Underestimated cybersecurity risks

High-profile attacks, ransomware outbreaks, phishing campaigns, and large-scale data breaches, dominate headlines and shape the cybersecurity strategies of businesses worldwide. However, while organizations remain alert to the most publicized threats, they often overlook less conspicuous yet equally dangerous vulnerabilities. These underestimated cybersecurity risks, when neglected, can quietly erode a company’s security posture, making it ripe for exploitation.

Insider threats

When people think about cybersecurity, they often imagine shadowy figures in foreign countries launching attacks. But sometimes, the most damaging threats come from within the organization.

Insider threats can be malicious, such as disgruntled employees stealing data, or accidental, such as someone unintentionally emailing confidential files to the wrong recipient. Both types are dangerous.

Example: ​A recent insider threat occurred at Mass General Brigham, a prominent U.S. healthcare system. In April 2024, the organization discovered that two employees had facilitated unauthorized access to patient data over more than a year, from February 26, 2023, to April 2, 2024. The compromised information included patients’ names, addresses, medical record numbers, birthdates, email addresses, phone numbers, health insurance policy numbers, and clinical records, such as visit details and diagnoses. Both employees were terminated following the discovery.

Go deeper: Mass General Brigham fires two employees after patient data breach

Mitigation tips:

• Enforce strict access control policies.
• Regularly audit user permissions.
• Implement user behavior analytics to detect unusual activity.

Shadow IT

Shadow IT refers to the use of software, apps, and devices without the knowledge or approval of the IT department. Employees may use personal tools to make their jobs easier, but in doing so, they bypass security protocols.

Example: ​A pertinent example illustrating how employees' use of personal tools can bypass security protocols is the 2022 incident at John Muir Health in Walnut Creek, California. An employee created a website intended to facilitate discussions among staff about medical device usage. However, in the process, the employee inadvertently included links to spreadsheets containing confidential patient information. This oversight led to the potential exposure of sensitive data, stressing the risks associated with using personal tools or platforms without proper authorization and oversight. The incident demonstrates the need to adhere to established security protocols and ensure that any tools or platforms used for work purposes are vetted and approved by the organization's IT and compliance departments.

Shadow IT increases the attack surface and introduces data leakage risks, especially when personal devices or unvetted platforms handle sensitive information.

Go deeper: How to protect patient data against insider threats?

Mitigation tips:

• Educate employees on approved tools.
• Use network monitoring to detect unauthorized applications.
• Provide secure alternatives to commonly used shadow IT tools.

Third-party vendor risks

Businesses rely on a complex web of partners, from cloud providers to HVAC contractors. Every third party with access to your systems or data is a potential vulnerability.

Example: ​An example of third-party vendor risk in the healthcare sector occurred in 2022, involving OneTouchPoint (OTP), a mailing and printing vendor. In April of that year, OTP detected encrypted files on certain computer systems, indicating unauthorized access that began on April 27. The breach affected 34 healthcare organizations, including major entities like Geisinger and Kaiser Permanente. Exfiltrated files contained sensitive patient information, such as names, member IDs, and health assessment details. The incident underscores the critical importance of ensuring that third-party vendors adhere to stringent cybersecurity measures to protect patient data.

Read more: OneTouchPoint Discloses Data Breach Impacting Over 30 Healthcare Firms

Mitigation tips:

• Perform due diligence on vendor security practices.
• Require compliance with cybersecurity standards (e.g., SOC 2, ISO 27001).
• Limit third-party access to only the systems necessary for their function.

Related: What is vendor compromise?

IoT vulnerabilities

The rise of the Internet of Things (IoT) has revolutionized industries, but it’s also created new security challenges. Many IoT devices lack robust security features, making them easy targets.

Example: ​A notable example of an Internet of Things (IoT) vulnerability in the healthcare sector occurred in 2023, involving a ransomware attack that exploited default credentials in IoT-enabled heart monitors. In this incident, a ransomware group targeted a chain of clinics by leveraging factory-set passwords like "admin123" on connected heart monitoring devices. The attack disrupted emergency services for 72 hours until a $1.2 million ransom was paid. Investigations revealed that the devices' default credentials had never been updated, highlighting a critical oversight in securing IoT medical equipment.

Read also: Network Security for IoT Devices: Mitigating Risks in Connected Healthcare Systems

Mitigation tips:

• Segment networks to isolate IoT devices.
• Change default passwords and disable unused services.
• Apply firmware updates regularly.

Learn more: Best Practices for securing medical IoT devices

Outdated or unpatched software

Despite widespread awareness, unpatched systems remain one of the most common ways attackers gain entry. 

Why is this still a problem? Patching can be complex, disruptive, and resource-intensive, especially for legacy systems. But the cost of inaction is far greater.

