Cybersecurity has become a leading concern of the healthcare industry, with ransomware attacks causing catastrophic disruption to the sector globally. In 2020, 81% of UK healthcare organisations detected attempted ransomware attacks, and by 2023 these attacks were nearly four times higher than the global average. According to a new report by KnowBe4, the majority of cyberattacks, between 79% and 91%, begin with a phishing or social engineering attempt, which gives criminals access to accounts or servers. As a result, healthcare and pharmaceutical organisations have become some of the most vulnerable to phishing attacks – according to the latest phishing by industry benchmarking report, employees in the sector have a 51% likelihood of falling victim to a phishing email.
The reason for a surge in cyberattacks on the healthcare sector
There are three key reasons why cybercriminals have focused their attention on the healthcare industry:
Sensitive data: Hospitals and other medical organisations hold a high volume of sensitive patient details, including patient records and personal notes covering anything from demographic information to medicinal care. They also store financial and insurance information in databases, which is clearly extremely sensitive. Statistically, healthcare organisations secure 22% more data than the global average, and the industry saw its database grow by 27% in 2023 alone. With this amount of highly sensitive information stored on healthcare systems, it is no wonder that cyber criminals are targeting the industry in record numbers.
Digital transformation: There have also been dramatic advances in digital solutions within the healthcare industry, which have helped to reduce costs and increase efficiency. However, these advances have come without equal investment in cybersecurity. This can be seen in healthcare organisations around the world, but it is especially true in smaller hospitals and practices, where staff have less know-how or funding, making them more vulnerable and susceptible to cyberattacks.
The rise of connectivity: Threat actors have also been able to prey on the interconnectedness of the healthcare industry. Hospitals share large amounts of information between organisations, making the sector one of the most connected in the world. There is a constant flow of information, including appointments, results and doctors’ notes, moving between patient portals, smartphones, computers and more. Interconnectedness can increase the efficiency of healthcare organisations, but it is a double-edged sword that can result in even more damaging data breaches if inadequate cybersecurity defences are in place or security best practices are not being followed.
The consequences of cyberattacks on employees, patients, and the sector
The consequences of these increased attacks can be seen throughout the healthcare industry because the combination of modest cybersecurity budgets and large volumes of personal data places the sector in a vulnerable position. Financially, healthcare organisations aren’t able to invest in stronger cybersecurity measures and are also left with no choice but to pay large sums to ransomware groups due to the sensitive data that is stolen. The average cost of a breach in the healthcare sector is nearly $11 million, more than three times the global average. This financial burden is catastrophic for an industry where every penny counts.
There has also been a terrible impact on patients, as cyberattacks have resulted in disruptions to appointments across all sectors. In 2024 alone, there have been several cases of healthcare organisations cancelling appointments as well as suspending appointment scheduling. Disruption from cyberattacks may have contributed to the deaths of anywhere from 42 to 67 patients between 2016 and 2021, showing the tragic results these attacks can have on innocent patients of healthcare organisations.
Steps the healthcare sector can take to improve security awareness and reduce the risk of common attacks
With lives at stake and increasingly large sums of money handed to attackers, it is vital that healthcare organisations develop plans and take action to reduce the likelihood of being attacked in the future. It is clear that investment in cybersecurity, and raising security awareness across the workforce, is essential both to make cyberattacks harder and to deter attackers in the future. This needs to happen throughout the entire industry, building stronger IT security teams as well as investing in modern defence systems.
With this in mind, it is also vital to implement proactive measures such as multi-factor authentication, which can instantly reduce an attacker’s chance of gaining access to accounts. It is also important to invest in comprehensive training for staff, as this is something that has been largely ignored up to this point. In Europe, a worrying 60% of non-IT healthcare staff had not received security awareness training in 2023, resulting in several successful cyberattacks. However, the positive news is that one year of integrated cybersecurity awareness training results in phishing-prone percentages dropping dramatically, to just over 5% for healthcare and pharmaceutical organisations. This clearly shows that providing staff with cybersecurity awareness training can massively reduce the threat posed by ransomware groups and provide respite for the healthcare industry.
Coordinated efforts needed urgently to combat cyberattacks in healthcare
While the challenges faced by the healthcare industry in combating cyberattacks are significant, the solutions, though seemingly simple, require coordinated efforts and substantial investment. Implementing cybersecurity measures and comprehensive security awareness training is imperative for safeguarding patient data and ensuring the continued reliability of healthcare services. Without urgent action, the escalating cost and frequency of cyberattacks will continue to undermine the sector’s ability to provide essential care, making it clear that change is not just necessary, but critical for the future of healthcare.
By Javvad Malik, lead security awareness advocate at KnowBe4