HIPAA Healthcare Cybersecurity

Healthcare Cybersecurity

An In-depth Look at Cybersecurity in the US Healthcare Industry through Facts and Statistics

Healthcare Cybersecurity Spending and Resources

According to predictions from Cybersecurity Ventures, the healthcare industry is expected to invest over $125 billion in cybersecurity products and services between 2020 and 2025. This represents a growth rate of 15 percent year-over-year during the same period, as reported by the Herjavec Group. However, despite the increasing threat landscape, a staggering 56% of healthcare organizations allocate less than 10% of their IT budget towards cybersecurity, according to HIMSS.

One of the major challenges faced by healthcare organizations in addressing cybersecurity issues is acquiring the right talent. Proofpoint reveals that 53% of organizations lack in-house expertise, while 46% struggle with inadequate IT staffing. In addition, 41% of healthcare IT professionals believe that their organizations do not allocate sufficient financial resources to effectively execute their cybersecurity strategy.

Furthermore, when examining the most severe security incidents experienced by healthcare organizations, 24% of cases revealed that outdated IT equipment, such as legacy operating systems or unsupported software, served as the initial point of access, according to HIMSS. This outdated technology is also a significant concern for 39% of healthcare cybersecurity professionals. Alarmingly, almost half of these professionals stated that over 10% of their infrastructure is comprised of legacy systems.

Healthcare Phishing Scams

According to reports by the Herjavec Group and HIMSS, phishing scams account for more than 90% of cyberattacks targeting the healthcare sector. A survey conducted among healthcare cybersecurity professionals revealed that 45% of them experienced their most severe data breaches due to phishing attacks. These attacks came in various forms: general email phishing comprised 71% of incidents, spear-phishing 67%, voice phishing (vishing) and whaling 27% each, business email compromise 23%, SMS phishing 21%, phishing websites 20%, social media phishing 16%, pharming 3%, and deepfakes 2%.

In a study that simulated phishing campaigns against American healthcare organizations, it was found that nearly 1 in 7 fake phishing emails were clicked on by healthcare employees. Surprisingly, only 16% of healthcare employees consider themselves very well-informed about the risks posed by social engineering cybersecurity threats like phishing, as per KnowBe4. Moreover, 64% of healthcare IT professionals believe that their organizations are susceptible to business email compromise or spoofing phishing attacks, which in turn compromises the quality of patient care for two-thirds (67%) of organizations.

It is concerning to note that only 48% of healthcare providers have included protection measures against business email compromise and phishing attacks in their cybersecurity strategies. However, 62% of organizations have incorporated ransomware threats in their cybersecurity strategies, and 41% of healthcare providers conduct phishing attack simulations to educate their staff about cyber risks. Lastly, there was a staggering 220% increase in phishing incidents during the height of the COVID-19 pandemic in 2020, as reported by F5.

Employee Cybersecurity Training and Awareness in Healthcare

A recent report by KnowBe4 revealed that more than 75% of healthcare employees have received cybersecurity awareness training. However, the Journal of Medical Internet Research found that only 37% of hospitals conduct annual cybersecurity incident response exercises. Shockingly, Proofpoint discovered that just over half of organizations, at 51%, have incorporated medical device security into their overall cybersecurity strategy.

Further, recent data from Carnegie Mellon highlights that nearly 20% of insiders responsible for data breaches in healthcare organizations were not directly employed by those organizations, but rather worked as contractors or through business partners. This raises concerns about the security of third-party relationships in the healthcare sector.

In a troubling finding, Kaspersky revealed that one out of every four healthcare workers in the United States who believed they should have received cybersecurity training were never offered any such training. Moreover, Kaspersky also found that 34% of healthcare employees were unsure if their workplace even had a cybersecurity policy in place.

These findings shed light on important cybersecurity gaps within the healthcare industry, suggesting a need for improved training, incident response practices, and consideration of medical device security within overall cybersecurity strategies.

Ransomware in Healthcare

According to recent reports, the number of ransomware attacks targeting healthcare entities has seen a significant increase over the past few years. A study published in JAMA Health Forum revealed that these attacks doubled from 2016 to 2021. Another study by global cybersecurity company Sophos found that two out of three healthcare facilities experienced a ransomware attack in 2022 alone.

