Ransomware attacks on healthcare organizations continue to soar. According to IT Governance USA, the healthcare sector reported 280 cyber incidents as of June 2024. At the halfway point of 2024, that figure represented 24% of all United States cyber events. Healthcare providers face increasing pressure to secure each patient’s protected health information (PHI) data while minimizing disruptions.
Healthcare organizations attracting the interest of cyber criminals is not new. This sector has always been a target, and that bullseye grew during the Covid-19 pandemic. During this time, the industry rapidly digitized operations as part of the shift to remote care in what seemed like the blink of an eye — according to EY research, 43.5% of Medicare primary care visits in April 2020 were via telemedicine versus 1% two months prior.
This digital pivot, however, came with unforeseen risks. For example, connected devices have dramatically expanded the attack surface and introduced potential new points of entry for cybercriminals who are on the hunt for electronic health records (EHRs). CNBC recently reported that EHRs are selling for $60 on the dark web. Compare that to Social Security details that sell for $15 and credit information that fetches $3, and it’s easy to see why healthcare organizations are popular targets.
Add to this the fact that these organizations face literal life-or-death consequences, which have increased the likelihood of hefty ransom payouts. This helps explain why healthcare is consistently one of the more impacted industries when it comes to ransomware attacks.
Healthcare incidents and claims
Today, the number of insurance claims from healthcare cyber incidents is in line with industry averages. Where things differ is with the frequency of “vendor breach” and “third-party ransomware” claims. For healthcare, these figures are notably higher, which is likely due to the sector’s regulatory requirements to report PHI breaches.
For example, if a hospital outsources MRI services to a third-party vendor and that vendor experiences a breach, the hospital, as the covered entity under HIPAA, must inform affected patients, which results in costs that are submitted as a cyber claim. Since ransomware typically involves data access and theft, third-party ransomware claims follow similar patterns.
Taking action
Recognizing its vulnerability to cybercrime, the healthcare industry continues to prioritize cybersecurity. Areas where organizations should be focusing their efforts include:
Cyber hygiene – While the industry talks a lot about increased investment in cybersecurity solutions, organizations cannot afford to overlook the need to improve cyber hygiene and, more specifically, employee training in cyber awareness. For anyone wondering why employee training is such a high priority, consider this research from Verizon: According to a 2024 study by Stanford University and Tessian, 88% of data breaches are caused by employee mistakes.
One common option businesses can leverage to help curb these errors is a security awareness training program. These programs are designed to give healthcare professionals the knowledge and skills to identify and respond to cybersecurity threats, which can include anything from phishing campaigns to more complex AI-powered social engineering attacks.
Cyber resilience – Healthcare organizations should also focus on resilience. This means investing in comprehensive security controls (multifactor authentication, endpoint detection and response) and effective, tested backup systems to minimize the impact of an attack and reduce their dependency on paying ransoms.
Third-party risk management (TPRM) – Most healthcare organizations work with third parties, and it’s likely many of these businesses lack the same levels of cybersecurity investment. Research from Security Scorecard reports that healthcare has the highest volume of third-party breaches of any industry. According to the research, “35% of all reported healthcare data breaches occurred at third-party vendors.”
This is why TPRM programs are vital. A solid program will not eliminate all risks, but it will help your organization assess and identify the risks associated with third-party vendors so a plan is in place before a critical partner is breached. Begin by establishing a framework that clearly states how the business identifies third parties and how their risks are assessed, monitored, and managed. Once complete, work with employees to ensure they understand the many risks that come with working with third parties and the key elements of the TPRM plan.
Next, review each vendor’s attestations to assess their current security investments and confirm they are sufficient and in compliance with all relevant industry regulations. To help ensure your team is asking the right questions, check out this Vendor Supply Chain Risk Management (SCRM) Template from the Cybersecurity and Infrastructure Security Agency (CISA). From there, be sure you have an incident response plan in place that includes cyber insurance.
Looking ahead
Ransomware attacks have become more frequent and sophisticated. As a result, healthcare organizations must remain on guard, continually assessing and advancing their security protocols and resilience measures. The shift to digital operations and interconnected devices has improved patient care, but it has also made cybersecurity a vital component of healthcare delivery. To protect patient information, maintain continuous service, and safeguard against financial and reputational damage, healthcare entities must balance immediate defenses with proactive, long-term security strategies that extend to third-party vendors. Through these combined efforts, the healthcare sector can move closer to a more sustainable defense against cyber threats while ensuring each organization is prepared for the ongoing challenges that lie ahead.
Lauren Winchester is the Head of Cyber Risk Services at Travelers. Cyber Risk Services is responsible for policyholder cyber services and experience at Travelers. We combine excellent customer service, expertise, and vendor relationships with vulnerability scanning and threat intelligence to create a proactive, tailored, and scalable cyber risk management experience. Lauren has spent the past decade in cyber insurance, and she began her career as a practicing attorney at an Am Law 100 firm, focusing on litigation and data privacy.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.