Why Healthcare Gets Hit Hardest With Cyberattacks
Our health data is some of the most confidential information we have, and the systems that most healthcare companies use to protect it from cybercrooks are somewhat sickly.
Thanks to a toxic mix of aging hardware, outdated software and shoestring operating budgets, they're increasingly susceptible to cybercriminals who are not only lured by a gold mine of data but also armed with state-of-the-art hacking tools, experts told The Daily Upside, leading to some of the largest data breaches in history. And the risks extend far beyond lost data and eye-popping ransom payments.
'There's really a direct danger to patient care and life,' says Rob Hughes, chief information security officer at security firm RSA. 'That's as serious as you can get. It's a different type of pressure.'
READ ALSO: NBA Finals Kick Off With an Old (Footwear) Friend and Tariffs Deliver Record Drop in US Trade Deficit
Statistics back him up: Last year was a landmark for healthcare data breaches. According to HIPAA Journal, there were 14 attacks involving the records of 1 million or more patients in 2024, exposing the records of more than 237 million individuals altogether. The biggest healthcare breach in history occurred only two months into the year, when ransomware attackers stole the data of 190 million people from Change Healthcare in February.
'There are a lot of vulnerabilities that healthcare organizations don't even realize they have,' said Alpesh Shah, vice president of security strategic alliance at Myriad360. 'Every individual who is touching a smart device is vulnerable to bring some sort of threat to the organization.'
The technological advances that have revolutionized healthcare over the past 50 years have simultaneously ramped up cybersecurity risks exponentially. The amount of personal information collected at healthcare facilities is mountainous, with every machine collecting bits of data on patient health at a constant rate.
Many of the technologically complex devices used daily or even hourly are operating on outdated software, Hughes said, a combination that leaves medical centers riddled with vulnerabilities.
For instance? A big MRI machine that still makes a nice MRI image but runs 'an old version of Windows that can't accept patches anymore,' he said.
Exacerbating the problem are security measures that often involve a patchwork of systems inexpertly quilted together, said Gary Salman, CEO of Black Talon Security. Healthcare organizations often use security solutions from multiple vendors, which can lead to a lack of standardization or centralization, he said.
While this puts them in a 'feel-good position,' the mishmash of products may not always cover the ground that it should while creating both unnecessary complexity and a glut of data. 'How do you triangulate all of this, especially in medium- and large-size healthcare organizations?' he asked.
At a more strategic level, few shareholders and healthcare practitioners prioritize cybersecurity budgets, focusing instead on delivering patient care. Smaller regional and rural healthcare facilities are often living below the 'cybersecurity poverty line,' he said. 'Security is going to come second.'
Plus, talented cybersecurity professionals have become increasingly sought after and expensive. And because of healthcare's limited budgets for technology, it doesn't always get the best cybersecurity talent, said Shankar Somasundaram, founder and CEO of Asimily.
'Healthcare may not always be able to pay the same amount,' said Somasundaram. 'Strong talent would go to another vertical, where they're getting paid more.'
While formidable to healthcare executives, the tangled web of cybersecurity challenges merely sweetens the pot for hackers who, according to Salman, view healthcare data as a 'pot of gold.' The information is highly sensitive, incredibly personal and usually deeply detailed. Plus, organizations are collecting massive amounts at a constant rate, he said. 'Any size healthcare organization that has anywhere from thousands to millions of patient records – the risk is high,' Salman said.
Selling such data to brokers through underground channels is also far more lucrative than pushing other types of data, Somasundaram added. When hackers sell credit card information, 'they have to collect 50 credit cards to make a single dollar,' he said. 'They can sell a healthcare record for tens of dollars each.'
Because of the sensitivity of health data – and the fact that these records generally can't be wiped or changed the way a credit card or phone number can – healthcare organizations will often pay up when hit with ransomware attacks, said Salman.
'Imagine having a human being's complete demographic profile. That data could be sold to pharmaceutical companies,' said Shah. 'Thieves will go where the money is. And data is the new money.'
