Any type of organization is vulnerable to cyberattack. But hospitals and healthcare facilities are especially tempting targets for cybercriminals. Patient records are valuable commodities on the Dark Web. Plus, the coronavirus pandemic has opened the door to new attack routes with more testing centers, additional labs, and many medical staffers working from home.

A new study from security consulting firm CI Security tracks the rise and fall (and potential rise again) of cyberattacks against hospitals, and offers advice on how they can shore up their security. Published on Thursday, “The Healthcare Data Breach Report” specifically looks at data breaches reported by healthcare organizations from January through June 2020.

First half of 2020

For the first six months of the year, data breaches involving the protected health information (PHI) of patients dropped dramatically, according to CI Security’s review of data sent to the US Department of Health and Human Services (HHS). During this period, the number of breaches dropped by 10.4% compared with the second half of 2019, while the actual number of reported breached records plunged by almost 83%.

Looking at the numbers, 3.8 million patient records were breached through hacking and IT incidents in the first half of 2020, compared with 30 million records over the prior six-month period. That 30 million number includes two major incidents that compromised 22 million records alone. But even removing those two breaches would leave the number at around 8.3 million.

Going back further, a total of 8.3 million records were breached through hacking and IT incidents in the first half of 2019, while 7.4 million were breached in the second half of 2018. So the 3.8 million reported in the first half of 2020 marked a low point, at least in recent years.

Hacking accounted for most of the records breached during the first half of 2020. But CI Security found an increase in the improper disposal of records, mostly due to a single incident involving 550,000 records. The analysis also found a jump in the number of records lost to theft, most of them from a single stolen laptop that exposed 654,000 records.

CI Security attributed this year’s sharp decline to some combination of five factors:

  1. Healthcare organizations have continued to improve their cybersecurity programs.
  2. Some healthcare organizations misunderstood the HHS exceptions issued during the pandemic, leading them to believe they had a coronavirus-related extension beyond the required 60-day window.
  3. Healthcare organizations were simply too busy to report data breaches.
  4. Some healthcare organizations were hopeful that cybercrime groups, which promised to “go easy” on healthcare during the pandemic, would keep their word. But a number of reports on phishing campaigns and other attacks from cybercrime gangs and nation-states show that they actually took advantage of stressed healthcare facilities during the first half of the year.
  5. Some healthcare organizations have been so distracted by the pandemic and associated emergency operations that they have been breached but don’t yet know it. This is the most ominous explanation, but seems plausible given that the average time it takes for healthcare organizations to spot a breach is 329 days, according to IBM’s 2020 “Cost of a Data Breach” report.

Second half of 2020

The decline in breaches against hospitals is not expected to last, according to CI Security, which expects cyberattacks to surge over the next six months. The firm based its dour forecast on two factors.

First, hospital records still represent a valuable target for hackers. While a credit card might sell for $100 on the Dark Web, a patient’s medical records could go as high as $1,000.

Second, COVID-19 has triggered a variety of new attack vectors. More employees are working from home. Previously retired personnel and temporary workers were brought on staff to help with the workload. Telemedicine capabilities have increased. Drive-through testing and other locations have been added. New equipment and connections to new suppliers have been set up. Plus, new coronavirus-related requirements were put into effect for sharing patient data. As a result, there are now a lot more areas vulnerable to security threats.

Lessons learned

Analyzing the methods used by healthcare organizations to prevent data breaches, especially during the pandemic, CI Security noted three distinct factors:

Flexibility. Organizations that performed best built structures that flexed but didn’t break under the pressure of the pandemic. From their ability to quickly add capacity supporting WFH (Work from Home) to telemedicine expansion to quick facility adjustments (including designating entire facilities for COVID-19 patients), those built to change quickly and securely were most able to stay ahead of evolving demands.

Perspective. Organizations that conducted regular and more intense disaster preparedness, incident response, and system outage exercises did better than those that didn’t. With those efforts, well-practiced organizations didn’t panic. They created command centers staffed with experienced leaders who anticipated challenges, resulting in better decision making, which drove organizations in the right direction rather than letting them become victims of the pandemic and associated cyberattacks.

Communication. In the heat of any crisis, communication and collaboration are everything. The most successful organizations opened all channels, were painfully transparent, and were willing to adjust the speed and direction of change to avoid problems. Organizations with regular communication had teams that were more focused, less distracted by the rumor mill, and more sensitive to front-line challenges.


As data breaches against hospitals and healthcare facilities persist, what measures can organizations take to protect themselves? CI Security offers the following advice:

Put your Security Operations Center (SOC) into overdrive. Make sure you’re on top of the team’s monitoring and detection efforts. If you assume you’ve been breached all the time, you’ll create a culture that’s driven to detect and respond quickly to cyberattacks, limiting the damage, and quickly returning operations to normal. If you don’t have a 24/7/365 SOC monitoring your network, find a partner that can fill this gap.

Practice good cyber hygiene. If you had a strong cybersecurity program in place before the pandemic but got sidetracked, return to your governance and risk rules for equipment, staff, vendors, and applications ASAP. It might feel like red tape, but security and privacy discipline lowers your risk of a cyber incident. If you have to shortcut processes, be sure to record all noncompliant variances in detail, then initiate, track, and report on those remediation projects.

Add a project manager to the security team. Most health systems have paused major projects, and so any idle project managers could be great additions to a security team. Project managers can track variances (“shortcuts” you may have taken in an emergency) and nag the team to stay focused on remediation. They can also work with business and clinical partners, drive user education, review new requests, and act as administrators for certain applications.

Communicate, communicate, communicate. Continue to teach end-users about dealing with the wave of tempting phishing emails they regularly see. Help your remote teammates with work-from-home best practices, including changing network passwords, not using personal computing equipment for work, and making sure all software is updated and patched. Double-check processes in place for financial account transfers of any kind.