Majority of Healthcare Organizations Witnessed Cyberattacks Last Year

Cybersecurity is a big deal for healthcare providers. 

A study by the Ponemon Institute found that 62 percent of executives experienced a cyberattack and more than half of those lost patient data last year. As security concerns grow, so does protection spending. The average annual spend on IT rose from $23 million in 2016 to $30 million, with more of that going towards cybersecurity efforts.

However, leadership is also needed. Of the 627 leaders surveyed, only half said their organization employs a chief information security officer, and another 75 percent said insufficient cybersecurity staffing was a problem.

According to the study, healthcare executives also remain concerned with external attacks (63 percent) and internal employee negligence (64 percent).

Research shows that the following are the top targets for hackers:

  • Patient medical records (77 percent)
  • Patient billing information (56 percent)
  • Log-in credentials (54 percent)
  • Passwords and other authentication credentials to systems, servers or applications (49 percent)
  • Clinical trial and other research information (45 percent)

The most popular strategies hackers pursue include exploiting existing software vulnerabilities (71 percent), followed by web-borne malware attacks (69 percent). The study warns that ransomware continues to rise as “hackers are successfully earning significant income from holding systems and data hostage.”

Medical devices are also a concern, but most healthcare professionals have no plans to include them in their future security agendas.


Employee education is crucial, but not employing enough staff capable of handling security issues can also be a huge problem for securing environments. “According to responses, only 51 percent of organizations have a dedicated chief information security officer (CISO) and 60 percent surveyed don’t think they have the right cybersecurity qualifications in-house,” the survey noted.

And only half of the organizations have any type of incident response program in place at all. According to the Ponemon Institute, “this means half of all organizations have no process for the mitigation and remediation needed to respond to and prevent attacks from happening again or causing extensive damage.”

The problem that small practices must keep in mind is that if a security issue were to occur, the costs and damages would be overwhelming. The best things to do are prepare, educate and invest in ways to protect against a breach.

Scott Rupp


Scott E. Rupp is a writer and an award-winning journalist focused on healthcare technology. He has worked as a public relations executive for a major electronic health record/practice management vendor, and he currently manages his own agency, millerrupp. In addition to writing for a variety of publications, Scott also offers his insights on healthcare technology and its leaders on his site, Electronic Health Reporter.