Data loss is only the beginning of the problem, added Hughes. Cyberattacks can completely shut down healthcare facilities, forcing patients to seek care elsewhere, he said. In extreme cases, cyberattacks on healthcare organizations have been linked to fatalities, such as the 2019 attack on a hospital in Alabama that led to the death of a newborn.
'There is a state of mind that hackers are moral,' said Itay Glick, director of product at security firm OPSWAT. 'We need to understand that not all the attack groups share the same ethical standards that we think they should.'
Despite the growing risks, healthcare organizations all too often simply react to attacks rather than working to prevent them, said Salman. Along with putting patients at risk, the strategy ends up costing organizations a far larger sum than they would have paid to establish adequate cyber defenses.
While change often happens slowly, there are a variety of steps healthcare organizations can take to make themselves less attractive targets.
Some are simpler, such as consistent security patching, strengthening credentials and providing cybersecurity education to staff, said Hughes. Vulnerability and penetration-testing can also help organizations identify their biggest pitfalls, said Glick.
Backup Plan: Backing up data, meanwhile, is vital for healthcare organizations, Glick added. Since a major part of ransomware attacks is 'winning your data back,' having a backup stored can allow an organization to quickly recover, he said.
The most important fix, however, is making cybersecurity a priority, especially among leadership and stakeholders. Change and awareness have to come from the top, said Somasundaram. Rather than viewing cybersecurity as an additional cost, corporate decision-makers should treat it as a vital necessity.
'In any industry which prides itself on patient outcomes and patient wellness and improvement, they see cybersecurity as a cost, not an outcome-based thing,' Somasundaram said. 'But if they could see the tie between cybersecurity and patient impact or lives, then I do believe they'd invest.'
This post first appeared on The Daily Upside. To receive delivering razor sharp analysis and perspective on all things finance, economics, and markets, subscribe to our free The Daily Upside newsletter.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Medscape
an hour ago
- Medscape
When Junior Residents Challenge Chief Attendings
Life as a medical student is far from easy. Every day, you grapple with a vast course load, erratic shifts during clinical rotations, stress, anxiety, and burnout. Yet, once you've reached the summit of that academic journey and are conferred with your medical degree, you start your residency, shiny new objects surrounded by much more experienced people. As a young resident or medical student, the mere idea of disagreeing with an attending physician in a position of power may raise hairs. After all, junior residents and students often look up to attendings, seeing them as versatile healers who can seemingly fix any ailment as they attend to the wards they lead. As a third-year medical student on call late at night, Suresh Mohan, MD, found himself in disagreement with a senior physician — the chief resident — over the treatment of a patient, which then escalated into an acute emergency. 'I quickly realized [about this senior physician] 'I think you're letting your ego get in the way of doing the right thing for the patient.' That was the first time I disagreed with the way that I watched this person manage something…I realized it was a very human emotion that got in the way of them doing the right thing,' said Mohan. Bleeding Trachea, Bold Dissent Mohan is now an otolaryngologist and surgeon at Yale Medicine, New Haven, Connecticut, with a specialty in reconstructive and cosmetic surgery for the face, head, and neck. But the experience he had as a third-year student still resonates with him. With few people around to help, Mohan found himself relatively alone. 'Sometimes, you're the only trainee in the hospital…the only doctor in the hospital that's responsible for all the patients that need ENT [ear, nose, and throat] care,' he said. While on call late that night, Mohan and his chief resident were called in on a consult for a patient's bleeding trachea after the patient had undergone a tracheotomy earlier that morning. During a tracheotomy, a surgical opening is made in the neck and a tube is inserted directly into the trachea. It is usually performed by an otolaryngologist. Bleeding from tracheotomies can range from minor oozing due to irritation or suction trauma to life-threatening hemorrhages if a major vessel is involved. Upon seeing the patient, the chief resident said there was nothing to worry about and they will continue to monitor the patient. An hour later, Mohan was called again, but his chief maintained that everything was fine. 