How To | Technology

Protecting Against Cybersecurity Threats


With the increasing sophistication of cyberattacks in health care, hospitals and health systems must make sure they have effective cybersecurity infrastructures to protect themselves and their patients from such attacks.

Cyberattacks continue to threaten the security of health systems and hospitals by compromising patient privacy and safety and causing financial damage. Understanding the sources of cyberattacks can help these organizations protect themselves against this threat.

The increased prevalence and interoperability of electronic health records, connected medical devices, internet of things (IoT) devices, and other connected technologies in health care have benefited patients by allowing for more coordinated care and more engagement with their healthcare providers. However, as the U.S. healthcare system becomes increasingly internet-based, it also will become more vulnerable to cyberattacks—often from unexpected directions.

For example, one hacker gained access to medical records at a hospital by hacking into the food services system. Healthcare data breaches cost, on average, $408 per record—the highest cost among all industries for the eighth straight year, and nearly three times higher than the cross-industry average of $148 per record. Cybersecurity attacks compromise patient safety and privacy, impact a hospital’s reputation and patients’ trust in the hospital, and can potentially cause significant financial damage.

Types of Cybersecurity Attacks

Insider threats are a large part of cybersecurity risks. According to one study, 58 percent of cybersecurity incidents in health care involve individuals employed by the health system. Insider threats can range from accidents (e.g., a lost laptop) and unknowingly clicking on a phishing link to purposefully selling or using personal health information for identity theft.

Ransomware represents another common form of cybersecurity risk. Ransomware is a type of software that cyberattackers use to take over a victim’s computer system and deny the user access to data unless the user pays a ransom, generally in cryptocurrency, to unlock the files. This year, there have been well-publicized ransomware attacks against healthcare organizations such as Allscripts and LabCorp, with both attacks shutting down system functionality for a week or more.

The proliferation of IoT devices and their use in health care is growing rapidly, providing hackers more endpoints to target health information. IoT devices can range from the 3.7 million clinical devices that collect and transmit data via online networks to devices like iPads and wearables, which may not be critical to care but have increasing access to patient data. In July, the National Institute of Standards and Technology (NIST) issued a report indicating that clinicians are increasingly bringing their own smartphones and other devices to use at work, which necessitates protection against both privacy violations and cybersecurity vulnerabilities.

The Food and Drug Administration also recently released an action plan for medical device safety to help inform both owners and users of potential vulnerabilities in their devices. The plan may be a helpful resource for hospitals and health systems looking to increase device security.

The increase in merger and acquisition activity in the healthcare sector is another issue that raises cybersecurity concerns. When two systems merge and interconnect, IT integration challenges invariably arise. Different medical technologies and devices, along with the need to share information between newly merged organizations, can create new vulnerabilities in systems.

Improving Cybersecurity Response

With the looming threat of expensive cyberattacks, hospitals and health systems can face a variety of internal challenges in treating cybersecurity as an enterprise-wide risk management issue rather than just an IT issue. Preventive planning is the main tool for protecting against cyberattacks in the first place, but some hospitals do not realize that their current levels of due diligence put them at risk.

Proper staffing is key to advancing good cyber hygiene, defined as the individual behaviors used to appropriately protect and maintain IT systems and implement cybersecurity best practices. Many chief information officers are frustrated by lack of investment in personnel and infrastructure. Many CEOs and CFOs are reluctant to invest resources in an area with little direct return in the form of increased financial stability. However, cybersecurity investments in the form of hiring, infrastructure development, and crisis planning are critical to protecting delivery systems’ brand, reputation, and financial health.

Other preventive measures that hospitals may consider include training nonsecurity staff on effective cyber hygiene, which comprises a spectrum of habits, including performing effective end-point management (e.g., securing legacy medical devices and software systems), consistently backing up data, securing personal health information at the site of care, and recognizing and reporting phishing emails. Healthcare organizations should take inventory of what cyber hygiene habits they would like to focus on and improve to protect against cyber threats.

Event Response

If a hospital is attacked, its ability to respond effectively can determine the severity, liability, and cost of the breach. In preventive planning, it is critically important to develop and exercise an emergency response plan that outlines policies, processes, and expectations in the event of a cyberattack and that ensures the right staff is in place and armed with the best tools and training to augment their work. A cybersecurity framework created by NIST and a discussion guide developed by the Centers for Disease Control are helpful tools that healthcare organizations can use to evaluate their cybersecurity infrastructure and develop effective response plans.[h]

Summing Up

As cyberattackers become more inventive and sophisticated, healthcare organizations must ensure that their cybersecurity infrastructures are keeping pace. Proper prevention against attacks requires attention and vigilance, just as responses in the event of an attack may require flexibility. Meaningful investment in cybersecurity will both offer financial returns and build confidence among staff and consumers that their digital protection is a priority.


[h] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Feb. 12, 2014; Centers for Disease Control and Prevention, Healthcare Organization and Hospital Discussion Guide for Cybersecurity, August 2016.

David Lee, JD, is a director at Leavitt Partners LLC, Salt Lake City.

Jenna Jackson is an associate at Leavitt Partners LLC, Salt Lake City.
