Healthcare Sees 14% Increase in Data Breaches in Two Years—Here's How to Keep Your Data Secure

By: Collin Couey and Lisa Morris on May 29, 2024
On this page:

Fifty percent of healthcare organizations in the U.S. have experienced a data breach, up from 36% just two years ago.* Of these, nearly a third (32%) experienced a breach in the last three years—compromising healthcare organizations, potentially impacting millions of patients. This paints a clear picture of the significantly increased cybersecurity risk landscape in the U.S. healthcare industry.

This is why it’s crucial for small practices to have the right data security software in place to protect your patients and your practice against data risks.  A data breach or cyberattack is a massive blow to any medical organization, but it is potentially an extinction-level event for a small, independent practice when you calculate the risks or fines, lawsuits, recovery costs, and lost patients.

We’ll examine the most common attacks and what seems to be working to deter and prevent these attacks. Additionally, we’ll discuss the two types of software to help protect your data (EHRs and cloud security software), as well as specific features that make data security software so valuable.

Key findings

  • 50% of all practices have experienced at least one data breach with 32% experiencing one in the last three years.

  • Hacking (41%), malware (39%), and phishing scams (37%) are among the most common ways that data breaches occur.

  • On average, 17% of a healthcare organization’s budget in 2024 is dedicated to IT, including staff, hardware and software, employee training, and external IT support.

Malicious attacks are the most common cause of data breaches

One of the most common causes of healthcare data breaches is hacking or IT incidents. In fact, malicious hacking (41%), malware (39%), phishing scams (37%), and software vulnerability (36%) result in the largest percentages of data breaches based on our survey.

SA graphic: Main causes of data breaches in healthcare

As you can see, the number of breaches caused by attacks against security networks directly and via human error is roughly equal. You can shore up one by improving software and keeping updated on the most common types of attacks, but the other requires increased training. Of practices that experienced one or more breaches, 37% say a phishing scheme was at fault, while 30% blame employee error. Clearly, the human element must be addressed to protect healthcare data.

This is a great reason to install specific administrative protocols that reduce employee mishandling of patient records and medical data, in addition to training employees to recognize malicious attacks like phishing scams.

Key takeaway

Here’s a quick summary of these administrative best practices:

  • Device management: Keep all computers, tablets, and mobile devices used to access patient data up to date and secure.

  • User-based controls: Limit who can access patient data and implement strict password protocols to hold users accountable for carefully accessing private data.

  • Team training: Conduct regular training and refresher sessions to ensure employees have a firm understanding of the importance of data security as well as best practices.

For a detailed look at administrative practices any healthcare organization can employ to avoid a data breach, check out “Best Practices for Avoiding HIPAA Violations in Healthcare.”

Nearly one fifth (17%) of healthcare organizations’ budgets are going toward defending against cybersecurity threats

In general, healthcare organizations dedicate their IT budget evenly.

SA graphic: How healthcare organizations split their IT budget

It makes sense that the largest portion is dedicated to maintaining or upgrading existing software since most cybersecurity attacks target vulnerable, digital patient data. Digital security becomes more and more difficult to maintain due to the sheer number of types of software more healthcare organizations need to employ: 

74% of healthcare organizations spent fewer than 5 hours on IT security and data privacy training for their employees in 2023 with 35% having 2 hours or less. While malicious cyber attacks that don’t involve human error are still the primary way data breaches happen, human error accounts for a significant portion.

To prevent data breaches, healthcare organizations should devote more time and energy to staff training to help them recognize potential attacks like phishing scams. Additionally, bolstering authentication with strong password policies and requiring two-factor authentication can help mitigate risk.

Use software to help keep your data more secure

Finally, let’s bring out the big guns and discuss two of the most important software systems that can help protect you and your patients from data security breaches:

EHR security features

Using an EHR with the right security features will go a long way in keeping you and your patients’ data protected. Fortunately, most certified EHRs come with standardized features to achieve this goal.

Key takeaway

Those features to look out for are:

  • ONC-ATCB certification. This means the tool has been tested on three key areas by an Authorized Testing and Certification Body that has been recognized by the Office of the National Coordinator. Those three key areas are functionality, interoperability, and security—that’s right! If an EHR is ONC-ATCB certified, that means it has passed tests confirming it has security measures in place to keep protected health information (PHI) safe.

  • Audit trails. This feature tracks and documents every action taken with patient information, including who accessed the data, where and when they accessed data, and what changes they made once they accessed it.

  • Password protection. This includes robust controls such as lockout features that will bar access if the wrong password is entered too many times and two-factor authentication to ensure the right person is using the password to access protected data.

  • Data encryption. Not only can data encryption make transferring patient data more secure (by only allowing recipients with the right access key to decipher the data), it can also be very helpful in the event that data is stolen as it will make it harder for the thief to actually read your data.

  • Two-factor authentication (2FA): While not specifically an EHR security feature, 2FA should be necessary for access to any software that includes vulnerable patient data. 89% of healthcare organizations surveyed use 2FA for at least some of their applications with 39% of those using it for all applications. Setting up 2FA should be standard practice for all healthcare IT professionals.

It’s important to note that no single one of these security measures is enough to protect your data. They all work best in tandem with one another in a coordinated security system.

Read more about the most important features of secure EHRs.

Cloud security software for healthcare providers

If a secure EHR is one side of the data security software coin, cloud security is the other side.

The beauty of a cloud security system that is specifically geared toward the healthcare industry is that it automates so many processes associated with data security. For example, HIPAA requires covered entities (e.g., medical practices) to run regular risk assessments in order to identify any vulnerabilities and address them.

In order to stay compliant, consider dedicating an entire team to manage your cybersecurity policies and needs. Most healthcare organizations (70%) have a dedicated employee or department to manage their cybersecurity policies, but roughly 1 in 6 (15%) outsource to a third party service provider.

Most HIPAA-compliant cloud security systems are capable of running these assessments automatically. Some other common features of this type of software include:

  • Threat detection and response: Using analytics and other tools, the software can identify attacks as they’re happening and also help users respond immediately to protect their data.

  • Malware protection: Software actively searches for malicious software or code, viruses, trojans, worms, etc.

  • File integrity monitoring: Ensures all files are secure and protected against unauthorized access or changes.

For small, independent practices that are delving deeper into the digital healthcare experience, having these robust security tools in place will go a long way to protecting patient data. They’ll also provide peace of mind, which is a valuable commodity in this day and age.

Choosing the right data security software

Some practices already have secure EHRs and cloud security systems in place. Some are working with a good EHR, but haven’t installed a cloud security system. Others are starting completely from scratch.

Regardless of your situation, it’s a good idea to run an assessment on your current software security stack to make sure your healthcare cybersecurity is covered. If you identify any gaps in your EHR security features or cloud security system, it’s wise to get those covered as quickly as possible.

When you’re ready to look further into secure EHRs or cloud security software, reach out to a software advisor by scheduling a call or chatting whenever it’s convenient for you.


Survey methodology

Software Advice’s 2024 Medical Cybersecurity Survey was conducted online in March among 296 respondents working at healthcare organizations in the U.S. to learn how medical practices are fighting back against cyber threats. Respondents were screened to have IT management, data security, data management, or security training or audit responsibilities. Organizations that outsource 100% of their IT management or cybersecurity needs were excluded from participating.

*Software Advice's Healthcare Data Security Survey was conducted in February 2022 among 259 U.S. healthcare workers to learn more about security practices at healthcare organizations. Respondents were screened for employment at U.S. healthcare practices and at least partial responsibility for IT management and/or data security.