'Of course, in the back of my head, I'm wondering if it's bleeding more,' said Mohan. Within the next few minutes, they were called two more times to see the patient, and yet his chief was adamant that no further action needed to be taken at that time. 'Eventually a code was called…we were rushing over there…and it turns out the trach was not fully in the airway,' Mohan said. 'The patient was having trouble breathing and causing more to happen from that…it escalated quickly into a much more acute emergent situation.' Mohan and the team started yelling for instruments, trying to get the trach tube back in place in the patient's trachea. Fortunately, they were able to secure the airway. One of Mohan's biggest takeaways from the experience: 'It doesn't matter if they call you three times, you still need to do the right thing.' Post-Bariatric Bleeding Incident As a third-year general surgery resident, Joshua Rarick, MD, found himself on call and alone at Covenant Hospital in Saginaw, Michigan. In the late evening during a 24-hour shift, a patient's vitals began to drop following a Roux-en-Y gastric bypass. Rarick had not personally performed the initial surgery, but as the resident on call, he had to respond to nurses messaging him with concerns about the patient's blood pressure dropping. 'To me, it looked like the patient was probably bleeding, so I had called the attending to update them,' he said. Rarick tried to temporize the bleeding, but his attending didn't agree. After a few hours of fluids, during which the patient would transiently respond, eventually the patient's vitals and pressure came back down because she was still bleeding. '[My attending] disagreed with my plan to go back to the OR [operating room], but eventually we had to go back to the OR because there was a bleeder that we needed to clip,' Rarick said. Rarick is now a fourth-year general surgery resident. He said these types of interactions aren't uncommon, and not all disagreements end with tempers flaring. 'Sometimes, attendings disagree with you, and they say, 'No, let's do this instead,' which is normal,' Rarick said. 'But that was one of the first times that there was an actual disagreement with what I thought the plan should be.' Advocating for Optimal Patient Care As a medical student or junior resident, if you truly feel a patient's case isn't being properly handled, don't be afraid to speak up in a conciliatory manner. 'There are many situations where seasoned attendings are so specialized, their knowledge in other areas of the field might be lacking or just not up to date,' said Mohan. 'So especially as residents who are on top of all the latest info, you have an opportunity to educate, but doing so in a way that's palatable is really important.' But what if an attending disagrees with a junior resident's or student's concerns, and the latter still feels strongly about the mishandling of a patient's case? In extreme cases where all other resources are exhausted, you'd want to contact a hospital ombudsman, clerkship director, site director, or even faculty mentor, said Mohan. 'If there's something egregious happening, and the resident or student doesn't feel comfortable approaching in a direct format, ombuds people are able to report a concern,' he said. Mohan listed an order of resources to consult before this, however. 'First, look it up to understand if your question is reasonable. Two, talk to a resident to try to get some more knowledge. Then, if you're still not feeling comfortable, and gently assuming that the attending is not receptive, I think finding other faculty mentors is probably the next place to go. And if you're really feeling lost, then contact an ombudsperson.'
Yahoo
an hour ago
- Yahoo
Domestic violence incident near Quincy under investigation
Jun. 9—QUINCY — A domestic violence situation involving a firearm unfolded late Saturday evening in the unincorporated Quincy-Ephrata area in the 11000 block of Road G-Northwest, prompting a multi-agency response from local law enforcement, according to a statement from the Grant County Sheriff's Office. Authorities were alerted around 10 p.m. to a report of a 55-year-old woman whose domestic partner allegedly held a shotgun to her head during a confrontation. The victim managed to escape the situation. The suspect, a 44-year-old man, reportedly used the shotgun to shoot himself in the head. He was subsequently transported to Harborview Medical Center in Seattle; however, details regarding his current condition remain undisclosed, according to Grant County Sheriff's Office Public Information Officer Kyle Foreman. He also addressed the seriousness of the situation, emphasizing the importance of seeking help. "I always suggest that victims call 911 if they believe that they or someone they know is experiencing domestic violence," he said. Following the incident, resources for domestic violence assistance were made available to the victim. The identities of both the victim and the suspect have not been released due to the sensitive nature of the case. The investigation continues, with cooperation from the Quincy and Ephrata Police Departments, along with Grant County Fire District 3 and Columbia EMS. Domestic violence resources: New Hope 509-764-8402 Hope Source 509-707-0179 Opportunities Industrialization Center 509-765-9206 Crossroads Resource Center 509-765-4425 Housing Authority of Grant County 509-765-4425 Renew Grant Behavioral Health and Wellness 509-765-9239 Adams County Integrated Health Care Services 509-488-5611 Family Services of Grant County 509-766-9877 Northwest Justice Project 509-381-2332 Planned Parenthood 866-904-7721
