As of Monday, healthcare providers had already reported more than 330 data breaches to HHS’ civil rights office this year. The number of patients affected by these breaches in 2023 is nearly 41.5 million, a number rapidly approaching 52 million people — the total reported for the entirety of last year.
Just this month, HCA Healthcare — the largest for-profit health system in the country — suffered a data breach that impacted 1,038 hospitals and physician clinics across 20 states. To prevent the proliferation of data security incidents like this, healthcare organizations must examine their use of legacy systems as well as their reliance on third parties, according to a report released Thursday by cybersecurity firm Trustwave.
“The healthcare industry is characterized by highly specific challenges — like heavy usage of custom applications, numerous third parties and an unwavering commitment to patient care — that give rise to a unique cybersecurity risk profile,” said Karl Sigler, senior security research manager at Trustwave, in a recent interview.
He added that the nature of health-related data makes it highly valuable and attractive to cybercriminals. They exploit this information by selling it in underground markets or using it to extort money out of patients and providers, he said.
The report pointed out that many providers continue to use legacy systems that are no longer supported by vendors or are hard to patch and update, such as outdated IT systems or medical devices that rely on old versions of software. Since these systems are more vulnerable to cyberattacks, healthcare organizations should adopt additional safeguards, Sigler declared.
“It’s a double-edged sword because while healthcare providers should always prioritize patient safety and avoiding unexpected disruptions, it’s those same factors that lead healthcare organizations to be more cautious about adopting software patches or making changes that may be vital from a cybersecurity standpoint,” he explained.
The Trustwave team tracked how long it takes its healthcare clients to remedy issues reported to them after a cybersecurity assessment, and found that remediation takes two months, Sigler said. This lag exposes a security lapse that hackers “will always take the opportunity to exploit,” he noted.
This problem is especially prevalent among medical devices and hardware. Medical device hardware typically remains active for 10-30 years, but providers don’t always remember that they need to update the software used in these devices every couple months or so, Sigler said.
Third-party reliance is also a major concern that healthcare organizations need to probe. It’s incredibly common for providers to do business with numerous third parties, but it does create an increased attack surface, Sigler pointed out.
“Unfortunately, cybercriminals often target these third parties as a strategic maneuver — if they successfully breach a third-party vendor, they gain access to some or all of that third-party vendor’s customer base. This poses a significant threat to healthcare organizations since many of these vendors lack robust cybersecurity measures and data breach protection,” he explained.
Working with third parties is usually unavoidable for providers, so Sigler recommended they investigate their partners’ cybersecurity measures more closely. He said healthcare organizations fail to assess their external vendors’ data security protections “far too often.”
Taking a closer look into third-party partnerships and the use of legacy systems not only yields benefits in safeguarding patients’ privacy, but also proves important for keeping costs down — the report revealed that the average cost of a healthcare data breach is $10.1 million.
Given the sensitive nature of healthcare data and the stringent regulatory obligations to which providers must adhere, the financial repercussions of a data breach within the healthcare industry “far surpasses” those faced by other sectors, Sigler declared.
“Healthcare faces much stricter regulations like HIPAA that require them to not only protect personal health information, but also report data breaches to clients as well as the government. The added strain of those processes and the resulting fines add to the overall cost,” he said.
Cyberattacks also sometimes cause downtime at hospitals, leading to even more money loss, Sigler pointed out. Scripps Health’s 2021 data breach is an example of this — the San Diego-based health system not only paid $3.5 million to the victims of the breach, but it also reported a $113 million revenue loss due to a month-long system outage.