For many years now, news about cybercrime and its serious consequences for individuals, communities, and organizations has been part of mainstream conversation, and for good reason. Massive data breaches and large-scale attacks on countries' critical infrastructure (CI) regularly make the rounds on news outlets and social media platforms, underscoring the grave impact of cyberattacks on our day-to-day lives.
Unfortunately, as the healthcare sector becomes more dependent on technology and on internet-connected applications and devices, it will remain in the crosshairs of cybercriminals. Patient records are valuable on criminal markets, and because hospitals cannot tolerate long downtime, attackers assume they are more likely to pay to restore operations quickly.
Healthcare professionals who regularly handle sensitive patient data must be aware of the various cyberattacks that target healthcare institutions, not just to protect patients’ data privacy, but also, and more importantly, their safety.
In this article, we discuss the most common cyberattacks against the healthcare industry and high-level cybersecurity tips and best practices nurses must adopt to help ensure that healthcare operations remain undisrupted and that patient safety is put at the forefront.
The most common cyberattacks against healthcare organizations
· Ransomware
Ransomware is a type of malicious program that prevents users from accessing their systems by encrypting their files. Cybercriminals lock users out of their data and offer to restore access, usually by handing over a decryption key, only if a ransom is paid, and they typically threaten to destroy the key (and, increasingly, to publish data they stole before encrypting it) if the deadline passes. Ransomware commonly enters an organization through phishing emails, malvertising, social engineering, exploit kits, and stolen or weak credentials for remote-access services such as VPNs and remote desktop.
Notable attacks:
o In 2019, Springhill Medical Center in Alabama experienced a ransomware attack. According to a lawsuit filed by the mother, because the hospital's computers and fetal-monitoring displays were down, staff were unable to deliver proper care during the delivery of a newborn, who suffered a severe brain injury and later died.
o In 2024, Ascension, a Catholic health system of about 140 hospitals, was hit by a ransomware attack that disrupted access to electronic health records, some phone systems, and the systems used to order medications, tests, and procedures, forcing staff back to paper workflows.
· Phishing
Phishing uses fraudulent emails, text messages (smishing), phone calls (vishing), or websites to lure victims into downloading malware or unwittingly sharing sensitive information such as login credentials or banking details. To trick victims into clicking malicious links or exposing private data, cybercriminals pose as trusted entities, such as banks, utility companies, IT support, coworkers, close friends, or family members. Spear-phishing is the targeted form, in which the message is tailored to a specific person or organization using details gathered in advance.
Notable attack:
o In 2014, attackers breached Anthem Inc. in what remains one of the largest healthcare data breaches on record, giving a nation-state actor access to the protected health information (PHI) of 78.8 million individuals. The intrusion began with spear-phishing emails sent to employees; at least one employee opened a message and followed its link, which gave the attackers their initial foothold in Anthem's network. The breach was not discovered until 2015.
· Data breaches
A data breach occurs when malicious actors gain unauthorized access to, copy, or steal sensitive data, including financial information, patient and customer records, and trade secrets, from a system. Breaches are often the end result of a successful phishing or ransomware attack, and they frequently go undetected for months, by which time the data has already been sold or published.
Notable attack:
o In 2015, Premera Blue Cross disclosed a cyberattack that exposed the sensitive personal information of 11 million customers, including bank account information, Social Security numbers (SSN), dates of birth, and medical claims information. The intrusion had begun in 2014 and went unnoticed for months.
Cybersecurity tips and best practices for healthcare professionals
To remain protected against ever-evolving cyber threats, healthcare professionals can adopt the following cybersecurity tips and best practices:
· Be careful of what you post online. Cybercriminals are always on the prowl for information they can use to send the most believable phishing emails. They often look at victims' social media profiles for posts about their workplace, unit, shift schedule, or colleagues, and then use those details to craft convincing messages carrying malicious links or attachments. Familiarize yourself with your organization's social media policy, and never post about your patients online, even without names, as you may unintentionally publish their personally identifiable information (PII).
· Create strong passwords and enable multifactor authentication (MFA). Length matters more than a mix of character types: a long passphrase of several unrelated words is harder to guess than a short password with symbols swapped in. Use a different password for every account, especially for your work email and clinical systems, so that one leaked password cannot unlock the rest, and consider a password manager to generate and store them. Enable MFA wherever it is offered. Authenticator apps or hardware security keys are preferable to codes sent by SMS, and be aware that phishing sites can ask you for your one-time code too, so never enter a code on a page you reached from a link in a message.