Josh P.

According to Software Advice’s 2024 Healthcare Data Security Survey,* 87% of data held by today’s medical practices is digital. That means the vast majority of medical data is vulnerable to cyberattacks and data breaches, which can lead to privacy violations for patients and compliance violations for practices. This threat is compounded by the sheer volume and complexity of data that medical practices must organize and protect.
In fact, 50% of healthcare organizations in the U.S. have experienced a data breach, with 32% experiencing one in the last three years.

To help keep data more secure, healthcare organizations need to increase their employee training, and create, maintain, and update a cybersecurity response plan.
42% of practices have experienced a ransomware attack, and of those, 48% say the attack impacted customer data.
Only 63% of healthcare organizations have a cybersecurity response plan in place.
55% of the medical practices we surveyed allow access to more data than employees need to do their job.
Nearly half (48%) of ransomware attacks on medical practices impact patient data—and more than one in four impact patient care (27%). This highlights the specific vulnerability that medical practices have compared to other types of businesses.
For most businesses, downtime resulting from a cyberattack impacts production, profits, and even reputation—but when systems go down at a healthcare facility, medical records become inaccessible, devices malfunction, and critical procedures are delayed.
Not only are practices the target of ransomware attacks, but more than one in three (34%) fail to recover patient data from their attackers. This leaves important patient data in the hands of hackers and compromises a patient’s safety even if backups of the data are available.

That’s why having a cybersecurity response plan is critical to protecting patient data from cyberattacks, as well as to the long-term profitability and growth of your practice.
A cybersecurity response plan is a documented process that details how the people responding to a cybersecurity incident should handle a security breach. Creating, maintaining, and updating your cybersecurity response plan can lead to quicker response times to security breaches, which might give you the time to recover patient data before malicious attackers can access it.
Only 63% of surveyed healthcare organizations have a plan in place, leaving 37% without one.
A cybersecurity response plan typically includes these elements:
A formal definition of a cybersecurity incident, including severity ratings and prioritization protocols
Defined roles and responsibilities to identify who is responsible for each task
Documented communication protocols
Reporting requirements and contact forms
By making sure everyone knows their role and responsibilities ahead of an attack, there’s no ambiguity about what any one person should be doing to help stop the breach and recover patient data. Without a formalized plan in place, your IT staff might have several people focused on the same problem, potentially allowing a more important issue to persist and leading to an increase in lost time and data.
If your practice is among the 37% that don’t have a cybersecurity response plan in place, you should make it a priority.
Human error results in nearly the same number of data breaches as targeted, malicious attacks against data security.

In 2023, 74% of healthcare organizations spent fewer than 5 hours on IT security and data privacy training for their employees, with 35% spending 2 hours or less.
To prevent data breaches, healthcare organizations should devote more time and energy to staff training to help them recognize potential attacks like phishing scams. To mitigate cybersecurity threats, it’s critical that employees are only provided access to the data needed for their role.
Medical practices must focus on strategies such as restricting network privileges, strengthening access policies, and deploying network segmentation so that access to some data doesn’t mean access to all of it.
Let’s recap the highlights:
Cybersecurity attacks have been on the rise in recent years, and nearly half of all healthcare organizations have experienced a ransomware attack.
37% of healthcare organizations don’t have a cybersecurity response plan in place.
Medical practices often allow access to more data than employees need to do their job, which makes them more vulnerable to attacks.
To help mitigate cybersecurity threats, healthcare organizations must create, maintain, and update a cybersecurity response plan that includes defined roles and responsibilities, communication protocols, and a prioritization list.
Additionally, practices should implement user-based controls that limit who can access which data while simultaneously implementing more strict password protocols to hold users accountable.
Finally, healthcare organizations need to increase the amount of employee training required to help staff recognize malicious attacks such as phishing so that they are better able to help stop data breaches and report suspicious activity.
If you’re interested in reevaluating your cybersecurity software or medical software stack, reach out to a software advisor by scheduling a call for a free software consultation.
*Software Advice’s 2024 Medical Cybersecurity Survey was conducted online in March among 296 respondents working at healthcare organizations in the U.S. to learn how medical practices are fighting back against cyber threats. Respondents were screened to have IT management, data security, data management, or security training or audit responsibilities. Organizations that outsource 100% of their IT management or cybersecurity needs were excluded from participating.