- The healthcare industry is “cyber poor” and the most targeted sector for data breaches over the past four years, according to a Moody’s Investors Service report from this week.
- Moody’s said healthcare’s vulnerable state makes it “target rich,” which could bring service disruptions and personal data disclosures.
- Nonprofit healthcare organizations received a “very high risk” rating, while corporate healthcare was deemed “high risk.” Providers must ramp up investment in cybersecurity to protect patient data and avoid interruption of critical operations, the report said.
The report shows that the healthcare industry is more vulnerable to data breaches than other industries. Federal records indicate that healthcare breaches have exposed 385 million patient records from 2010 to 2022.
Cyber criminals target healthcare because it is a data-rich industry with weaker mitigation. The COVID-19 pandemic worsened the healthcare sector’s vulnerability with staff resignations and burnout plaguing the industry, the report said.
In addition, 89% of healthcare providers suffered a cyberattack over a 12-month time frame, according to a 2022 survey by Proofpoint and the Ponemon Institute.
The Moody’s report highlights several recent attacks in healthcare. In February, Florida-based Tallahassee Memorial Healthcare was forced to divert some emergency patients to other hospitals and cancel all nonemergency surgeries due to a cyberattack. In January, the pro-Russia group Killnet targeted hospitals in 25 U.S. states with a series of denial-of-service attacks, leaving hospitals offline for hours.
Meanwhile, the Lockbit group attacked Illinois-based CommonSpirit Health with ransomware, costing the health system about $150 million. The data breach compromised protected health information of close to 624,000 people in late 2022.
Moody’s partner BitSight Technologies said half of nonprofit hospitals and 40% of corporate healthcare organizations had “unwanted, potential harmful” software on their corporate IT networks. Third-party software leaves healthcare organizations vulnerable to ransomware and breaches and can interrupt critical medical operations.
“Unwanted programs are indicative of an organization’s lack of fundamental device protection capabilities,” the Moody’s report stated. “They can be used as a way to infiltrate the corporate network, and steal information or run malicious software.”
Healthcare stakeholders must take steps to practice good governance and maintain transparency when breaches occur. The report recommends that providers ramp up cybersecurity investment.
“Given the continuing high level of cyber risk in the sector, hospitals and healthcare providers around the world will face a growing need over the next few years to increase investment in their cyber defenses in order to protect patient data and ensure continuity of critical operations,” the report stated.
However, labor shortages, COVID-19 surges and supply chain disruptions will bring challenges for hospitals as they allocate funds for cybersecurity.