Why Healthcare Gets Hit Hardest With Cyberattacks
Cyber-criminals often see healthcare firms’ shoddy protection as a “pot of gold.”

Our health data is some of the most confidential information we have, and the systems that most healthcare companies use to protect it from cybercrooks are somewhat sickly.
Thanks to a toxic mix of aging hardware, outdated software and shoestring operating budgets, they’re increasingly susceptible to cybercriminals who are not only lured by a gold mine of data but also armed with state-of-the-art hacking tools, experts told The Daily Upside, leading to some of the largest data breaches in history. And the risks extend far beyond lost data and eye-popping ransom payments.
“There’s really a direct danger to patient care and life,” says Rob Hughes, chief information security officer at security firm RSA. “That’s as serious as you can get. It’s a different type of pressure.”
Patchwork Measures
Statistics back him up: Last year was a landmark for healthcare data breaches. According to HIPAA Journal, there were 14 attacks involving the records of 1 million or more patients in 2024, exposing the records of more than 237 million individuals altogether. The biggest healthcare breach in history occurred only two months into the year, when ransomware attackers stole the data of 190 million people from Change Healthcare in February.
“There are a lot of vulnerabilities that healthcare organizations don’t even realize they have,” said Alpesh Shah, vice president of security strategic alliance at Myriad360. “Every individual who is touching a smart device is vulnerable to bring some sort of threat to the organization.”
The technological advances that have revolutionized healthcare over the past 50 years have simultaneously ramped up cybersecurity risks exponentially. The amount of personal information collected at healthcare facilities is mountainous, with every machine collecting bits of data on patient health at a constant rate.
Many of the technologically complex devices used daily or even hourly are operating on outdated software, Hughes said, a combination that leaves medical centers riddled with vulnerabilities.
For instance? A big MRI machine that still makes a nice MRI image but runs “an old version of Windows that can’t accept patches anymore,” he said.
Exacerbating the problem are security measures that often involve a patchwork of systems inexpertly quilted together, said Gary Salman, CEO of Black Talon Security. Healthcare organizations often use security solutions from multiple vendors, which can lead to a lack of standardization or centralization, he said.
While this puts them in a “feel-good position,” the mishmash of products may not always cover the ground that it should while creating both unnecessary complexity and a glut of data. “How do you triangulate all of this, especially in medium- and large-size healthcare organizations?” he asked.
At a more strategic level, few shareholders and healthcare practitioners prioritize cybersecurity budgets, focusing instead on delivering patient care. Smaller regional and rural healthcare facilities are often living below the “cybersecurity poverty line,” he said. “Security is going to come second.”
Plus, talented cybersecurity professionals have become increasingly sought after and expensive. And because of healthcare’s limited budgets for technology, it doesn’t always get the best cybersecurity talent, said Shankar Somasundaram, founder and CEO of Asimily.
“Healthcare may not always be able to pay the same amount,” said Somasundaram. “Strong talent would go to another vertical, where they’re getting paid more.”
‘Pot of Gold’
While formidable to healthcare executives, the tangled web of cybersecurity challenges merely sweetens the pot for hackers who, according to Salman, view healthcare data as a “pot of gold.” The information is highly sensitive, incredibly personal and usually deeply detailed. Plus, organizations are collecting massive amounts at a constant rate, he said. “Any size healthcare organization that has anywhere from thousands to millions of patient records – the risk is high,” Salman said.
Selling such data to brokers through underground channels is also far more lucrative than pushing other types of data, Somasundaram added. When hackers sell credit card information, “they have to collect 50 credit cards to make a single dollar,” he said. “They can sell a healthcare record for tens of dollars each.”
Because of the sensitivity of health data – and the fact that these records generally can’t be wiped or changed the way a credit card or phone number can – healthcare organizations will often pay up when hit with ransomware attacks, said Salman.
“Imagine having a human being’s complete demographic profile. That data could be sold to pharmaceutical companies,” said Shah. “Thieves will go where the money is. And data is the new money.”
Data loss is only the beginning of the problem, added Hughes. Cyberattacks can completely shut down healthcare facilities, forcing patients to seek care elsewhere, he said. In extreme cases, cyberattacks on healthcare organizations have been linked to fatalities, such as the 2019 attack on a hospital in Alabama that led to the death of a newborn.
“There is a state of mind that hackers are moral,” said Itay Glick, director of product at security firm OPSWAT. “We need to understand that not all the attack groups share the same ethical standards that we think they should.”
Despite the growing risks, healthcare organizations all too often simply react to attacks rather than working to prevent them, said Salman. Along with putting patients at risk, the strategy ends up costing organizations a far larger sum than they would have paid to establish adequate cyber defenses.
Mentality Shift
While change often happens slowly, there are a variety of steps healthcare organizations can take to make themselves less attractive targets.
Some are simpler, such as consistent security patching, strengthening credentials and providing cybersecurity education to staff, said Hughes. Vulnerability assessments and penetration testing can also help organizations identify their biggest weaknesses, said Glick.
Backup Plan: Backing up data, meanwhile, is vital for healthcare organizations, Glick added. Since a major part of ransomware attacks is “winning your data back,” having a backup stored can allow an organization to quickly recover, he said.
The most important fix, however, is making cybersecurity a priority, especially among leadership and stakeholders. Change and awareness have to come from the top, said Somasundaram. Rather than viewing cybersecurity as an additional cost, corporate decision-makers should treat it as a vital necessity.
“In any industry which prides itself on patient outcomes and patient wellness and improvement, they see cybersecurity as a cost, not an outcome-based thing,” Somasundaram said. “But if they could see the tie between cybersecurity and patient impact or lives, then I do believe they’d invest.”