The financial impact of these attacks is also worth noting. In 2021, the average ransomware payment in the healthcare industry reached $197,000, which marked a 33% increase compared to the previous year. However, even when the ransom was paid, only an average of 64.8% of the encrypted data was successfully restored.

Furthermore, paying the ransom does not guarantee complete data recovery. Shockingly, only 2% of organizations that made the payment were able to regain access to all of their data. Despite this, a rising number of healthcare organizations, 61% to be exact, reported paying the ransom when targeted by ransomware attacks in 2021, a significant jump from 34% in 2020.

The impact of these attacks goes beyond financial losses. A survey conducted by Sophos Healthcare revealed that only 72% of providers were able to recover data by utilizing backups following a ransomware attack. Additionally, it was found that only 47% of healthcare facilities had their ransom payment covered by their cybersecurity insurance policies.

The consequences of ransomware attacks extend beyond the healthcare industry itself. A staggering 90% of private sector healthcare organizations reported that such attacks resulted in significant business and revenue losses. The recovery process is also costly, with healthcare providers spending an average of $1.85 million to recover from a ransomware attack.

The effects on patient care are also of great concern. Approximately one in four healthcare organizations that experienced a ransomware attack in 2021 reported taking more than a month to recover. This delay in recovery was associated with a range of negative outcomes, including an increase in patient mortality rates, as reported by a survey conducted by Proofpoint. Other side effects included procedure delays (64%) and complications arising from medical procedures (48%).

These findings highlight the urgent need for increased cybersecurity measures within the healthcare industry to protect patient data, ensure uninterrupted care, and mitigate financial and operational risks.

An Overview of Healthcare Cybersecurity

According to recent surveys, a concerning number of healthcare organizations are not prioritizing data backup and cybersecurity measures. More than a third of IT and security professionals in the industry admit to not backing up sensitive data. Additionally, only 50% of healthcare organizations regularly conduct cybersecurity audits.

Encryption safety controls are also lacking in many organizations, with only 38% having fully implemented them on their data at rest. However, the implementation rate increases to 50% for data in transit.

Patient concerns regarding privacy and cybersecurity in telehealth services are also prevalent, with 43% expressing worries in a recent survey.

Various reports indicate that hacking and IT incidents are major contributors to healthcare data breaches. Since 2008, hacking/IT incidents have accounted for 47% of reported data breaches in the US healthcare sector. This number has drastically increased over the years, with hacking/IT incidents making up 80% of cases in 2022. Since 2014, hacking/IT incidents have consistently been the leading cause of data breaches in US healthcare organizations.

The impact of these breaches is significant, affecting millions of individuals. In 2022 alone, 44 million individuals were affected by hacking/IT data breaches in the healthcare industry, a substantial increase from 900,000 in 2012. Since 2009, hacking/IT breaches in the healthcare sector have impacted a staggering 319 million individuals, almost the entire US population.

The average hacking/IT breach involves the compromise of 131,100 records. Several high-profile incidents have highlighted the severity of these breaches, with Anthem Inc., Optum 360, LLC, Premera Blue Cross, Laboratory Corporation of America Holdings, and Excellus Health Plan Inc. experiencing some of the largest healthcare data breaches reported.

The value of breached healthcare information is significantly higher than that of financial data. Medical information can sell for up to $1000 if complete, making it an attractive target for cybercriminals.

Cybersecurity attacks against healthcare supply chains have also disrupted patient care, as confirmed by 70% of surveyed healthcare IT professionals. These attacks pose substantial costs, with the most expensive healthcare breach in the United States costing an organization an average of $4.4 million. This cost includes lost productivity due to system downtime, disruption to healthcare operations, damage to IT infrastructure, remediation activities, and mitigating impacts on patient care.

Technologies such as the cloud, big data, and the Internet of Things are believed by 67% of IT professionals to amplify threats to patient safety and information integrity. This further highlights the need for robust cybersecurity measures in the healthcare sector.

Identity theft is a common consequence of healthcare data breaches, accounting for around 50% of the breaches. Victims of identity theft resulting from healthcare data breaches face an average out-of-pocket cost of $2,500 each.

The frequency of cybersecurity attacks is also concerning, with 38% of organizations reporting between 50 and 350 attacks per year. Additionally, 13% of organizations experience more than 350 attacks annually, nearly one per day.

Small healthcare providers are particularly vulnerable to cybercriminals as they are perceived to have weaker defenses.
