Cybersecurity: News and Tips for Hospitals and Healthcare Facilities

As our society continues to move more of our social, professional, and medical lives onto the internet, it's not only our social media and email accounts that are being targeted. It's our personal health information (PHI) as well.

Written by
Miranda Kay, RN
March 6, 2023

The transition to electronic health records (EHR) and electronic medical records (EMR) has continued and accelerated. While it has made medical service delivery more efficient, it has also amplified the need for more attention, budget, and planning for better cybersecurity.

According to an interagency report by the U.S. government, "Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016." Ransomware gangs are criminal hackers who break into their targets' systems, steal data, and demand a ransom for its return.


According to another report, published by the cybersecurity firm Sophos, the healthcare sector is a major target, with the number of attacks doubling from 2020 to 2021, in the middle of a global pandemic no less. As the saying goes, there is no honor among thieves, and certainly not among ransomware gangs. These attacks on hospitals result in procedural disruption, loss of vital patient information, appointment cancellations, and even patient deaths. So why are hospitals such lucrative targets for ransomware gangs?


Why Ransomware Gangs Attack Hospitals

Each person's healthcare information is a lucrative mine for hackers and threat actors on the dark web. Sold on, it feeds exploitation, misinformation, negative propaganda, and phishing scams every day. PHI is reportedly more valuable than credit card information. Credit cards can be canceled, and email addresses and phone numbers can be blocked, but how does a person respond to the theft of their medical information? That information can be used to obtain free medical care, file false medical claims, max out insurance coverage, and leave a person without coverage. Remember that PHI also includes birth dates, social security numbers, and former mailing addresses, all of which can be sold or used for other forms of identity theft.

Hospitals and healthcare facilities that operate in the private sector are particularly susceptible to ransomware demands. Government-funded facilities run on taxpayer money and therefore seldom pay the ransom, but a private-sector board can choose to pay the demanded ransom to have the information returned. Sophos' report indicates that 61% of responding facilities admitted to paying ransom demands.


Private facilities have proven not only that they are vulnerable to these attacks but that, to the hackers, they are worth the trouble and the risk of criminal charges and HIPAA violations. Unfortunately, their tendency to pay the ransom has created a vicious cycle. To learn more about HIPAA updates for 2023, you can read our two-part series:

HIPAA 2023 Updates: Health Insurance Portability and Accountability Act

HIPAA Updates 2023: News and Awareness Part 2

What Does HIPAA Stand For?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. It is the federal law that protects private patient information and prevents it from being shared without the patient's express consent.

How Can Hospitals Improve their Cybersecurity?

HIPAA compliance can help prevent malware and ransomware attacks because it requires specific security measures:

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
  • Implementing procedures to guard against and detect malicious software;
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

Hospitals can implement the changes necessary to secure cyber insurance. As of 2021, only 78% of the healthcare organizations in Sophos' report had coverage. Qualifying for cyber insurance is a challenge for healthcare facilities because insurers seek to reduce their risk, and the healthcare industry is a well-known target. Nevertheless, by shoring up their cyber defenses and meeting the insurers' requirements, hospitals take important steps toward reducing their risk of successful cyber-attacks and protecting PHI.


Hospitals can and should increase their allotted budget for cybersecurity. Statista's 2021 report on cybersecurity budgeting for U.S. healthcare organizations showed that very little is set aside to face this massive threat:

  • 18% of healthcare organizations reported 1-2% of their budget
  • 22% of healthcare organizations reported 3-6% of their budget
  • 15% of healthcare organizations reported 7-10% of their budget
  • 6% of healthcare organizations reported more than 10% of their budget
  • 23% of healthcare organizations said no specific amount is set aside for cybersecurity, but money is spent
  • 1% of healthcare organizations reported that no money is spent on cybersecurity
  • 18% of healthcare organizations said they don't know

Underfunding cybersecurity leaves a hospital or healthcare facility more vulnerable to attack. Hospitals and healthcare facilities often pay ransoms to recover their data, but on average they only recover around 65% of it. If hospitals and healthcare organizations remain vulnerable to attacks and don't implement the necessary security measures, they will remain a lucrative target for ransomware gangs.

Miranda is a Registered Nurse, Medical Fact Checker, and Publishing Editor at Nursa. Her work has been featured in publications including the American Nurses Association (ANA), Healthcare IT Outcomes, International Living, and more.
