Out of every industry, healthcare has had a particularly bad year in 2024, with cyber attacks happening across hospitals and healthcare settings all over America. A month ago, Change Healthcare finally put a number to how many people were affected by the February cyber attack on their systems: approximately 100 million. For context, that’s the personal details, from names to addresses to government identification documents, of about a third of the entire population of the United States permanently stolen.
Although the Change Healthcare hack is the largest of its kind, it’s certainly not an outlier. Over the last couple of years, healthcare has become a top target for cyber criminals looking for valuable private data, such as patient names and addresses, Social Security numbers, and medical information. In fact, according to the HHS Office for Civil Rights (OCR), cyber breaches in the healthcare industry increased by 93% between 2018 and 2022. Technological advancements have shaped the face of modern medicine, from the electronization of health records to the use of AI in breast cancer detection, to the ability to study online RN to NP programs. These changes in the way we record and treat healthcare problems have led to more efficient and more effective systems, ultimately saving human lives, but with positive innovation comes a new set of challenges—in this case, the increased rise of cyber attacks.
Why healthcare?
It might seem a little strange that hackers would want to target healthcare providers. When we think of cyber attacks on different industries, we typically think of scammers looking to break into financial institutions such as banks, or government strongholds like the FBI or CIA.
However, healthcare really does provide the perfect storm of converging factors that make it extremely appealing for hackers. Healthcare providers hold and process huge amounts of extremely sensitive information about citizens—information that can be manipulated and used by foreign forces for things like identity theft or political manipulation. Providing healthcare also usually involves engaging numerous partners or third-party vendors at different stages, creating complex ecosystems that form more opportunities for exploitation, as opposed to a more simple company-consumer relationship like one you might see in B2B or retail.
On the other hand, because they aren’t (or, at least, weren’t) obvious targets, and are typically huge organizations that require time to process and undergo change, healthcare organizers may not have the strongest security as compared to financial institutions or other more obvious targets. For example, the Change Healthcare hack occurred because hackers were able to exploit the lack of Multi-Factor Authentication (MFA)—a form of authentication that requires users to not only have the right password, but also a device on hand that they then use to verify their log-in attempt. Using a set of stolen credentials, hackers were able to log in to the Change Healthcare remote work portal and from there, access the private details of patients and extract the information. Although MFA is now relatively standard practice across tech and healthcare companies, the fact that Change Healthcare, which is owned by UnitedHealth Group (the US’ most valuable health insurance company) did not implement a basic security measure like MFA for is likely to be investigated and questioned, and may prompt other healthcare organizations to review and improve their data security.
What can healthcare organizations do to protect against cyber attacks?
With the increased number of cyber attacks, many healthcare organizations will be taking steps to increase their security and reduce opportunities for hackers to break into their systems. This might involve things like bringing in third-party companies to review or manage their data security, or joining specialized groups like Health-ISAC that provide resources and training to support healthcare organizations protect against cyber attacks.
Healthcare organizations must also be careful with introducing the appropriate security measures when considering or implementing new technologies. For example, the COVID pandemic forced the acceleration of the uptake of remote working, and many healthcare workers that started working remotely during the pandemic as an initially temporary measure have remained in that style of work even after the effects of the pandemic have mostly abated. However, as the hacking of the Change Healthcare remote work portal shows, companies also have to ensure that when implementing new technology or other things that affect ways of working, they also research and deploy the appropriate security protocols. With the development of AI, we can only begin to imagine the different kinds of technologies that will be emerging in the next few years—and with this, the emerging opportunities for malicious hackers to exploit new vulnerabilities. Consulting with experts or joining communities of professionals interested in the cyber security of health data will help healthcare organizations stay updated and protected.
At the end of the day, it’s imperative that healthcare providers and organizations take active and informed steps to protect themselves, their workers, and the patients for whom they are responsible, lest they find themselves next on the chopping (key)board.