Data breaches in the healthcare industry are on the rise: What this means for your organization


A recent report by Claroty found that 78% of surveyed healthcare organizations experienced a cybersecurity incident in the last year. 

This is not only a concern for the organizations themselves but also for patients whose personal information may be compromised. Furthermore, over 60% of respondents reported a moderate or substantial impact on care delivery due to a cybersecurity incident. In this blog, we will explore why the healthcare industry is more vulnerable than others in today’s environment and what organizations can do to mitigate these risks.

Why is the healthcare industry more vulnerable?

The healthcare industry is a prime target for cyber-attacks because of the sensitive information healthcare organizations store and transmit. Medical records, insurance information, and financial data are all valuable to cyber-criminals.

Besides the value of the data, the healthcare industry is vulnerable because of outdated systems, limited budgets, and a lack of expertise. Many healthcare organizations still rely on legacy systems that are not compatible with modern security measures.

In addition, budget constraints often leave security measures as an afterthought rather than a priority. Healthcare systems' IT budgets typically make up around 6% or less of the total budget, which indicates cybersecurity's prioritization (or lack thereof).

Beyond that, healthcare systems must do their due diligence on any third parties and supply chain partners they work with. A 2021 BlueVoyant study reported that 93% of enterprise companies suffered a breach due to a supply chain or third-party vendor, with healthcare reported to experience the largest proportion of third-party breaches.



This raises the question: What can healthcare organizations and their HealthTech vendors do to mitigate the occurrence and impact of these data breaches?

How can data breaches impact healthcare organizations?

Data breaches can have significant financial and reputational consequences for healthcare organizations. They can result in penalties and fines from regulatory bodies, and patients will likely lose confidence in an organization that has been impacted by a cybersecurity incident.

A data breach can also impact service delivery, depending on how long it takes to contain the breach, resulting in loss of revenue and increased spending on mitigation and recovery efforts.

Let’s look at a couple of examples to get a sense of the potential scale of third-party data breaches in the healthcare industry.

Mom’s Meals: 1.2 M individuals affected

Mom’s Meals is a meal delivery service for people with chronic health conditions. In April 2023, it announced a data breach affecting more than 1.2 million customers. Data, including personal and protected health information (PHI), was made vulnerable in an attack in late January / early February 2023.

The data breach also impacted the company’s current and former employees as well as independent contractors.

Eyecare Leaders: 2 M individuals affected 

Eyecare Leaders (ELC) is an ophthalmology-specific EMR software. In 2022, a ransomware attacker obtained access to its database containing data such as patient names, phone numbers, addresses, emails, gender, birth dates, driver’s license numbers, health insurance information, appointment information, medical record numbers, Social Security numbers, and medical information relating to ophthalmology services.

The ELC breach affected countless healthcare organizations and over 2 million patients.

What can healthcare and HealthTech organizations do to mitigate risks?

Healthcare and HealthTech organizations must adopt a proactive approach to cybersecurity. Investing in modern security measures, such as firewalls, intrusion detection, and data encryption, is a priority. 

Regular security audits and vulnerability assessments should be conducted to identify gaps in the security system. Regarding cybersecurity, respondents of the Claroty poll reported NIST and HITRUST as the most important security standards in a global crisis.

Spoiler alert: If your organization can’t dedicate an internal resource to ongoing monitoring and maintenance, solutions like Thoropass can help!

HealthTech organizations can also provide regular cybersecurity training to staff, emphasizing the importance of adhering to security protocols and identifying potential phishing attacks.

Role of HealthTech leaders 

HealthTech leaders must be proactive in addressing cybersecurity risks. They must be familiar with the latest security trends and invest in cybersecurity measures. Hear more from Thoropass’s resident HITRUST expert, Zach Rutz.

HealthTech leaders should also collaborate with healthcare organizations to identify potential vulnerabilities in systems and provide solutions. HealthTech leaders must prioritize cybersecurity throughout the product development lifecycle, integrating security measures into the product from Day 1.

Summing it up

Data breaches in the healthcare industry are a growing concern. The loss of valuable data, financial impact, and reputational damage that result from cybersecurity incidents can impact the delivery of healthcare services, leaving patients vulnerable. 

Healthcare and HealthTech organizations must invest in modern security measures, including dedicating resources to ensure ongoing monitoring and maintenance. While it is important to have plans in place should something go wrong, proactivity is the name of the game. The best approach for preparing for a data breach is to prevent it from happening in the first place. The bad actors will only get smarter and more aggressive, so it’s essential to be prepared.



This post was written with help from AI, but all original thoughts and advice are those of the author. This post has also been peer-reviewed by in-house experts with the knowledge, skills, and expertise to corroborate its accuracy.
