11 Things the Health Care Sector Must Do to Improve Cybersecurity

  • Colgate-Palmolive Co.: The Precision…

    8.95ADD TO CART
  • Paul Levy: Taking Charge of the Beth Israel…

    8.95ADD TO CART
  • Barbara Norris: Leading Change in the General…

    8.95ADD TO CART

No industry or sector is immune to hacking. That reality was made painfully clear in mid-May, when a cyberattacker using WannaCry ransomware crippled health care institutions and many other kinds of organizations around the world. In 2015 over 113 million Americans health records were exposed, and in 2016 the number was over 16 million, according to reports submitted to the U.S. Department of Health and Human Service’s Office for Civil Rights. At the beginning of 2017 Experian predicted that the health care sector would be the most heavily targeted vertical industry. A March 2017 report from the Identity Theft Resource Center indicated that more than 25% of all data breaches were related to health care. The estimated loss to the industry is $5.6 billion per year. These stats should be a wake-up call for the entire industry.


  • The Leading Edge of Health Care

    How the most innovative providers are creating value.

There are three reasons health care is the source of so much stolen data right now. First, health care data can be monetized. For instance, cybercriminals can use medical data to sell fake identities, construct synthetic identities, and enable someone to conduct medical identity theft. If that doesn’t work, they can use the stolen information for traditional identity theft, since medical information tends to include enough information to allow a criminal to open a credit card, bank account, or loan in the victim’s name. If neither of those works, cybercriminals can use ransomware to extort health care organizations to pay them money to regain access to compromised systems and data.

Second, health care organizations have been slow to adopt practices that have worked for other industries. Most health care portals, for example, don’t have strong multifactor authentication. Many medical personnel are unaware of the risks to data security (which is ironic given the strong emphasis on patient privacy). And health care organizations tend to have smaller security budgets and teams than financial services organizations.

Finally, as other industries have become more sophisticated in detecting and blocking cyberattacks, criminals have had to find new sources of data. Aside from the fact that health care institutions collectively hold information on the vast majority of the population, their IT systems also have links to financial services (e.g., flexible spending accounts with their own debit cards or health savings accounts that can have five-figure balances after two to three years).


Given that most transactions in the health care sector are conducted through vulnerable hardware and software, it’s critical for providers and payers to strengthen their cybersecurity. For an example of how to proceed, they can look to the financial services industry, where some of the most well-known examples of cyberattacks in the last decade have occurred. This turmoil led to huge operational shifts in the financial services sector, where there’s more focus than ever on consumer education, industry information sharing, and stronger forms of authentication, among other