Example: ​A recent and significant example of outdated or unpatched software leading to a major cybersecurity incident in the healthcare sector is the February 2024 ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. The attackers exploited a server that lacked multifactor authentication (MFA), a fundamental security measure, allowing them to gain unauthorized access using compromised credentials. This oversight enabled cybercriminals to infiltrate the system, encrypt critical data, and exfiltrate up to 4 terabytes of sensitive patient information.

Go deeper: Going deeper: The Change Healthcare attack

Mitigation tips:

• Automate patch management where possible.
• Prioritize high-risk vulnerabilities.
• Establish a regular update schedule.

See also: Software updates to prevent cyberattacks

Social engineering beyond phishing

While phishing emails get most of the attention, social engineering encompasses a broader range of tactics, including baiting, pretexting, and even physical intrusion.

Social engineering attacks exploit human psychology and trust, not technology.

Example: ​A notable recent example of social engineering in the healthcare sector occurred in May 2024, involving Ascension Health, one of the largest non-profit health systems in the United States. In this incident, cybercriminals employed social engineering tactics to deceive an employee into downloading malware, leading to a significant ransomware attack. The breach disrupted clinical operations across Ascension's 140 hospitals in 19 states, forcing some facilities to divert emergency care and putting patient safety at risk. Investigations revealed that sensitive patient data, including health records, was exfiltrated during the attack. This incident underscores the critical importance of fostering a culture of cybersecurity awareness within healthcare organizations, emphasizing the need for regular training and vigilance against social engineering threats.

Read more: Ascension cyberattack caused by employee downloading malicious file

Mitigation tips:

• Train employees on recognizing and reporting suspicious behavior.
• Implement verification procedures for access requests.
• Restrict physical access to critical systems.

Poor password hygiene

Despite years of guidance, weak, reused, and shared passwords remain a primary cause of account compromises.

Example: A 2023 data breach at Medical Informatics Engineering (MIE), a provider of electronic medical records software, clearly illustrates the dangers of poor password hygiene. In this incident, attackers gained unauthorized access to one of MIE’s servers using a compromised username and password. Due to the weak access controls, the attackers remained undetected for 19 days, during which they were able to access sensitive data belonging to at least 11 of MIE’s healthcare clients.

Even with strong password policies, without multi-factor authentication (MFA), accounts remain vulnerable.

Mitigation tips:

• Enforce strong, unique password requirements.
• Implement MFA across all critical systems.
• Promote the use of password managers.

Related: Common password attacks and how to avoid them

Lack of incident response planning

Many organizations invest heavily in tools and strategies to prevent cyberattacks, such as firewalls, antivirus software, and employee training, but often neglect to develop a robust incident response plan. This oversight means that when a breach does occur, they are unprepared to respond quickly and effectively.

Example: The Change Healthcare February 2024 cyberattack demonstrates the consequences of inadequate incident response planning in the U.S. healthcare sector. As a subsidiary of UnitedHealth Group, Change Healthcare experienced a major ransomware attack that brought its operations to a standstill, disrupting the processing of electronic payments and medical claims nationwide. Hospitals, pharmacies, and clinics were unable to handle insurance transactions, leading to widespread delays, financial strain, and compromised patient services.

Mitigation tips:

• Develop and test a comprehensive incident response plan.
• Include communication strategies for customers, regulators, and stakeholders.
• Conduct tabletop exercises and update the plan regularly.

Regulatory non-compliance risks

Failing to meet cybersecurity regulations like HIPAA, GDPR, or PCI-DSS isn’t just a legal issue, it’s a security failure. Yet, many organizations underestimate the complexity of staying compliant.

Example:An example of regulatory non-compliance risks in the healthcare sector is the 2024 cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. The breach compromised protected health data, prompting the U.S. Department of Health and Human Services (HHS) to launch an investigation into whether UnitedHealth complied with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA mandates that healthcare entities report breaches to affected individuals within 60 days of discovery. However, the unprecedented scale of this attack complicated compliance with these reporting obligations. The investigation aims to determine if UnitedHealth adhered to HIPAA requirements and to assess the extent of the data breach.

Mitigation tips

• Appoint a compliance officer or team.
• Regularly audit and document processes.
• Stay updated on changing regulations.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQS

Why is cybersecurity important in the healthcare industry?

Healthcare organizations manage sensitive personal and health information, making them targets for cyberattacks. A breach can lead to data theft, disrupted services, legal consequences, and loss of patient trust.

What happens if a healthcare organization is non-compliant with HIPAA?

Non-compliance can result in significant fines, legal action, and reputational damage. It can also lead to increased scrutiny from regulators and loss of patient trust.