Yahoo
an hour ago
- Yahoo
Nassau County Exec Bruce Blakeman's shocking move throws wrench in Hochul's hospital ‘takeover'
Nassau County executive Bruce Blakeman refused to nominate anyone to Nassau University Medical Center's board — saying in a surprise announcement Tuesday he was protesting Gov. Kathy Hochul's 'illegal' takeover of the hospital. Blakeman, a Republican, was set to announce his picks for the NUMC board of directors after at least 10 executives resigned in protest to New York state's takeover of the facility — but instead said he will not be naming anybody to the Democratic governor's 'puppet board.' 'The state blatantly passed a law, which is illegal, to take over Nassau University Medical Center with the sole interest in closing the hospital as we know it,' Blakeman told reporters at a press conference outside the hospital. He called NUMC 'one of the finest medical facilities in the United States' and said he won't stand for state officials shutting it down. The state has denied allegations that it plans to shut down the hospital or convert it into a mental or behavioral health facility. But a 2024 letter from the state Department of Health, which was obtained by The Post, said the agency determined that the only way for the hospital to be fiscally sustainable is to cut staff and multiple departments and convert to a behavioral health facility. The letter was signed by Hochul. Blakeman blasted Hochul and state officials, accusing them of bringing on a financial crisis. 'The state has defunded this hospital with the intent to take it over and make this bogus claim that there is a financial crisis,' Blakeman said. Former NUMC chairman Matthew Bruderman has filed a lawsuit accusing the state of systematically defunding the hospital in a convoluted scheme. The allegations sparked a federal investigation. 'Now the state, without any transition plan, without any coordination whatsoever, has taken this power grab, and let's be clear, this is nothing more than a cover-up,' Blakeman said, citing the allegations. NUMC said they've turned around the fiscal disaster since new leadership under Blakeman took the reins and is now on track to profit $11 million this year without cutting any jobs or departments — despite being in the hole hundreds of millions of dollars just a few years ago. Blakeman and hospital staff said the state provided $180 million in subsidies to the hospital in 2021 but has provided no aid in 2024 and 2025 — claims Hochul's office denied. 'We want the state to fund this hospital as they've done before, and this hospital has done a great job, the turnaround of this hospital the last four years has been remarkable because of the people standing behind me,' he said of the medical staff surrounding him. 'Instead of being partners, they want us to be puppets. That ain't happening.' Gordon Tepper, the governor's Long Island spokesperson, called Blakeman's remarks 'ridiculous.' 'The board's restructuring is the best possible news for anyone who relies on NUMC,' he told The Post. 'There's been gross mismanagement at the hospital for years under the County's watch which has forced this desperately needed intervention.' A day after the 10 executives announced their resignation from the board last week, Hochul named former head of Hofstra University Stuart Rabinowitz to helm NUMC's board, along with three other new appointees, the governor's office announced. Hochul chooses the chair and gets six picks in total on the hospital's new board, including one recommended by the Assembly speaker and another recommended by the head of the state Senate. Two were to be appointed by Blakeman while the Nassau County Board of Legislators gets three picks for the board: two from the GOP majority and one from the dem minority. A legislature source told The Post that the GOP majority plans on following Blakeman's decision and not appointing anybody to the board. The Democrats meanwhile, slammed Blakeman's decision as a ''blatant refusal to do his job' and said they plan to move forward with their nomination. 'We intend to make our appointment to the NUMC board because we follow the law and put patients before politics,' Democratic Nassau County Legislator Seth Koslow said. 'His administration drove NUMC into financial and operational chaos. Now the state is stepping in to stop the bleeding, and instead of helping, he's walking off the field,' he added.
