According to Cybersecurity in Healthcare: A Review of Recent Attacks and Mitigation Strategies, cyberattacks “have significantly increased in recent years.”
More specifically, the research review notes how cyberattacks are a threat to healthcare organizations due to “inadequate security measures,” “antiquated practices,” and the concentration of “sensitive data, including usernames, passwords, and medical records.” The review also adds that “cybersecurity has not gotten enough attention in the healthcare sector, despite being crucial for patient safety and a hospital's reputation.”
Methods of cyber-attack on hospitals
Injection attacks and malware
Injection attacks are among the oldest forms of application attack: the attacker supplies crafted input that the application passes to an interpreter, so it executes commands the developer never intended. As the research review describes it, “a web application may be ‘injected’ with malicious data by an attacker, affecting the way it operates by directing it to execute certain commands.”
Malware is a broader category, defined in the review as “any computer code written with the purpose of gaining unauthorized access to digital devices and IT infrastructures.” Ransomware is the malware family most relevant to hospitals, and the review names three families in particular: SamSam, Locky, and Netwalker.
- SamSam: Exploits weak or exposed remote-access services to get into a hospital network, then encrypts systems and demands payment to unlock them.
- Locky: Delivered through malicious email attachments or links. Once run, it encrypts files so they cannot be opened without the attackers’ decryption key.
- Netwalker: Arrives via phishing emails or trojanized downloads, then moves laterally across the network and encrypts connected Windows-based devices, effectively halting operations.
Other documented cases, such as the 2017 WannaCry outbreak, have rendered hospital systems unusable, preventing access to patient records, diagnostic tools, and communication platforms, and ultimately disrupting patient care.
Social engineering and phishing
The human factor is still the most insidious threat the healthcare system faces. Malicious actors use social engineering tactics to manipulate victims into giving them sensitive information. As the research explains, this method “uses interpersonal interactions to prey on psychological flaws in the victim to persuade them to divulge critical information.”
Phishing is the most prominent example: attackers trick users into clicking malicious links, opening harmful attachments, or entering credentials into a look-alike site. Because these messages imitate legitimate communications, they are difficult to detect. Once an attacker holds valid credentials, they can reach broader systems and slip past technical safeguards that assume the account holder is legitimate.
Denial-of-service (DoS) and Distributed denial-of-service (DDoS) attacks
Denial-of-service attacks “mostly focus on consuming resources, including memory or computing power,” until hospital services become unavailable. Distributed denial-of-service (DDoS) attacks amplify this effect by using many compromised systems to flood a single target at once.
A DDoS attack on a hospital can disable appointment systems, electronic health records, and communication platforms simultaneously. As evidenced by the research review, these attacks can make it “difficult to pinpoint the attack's origin,” complicating response efforts. Moreover, the consequences may extend outside of hospital operations, where “patients may suffer as a result of these attacks.”
Systemic vulnerabilities and institutional response
The research shows that some institutions resorted to shutting down entire systems as a containment measure. While it can be effective in limiting damage, it shows a lack of proactive strategies.
Their lack of preparedness is evident as many hospitals in the study “did not have defined strategies or backup plans to deal with intrusions.” Their reactive posture shows a “disregard for cybersecurity,” further exacerbated by outdated technologies such as unsupported operating systems.
Go deeper: How legacy systems disrupt patient care
How to implement mitigation strategies
Proactive incident response frameworks
An effective hospital security program needs an incident response framework. According to the review, such a framework must cover multiple steps, including:
- "Planning and preparation
- Detection
- Analysis
- Evaluation
- Containment and eradication
- Recovery
- Post-incident activities.”
For example, for planning and preparation, hospitals should determine roles and responsibilities for staff members involved in incident response, conduct regular training and drills, and check that all systems are regularly updated and patched to minimize vulnerabilities. Additionally, hospitals should have a communication plan in place so that all stakeholders are informed during a cybersecurity incident.
Detection may include implementing intrusion detection systems, monitoring network traffic for unusual activity, and conducting regular vulnerability assessments to identify potential threats. Using a HIPAA compliant email solution, like Paubox, will help safeguard patients' protected health information (PHI) and maintain federal compliance. Paubox also scans inbound emails for malware and phishing attempts, preventing healthcare data breaches.
If an organization’s security team identifies a potential data breach, it must be analyzed and verified, followed by containment measures that isolate the affected systems. Next, recovery should help restore normal operations and address underlying vulnerabilities.
Finally, post-incident evaluations can help organizations learn from their mistakes and improve their overall security, so they are better prepared for future threats.
Advanced security architectures
The review on cybersecurity in healthcare points to artificial intelligence (AI) and blockchain technologies as promising directions for better healthcare cybersecurity.
AI can analyze large volumes of data to identify patterns indicative of cyber threats, allowing early detection and intervention. The review describes a layered architecture whose “data layer gathers information from patient sensors, including temperature and heartbeat,” and also collects potential malware samples. Higher layers then analyze this data to detect vulnerabilities and identify patterns associated with cyber threats.
Blockchain technology, meanwhile, provides a secure and decentralized method for storing and transmitting data, reducing the risk of unauthorized access or data manipulation regarding diagnoses, symptoms, and treatment plans.
Intrusion detection and machine learning models
Machine learning models can also be used for intrusion detection. More specifically, the review cites stacked autoencoders for identifying anomalous behavior within network systems. An autoencoder is trained to reconstruct the traffic it sees during normal operation; traffic it reconstructs poorly does not fit the learned baseline and is flagged as a possible intrusion.
This process involves multiple stages: data preprocessing, feature extraction, and behavioral classification. The model distinguishes between normal and intrusive activity, raising alerts so that responders can act quickly.
Integrating these technologies will also increase the healthcare organizations’ capacity to detect and mitigate threats before they escalate into major disruptions.
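The three-stage pipeline above (preprocessing, feature extraction, behavioral classification by reconstruction error), as an added example that is not part of the review or of any product it discusses. It uses a single-hidden-layer autoencoder in plain Python in place of the stacked autoencoder the review cites; the flow records, feature ranges and the threshold rule (three times the largest reconstruction error seen on normal traffic) are constructed for illustration.

```python
"""Anomaly-based intrusion detection with a small autoencoder (plain Python).

Added example, not code from the review. A one-hidden-layer autoencoder
stands in for the stacked autoencoder the text describes; flow records,
feature ranges and the threshold rule are constructed for illustration.
"""
import math
import random

# Constructed, simplified flow records: (bytes, packets, duration_s, failed_logins)
NORMAL_FLOWS = [
    (20000, 40, 5, 0), (25000, 50, 7, 0), (30000, 60, 8, 1), (35000, 70, 10, 0),
    (40000, 80, 12, 1), (22000, 45, 6, 0), (28000, 55, 9, 0), (33000, 65, 11, 1),
    (38000, 75, 13, 0), (24000, 48, 15, 0), (31000, 62, 14, 1), (36000, 72, 6, 0),
]
HELD_OUT_NORMAL = (29000, 58, 9, 0)        # constructed: looks like training traffic
EXFIL_FLOW = (180000, 450, 100, 40)        # constructed: bulk transfer plus login failures
BRUTE_FORCE_FLOW = (25000, 60, 8, 35)      # constructed: only the failed-login count is odd

# Assumed feature ranges for min-max scaling (the preprocessing stage).
RANGES = [(0, 200_000), (0, 500), (0, 120), (0, 50)]


def extract_features(flow):
    """Feature extraction: scale each raw field into [0, 1], clamping outliers."""
    return [min(max((v - lo) / (hi - lo), 0.0), 1.0) for v, (lo, hi) in zip(flow, RANGES)]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class Autoencoder:
    """n_in -> n_hidden (sigmoid) -> n_in (linear), trained by plain SGD on MSE."""

    def __init__(self, n_in, n_hidden, seed=7):
        rng = random.Random(seed)   # fixed seed so results are reproducible
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b) for row, b in zip(self.w1, self.b1)]
        y = [sum(w * hi for w, hi in zip(row, h)) + b for row, b in zip(self.w2, self.b2)]
        return h, y

    def train(self, data, epochs=300, lr=0.1):
        for _ in range(epochs):
            for x in data:
                h, y = self.forward(x)
                err = [yi - xi for yi, xi in zip(y, x)]          # dLoss/dy (up to a constant)
                # Backpropagate through the sigmoid hidden layer before touching w2.
                dh = [sum(self.w2[j][i] * err[j] for j in range(len(err))) * h[i] * (1 - h[i])
                      for i in range(len(h))]
                for j in range(len(err)):
                    for i in range(len(h)):
                        self.w2[j][i] -= lr * err[j] * h[i]
                    self.b2[j] -= lr * err[j]
                for i in range(len(h)):
                    for k in range(len(x)):
                        self.w1[i][k] -= lr * dh[i] * x[k]
                    self.b1[i] -= lr * dh[i]

    def reconstruction_error(self, x):
        _, y = self.forward(x)
        return sum((yi - xi) ** 2 for yi, xi in zip(y, x)) / len(x)


def build_detector(normal_flows):
    """Train on normal traffic only and derive an alert threshold from it."""
    feats = [extract_features(f) for f in normal_flows]
    ae = Autoencoder(len(RANGES), 3)
    ae.train(feats)
    threshold = 3 * max(ae.reconstruction_error(f) for f in feats)   # assumed rule
    return ae, threshold


def classify(ae, threshold, flow):
    """Behavioral classification: 'intrusive' if the flow reconstructs poorly."""
    return "intrusive" if ae.reconstruction_error(extract_features(flow)) > threshold else "normal"


if __name__ == "__main__":
    ae, threshold = build_detector(NORMAL_FLOWS)
    for name, flow in [("held-out normal", HELD_OUT_NORMAL), ("exfiltration", EXFIL_FLOW),
                       ("brute force", BRUTE_FORCE_FLOW)]:
        print(f"{name:16s} -> {classify(ae, threshold, flow)}")
```

The important design choice is that the model never sees attack traffic during training: the baseline is normal behavior, and anything the model cannot reproduce is treated as suspect, which is what lets this approach catch attacks with no known signature. The price is tuning the threshold, which must be validated against held-out normal traffic so that ordinary peaks do not page the on-call team.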
Risk mitigation and organizational policy
At the organizational level, risk is defined as “the potential for loss or harm if an attacker exploits a security hole.” “Many healthcare institutions, however, continue to lack adequate security protocols, leaving them open to intrusions.”
To mitigate this risk, organizations must reduce the likelihood and impact of cyberattacks. They must implement firewalls, update software and hardware, and conduct regular security assessments. Additionally, healthcare organizations must develop in-depth security policies that state security roles, responsibilities, and procedures.
For example, specific employees may be designated as security officers, responsible for monitoring and responding to potential threats. These security officers should also be trained on the latest cybersecurity best practices and protocols to ensure they are equipped to handle any potential threats effectively.
Training and human factors
Given the prevalence of social engineering attacks, healthcare organizations must train employees on cybersecurity. As the research review states, institutions must “instruct employees on how to spot and handle online threats.” Staff must know how to recognize phishing attempts, handle PHI securely, and respond appropriately to potential threats. Training should cover both technical skills and ongoing vigilance.
Related: How to build and sustain a culture of security
Reframing cybersecurity as patient safety
The severity of recent cyberattacks requires us to change our perspective on how cybersecurity affects healthcare. Cyberattacks result in “system failures, reputational damage, and other associated problems,” but their biggest impact lies in their potential to harm patients. Delayed treatments, inaccessible records, and disrupted services all contribute to adverse outcomes.
Therefore, it isn’t enough to treat cybersecurity as a technical or administrative issue. Rather, it must be integrated into patient safety and clinical governance.
Moreover, data breaches can erode patient trust and have long-term implications for healthcare systems. Patients rely on institutions to protect their information and provide consistent care.
FAQs
Does HIPAA apply to phishing attacks in healthcare?
Yes. HIPAA does not regulate phishing as such, but a phishing attack that exposes or compromises protected health information (PHI) is a security incident, and usually a reportable breach, under the Health Insurance Portability and Accountability Act (HIPAA) Security and Breach Notification Rules. Such incidents can lead to severe penalties, including fines and reputational damage.
What is PHI?
Protected health information (PHI) is any detail that links a person to their health data. It includes names, medical conditions, contact details, treatment notes, or anything that can identify a patient.
Go deeper: When does medical data qualify as PHI under HIPAA?
What is ransomware?
Ransomware is malicious software that encrypts a victim's data, with attackers demanding payment to restore access or prevent data leaks.
