.

3. Web application attacks

Web application attacks targeting healthcare entities have spiked sharply in recent years, starting largely during the COVID pandemic when researchers from security vendor Imperva observed a 51% increase in web application attacks on hospitals and other healthcare targets in December 2020. On average, healthcare entities experienced 498 attacks per month that year, with cross-site scripting attacks being the most common, followed by SQL injection, protocol manipulation attacks, and remote code execution/remote file inclusion attacks.

“Technically speaking, web application attacks can be incredibly challenging for under-resourced healthcare organizations to manage,” Ray says. To address the issue, healthcare organizations must implement controls that enable better visibility into third-party applications and API connections, he says. Only then will the security team be able to understand who is trying to access critical data and whether that activity should be permitted.

Web applications became the No. 1 vector for data disclosure in healthcare in 2021, according to a study by Verizon, whose research was based on analysis of 849 incidents, 571 of which involved a confirmed data disclosure. In 2024, SonicWall estimates around 60% of attacks slung against healthcare organizations targeted Microsoft Exchange.

4. Bad-bot traffic

Traffic from bad bots — such as those that attempt to scrape data from websites, send spam, or download unwanted software — presents another major challenge for healthcare organizations.
The problem became especially pressing when governments around the world began setting up new websites and other digital infrastructure to support COVID vaccine registrations and appointments. Bad actors bombarded these new, hastily established and largely untested sites with a huge volume of bad-bot traffic. Imperva says it observed a 372% increase in bad-bot traffic on healthcare websites in the first year of the pandemic.

“Increased levels of traffic result in downtime and disruption for legitimate human users who are trying to access critical services on their healthcare providers’ site,” Ray says. “It might also result in increased infrastructure costs for the organization as it tries to sustain uptime from the persistent, burdensome level of elevated traffic.”

From January 2023 to June 2023, bad bots made up 30% of internet traffic, according to a study by security vendor Barracuda. The latest 2024 edition of Imperva’s Bad Bot report estimates malign bots account for nearly a third (32%) of internet traffic. Imperva reports that the healthcare sector has seen a rise in bad bot traffic, with 33.4% of website traffic originating from bad bots, compared to 31.7% in the previous year.

Bad bots can lead to healthcare data breaches, for example through credential stuffing attacks against patient accounts and scraping of sensitive health information. Cybercriminals target confidential health information, such as patient records, medical history, and insurance details, because this stolen data can be sold on the dark web for profit or used for fraudulent activities, Imperva warns.

5. Increased phishing volumes

Phishing attacks pose a major threat to the healthcare industry as they do in almost every sector. Again, the pandemic provided a unique backdrop for a rise in phishing volumes against healthcare organizations.
An analysis that researchers at Palo Alto Networks’ Unit 42 team conducted recently showed a 189% increase in phishing attacks relating to or targeting pharmacies and hospitals between December 2020 and February 2021. Vaccine-related phishing attacks soared 530% over the same period. According to the vendor, in the early stages of the pandemic many phishing lures involved testing and personal protective equipment (PPE). The lures then shifted to stimulus and government relief programs and then to the vaccine rollout.

A survey of 168 healthcare cybersecurity professionals conducted by the Healthcare Information and Management Systems Society (HIMSS) at the time found that phishing was the typical initial point of compromise for most security incidents. “Phishing attacks are the top type of significant security incident reported by respondents,” HIMSS noted in its report. “Phishers were the top type of threat actor responsible for significant security incidents at healthcare organizations.”

Stats compiled by the US Department of Health and Human Services (HHS) record that 18% of 4,419 reported breaches of PHI between October 2009 and the end of 2021 involved either phishing attacks or the hacking of email accounts, the HIPAA Journal reports. Phishing was the initial vector in high-profile attacks against healthcare organizations Anthem (2015) and Magellan Health (2020), among others.

A study by BMJ, the UK medical journal, found that around 3% of emails sent to hospital staff over a one-month period were suspected threats. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required — particularly about the risk of leaking information of potential use to attackers through social media, the BMJ advised.

6. Smart devices

Wearable and implantable smart medical devices are a proven cybersecurity risk.
These technologies certainly offer better analysis, assisting diagnosis of medical conditions while aiding independent living, but mistakes made in securing such medtech have exposed vulnerable users to potential attack.

A seminal moment was the late Barnaby Jack’s hacking of an insulin pump in 2011. This attack over Bluetooth had a maximum range of approximately 300 meters. Since then, security researchers at Pen Test Partners have found “closed loop” insulin trial data on the public internet.

“In one case, we could have modified the readings taken by the body-worn continuous glucose monitor and automatically, remotely administered a fatal dose of insulin to around 3,000 users in the trial,” Ken Munro, managing director of Pen Test Partners, tells CSO. “Fortunately, the vendor involved responded very quickly to our report and had the system secured the same day.”

Other connected medtech devices Pen Test Partners have found security issues with include cranial stimulators, dosing pumps, and medical robots, among many others.

Fortunately, the smart devices threat has been recognised and regulators are starting to take action. For example, the US Food & Drug Administration (FDA) introduced FD&C 524b last year to drive cybersecurity in connected medical devices.