What are the most common cyber threats in healthcare?

Jun 28, 2024

Learn about the most common cyber threats for the healthcare industry as well as the largest data breaches.

The healthcare sector remains one of the most critically sensitive areas vulnerable to cyber threats. According to recent reports, the healthcare industry is one of the most breached industries, ranking first in 2022 and second in 2023. 

As healthcare institutions increasingly rely on electronic medical records, telemedicine, and other technology-driven services, the scope for cyber attacks has escalated dramatically. These institutions represent a treasure trove of sensitive data—ranging from personal health information to financial details—which, when breached, can fetch high prices on the black market, making them a lucrative target for cybercriminals.

A combination of factors further compounds the vulnerability of the healthcare sector. Many healthcare systems are burdened with outdated infrastructure and a lack of dedicated cybersecurity resources, making them ill-equipped to fend off sophisticated cyber threats. Additionally, the high-stakes nature of healthcare data, coupled with the sector’s critical need for 24/7 operational continuity, creates unique challenges. Cyber attacks can not only compromise patient privacy but also disrupt healthcare services, leading to potentially life-threatening situations.

Understanding the nature of these cyber threats, their consequences, and the necessary protective measures becomes paramount in this context. 

Most common healthcare cyber threats

Ransomware

Ransomware is a type of malicious software that encrypts a victim’s files or locks them out of their systems, with the attacker demanding a ransom to restore access. The mechanism is straightforward: once the ransomware infects a computer or network, it either encrypts data with a key known only to the attacker or locks users out of their systems, and then presents a ransom note explaining how to pay to obtain the decryption key or regain access.

Phishing

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

Phishing poses a significant threat to the healthcare sector due to the sensitive nature of the information involved and the sector’s reliance on electronic communications.

Business email compromise (BEC)

Business Email Compromise (BEC) is a sophisticated scam targeting organizations with the aim of extracting money or sensitive information via fraudulent wire transfers or data leaks. This type of attack involves cyber criminals impersonating executives or trusted vendors and sending seemingly legitimate emails to employees. These emails often request urgent wire transfers or confidential information, exploiting the trust and authority of the impersonated individual.

BEC attacks can have particularly devastating effects on healthcare providers due to the sector’s reliance on prompt communication and the frequent exchange of sensitive data.

Account takeover

An account takeover occurs when a cybercriminal gains unauthorized access to a user’s account credentials and uses them to seize control of the account. This can involve patient accounts, employee accounts, or administrative accounts within healthcare systems. Attackers typically use stolen credentials, often obtained through phishing attacks, data breaches, or credential dumps traded on the dark web, to access sensitive systems and data.
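Because stolen credentials are usually replayed in bulk against a login portal before one of them works, the tell-tale sign of an account takeover in progress is one source address failing against many different accounts and then succeeding. The detector below is an added example, not code from the original post: it runs over a constructed patient-portal authentication log (format, IP addresses, usernames and the 5-accounts-in-5-minutes threshold are all assumptions for illustration) and reports which accounts were entered by a source that had just been spraying credentials.

```python
# Added example: flag credential-replay account takeovers in portal auth logs.
# Log format, sample values and thresholds are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <username> <result>".
# The first block is one address trying a list of stolen credentials;
# the second is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2024-06-28T09:00:01 203.0.113.7 jdoe FAIL
2024-06-28T09:00:02 203.0.113.7 asmith FAIL
2024-06-28T09:00:03 203.0.113.7 bwong FAIL
2024-06-28T09:00:04 203.0.113.7 ckhan FAIL
2024-06-28T09:00:05 203.0.113.7 dlee FAIL
2024-06-28T09:00:06 203.0.113.7 epatel SUCCESS
2024-06-28T09:05:00 198.51.100.3 jdoe FAIL
2024-06-28T09:05:30 198.51.100.3 jdoe SUCCESS
"""

def parse(log_text):
    """Turn raw log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail logins for at least `min_users` distinct
    accounts inside `window` and then succeed for any account.  Returns
    {ip: sorted accounts that were successfully entered after the spray}."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    flagged = defaultdict(set)
    for ts, ip, user, result in sorted(events):
        # Keep only this source's failures that still fall inside the window.
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if result == "FAIL":
            failures[ip].append((ts, user))
        elif len({u for _, u in failures[ip]}) >= min_users:
            # A success right after failing many different accounts:
            # treat the account as taken over and escalate for review.
            flagged[ip].add(user)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_credential_stuffing(parse(SAMPLE_LOG)))
```

In the sample, 203.0.113.7 is reported for the epatel account, while the single failed-then-successful login for jdoe from 198.51.100.3 is below the distinct-account threshold and is left alone.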

Distributed Denial of Service (DDoS)

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are carried out using multiple compromised computer systems as sources of attack traffic. They can range from simple nuisances to severe disruptions depending on the scale and target.

Biggest cyber attacks in healthcare

Anthem Blue Cross

In December 2014, Anthem, one of the largest health insurance companies in the U.S., experienced a massive data breach executed by Deep Panda, a sophisticated cyberespionage group. The attackers compromised Anthem’s database and extracted personal information belonging to approximately 80 million individuals. This information included names, birthdays, social security numbers, healthcare IDs, addresses, email addresses, employment information, and income data.

The breach was not detected until January 2015, highlighting significant vulnerabilities in Anthem’s security systems. Following the discovery, Anthem was subjected to multiple lawsuits and investigations, emphasizing the necessity for improved cybersecurity measures within the healthcare industry. The total cost incurred from the breach approached $260 million, covering legal settlements, enhanced security measures, and compensations to affected customers. This incident underscored the critical importance of safeguarding sensitive data and implementing robust cybersecurity protocols to deter such attacks in the future.

Premera Blue Cross

In March 2015, Premera Blue Cross announced a data breach that compromised the sensitive information of approximately 10.4 million individuals. This breach involved unauthorized access to data including social security numbers, bank account details, and health information, which began in May 2014 and went undetected until January 2015. The breach was linked to a sophisticated cyber attack, and the delay in detection highlighted significant gaps in Premera’s cybersecurity practices.

As a result of this breach, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) imposed a penalty of $6.85 million on Premera, marking it as the second-largest fine under the Health Insurance Portability and Accountability Act (HIPAA). The OCR’s investigation revealed that Premera had failed to conduct an adequate risk analysis and did not have sufficient measures in place to manage the security of sensitive personal and health information. Following this, Premera agreed to implement a corrective action plan to address these issues and improve their security framework. 

TRICARE

The TRICARE data breach in 2011 was one of the largest affecting U.S. military personnel, impacting approximately 4.9 million individuals. The breach occurred when backup tapes containing sensitive personal and health information were stolen from an employee’s car. The data included Social Security numbers, names, addresses, phone numbers, health information, and billing data. This breach highlighted significant security risks in handling and storing sensitive health data, particularly regarding the transportation and physical security of backup media.

In response to the breach, TRICARE and its contractor, Science Applications International Corporation (SAIC), faced widespread criticism for their data handling practices. Investigations focused on the security measures in place and the decision to transport sensitive data in such a vulnerable manner. The incident led to calls for stronger security protocols and better training for employees on the importance of data security, emphasizing the need to protect sensitive information, especially when it concerns military personnel and their families.

MCNA Dental

In early 2023, MCNA Dental experienced a significant cybersecurity incident that affected approximately 8.9 million individuals. This data breach, identified as the largest reported healthcare breach of the year, was orchestrated by the LockBit ransomware gang. Unauthorized access was detected on March 6, 2023, although the attackers had been in the network since February 26, 2023. The compromised data included a wide range of sensitive personal and health-related information such as full names, addresses, dates of birth, Social Security numbers, and details related to dental and orthodontic care, including insurance claims and billing information.

The aftermath of the breach saw MCNA Dental taking immediate steps to enhance their cybersecurity measures to prevent future incidents. Despite these efforts, the LockBit group escalated the situation by threatening to publish the stolen data unless they received a $10 million ransom. Ultimately, on April 7, 2023, LockBit followed through on their threat by releasing all the stolen data, which included personal and financial details of MCNA patients and their families, on their website. This put the victims at high risk of identity theft and fraud. In response, MCNA Dental offered affected individuals one year of free identity theft protection and credit monitoring services and took steps to address the security vulnerabilities that had been exploited during the breach.

The American Medical Collection Agency (AMCA)

The American Medical Collection Agency (AMCA) data breach, which occurred between August 1, 2018, and March 30, 2019, was a significant cybersecurity failure impacting over 21 million individuals. This breach was disclosed in June 2019, revealing that unauthorized access had been gained to AMCA’s system for several months. The exposed data encompassed a wide variety of sensitive information from multiple healthcare clients, including major names like Quest Diagnostics and LabCorp. The types of data compromised included patient names, demographic details, Social Security numbers, payment card information, and details of medical tests and diagnostic codes.

The breach had severe repercussions for AMCA, leading to legal actions across multiple states and ultimately pushing the company into bankruptcy. In response to the incident and subsequent legal pressures, AMCA was required to overhaul its data security practices. This included the implementation of a comprehensive information security program, the appointment of a Chief Information Security Officer, and regular security assessments by third-party assessors. These measures were part of a multistate settlement aimed at preventing such failures in the future and ensuring better protection of personal and health information.

Conclusion

The relentless evolution of cyber threats in healthcare underlines the critical need for heightened vigilance and enhanced security measures. As cybercriminals increasingly target the healthcare sector, exploiting its rich repository of sensitive personal and health information, the importance of robust cybersecurity protocols cannot be overstated. 

The highlighted incidents serve as stark reminders of the vulnerabilities that exist and the potential consequences of security lapses. These breaches not only jeopardize patient privacy but also erode trust in healthcare systems, underscoring the necessity for ongoing improvements in cyber defenses. As the healthcare landscape continues to integrate more digital solutions, the commitment to securing patient data must be unwavering, ensuring that security evolves in tandem with technological advancements.