
15 Cybersecurity Statistics To Diagnose The Ailing Healthcare Industry

Spending is on the rise, but not enough to keep up with cybercrime damages

Sponsored by CyberMaxx

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Apr. 10, 2020

Healthcare is in poor shape when it comes to cybersecurity.

Cybersecurity Ventures predicts that the healthcare industry will spend $65 billion cumulatively over five years, from 2017 to 2021, on cybersecurity products and services. But after paying all those bills, many hospitals will not pass their cyber physicals.

“What does it mean if we spend that kind of money, and cybercrime still increases?” asks Scott Augenbaum, retired FBI Cyber Division supervisory special agent. He’s referring to the $6 trillion in cybercrime damage costs that the world is expected to incur by 2021, up from $3 trillion in 2015. Healthcare, one of the most cyber-attacked industries, is taking a big hit.

Healthcare cyberattacks are becoming more common and more expensive, even though they already account for extraordinary damage to medical systems, according to “The Future of Cybersecurity in Healthcare,” published by CyberMaxx, a cybersecurity firm that provides services to more than 300 healthcare providers, including four of the top 10 hospital systems in the U.S.

The CyberMaxx report, which features Augenbaum alongside a dozen industry experts and practitioners, states that as we head into the 2020s, healthcare cybersecurity professionals must work faster and smarter than ever to prevent, detect, and respond to attacks.

Taking Healthcare’s Temperature

To build on the CyberMaxx report, the editors at Cybercrime Magazine have compiled 15 of the latest facts, figures, predictions, and statistics, from various sources, to provide our readers with a synopsis of healthcare and cybersecurity.

1. Healthcare suffered 2-3X more cyberattacks in 2019 than the average for other industries, according to data in the Cisco/Cybersecurity Ventures Cybersecurity Almanac. Woefully inadequate security practices, weak and shared passwords, and vulnerabilities in code expose hospitals to perpetrators intent on hacking treasure troves of patient data.

2. The Department of Health and Human Services’ (HHS) Office for Civil Rights’ (OCR) breach portal reports that healthcare data breaches increased by 196 percent from 2018 to 2019, and that more data breaches were reported last year than in any other year on record. Texas topped the charts with more than 60 breaches reported, followed by California with 42, Illinois with 26, and New York and Ohio with 25 apiece.

3. More than 41 million patient records were breached in 2019, triple the number reported in 2018, according to the 2020 Breach Barometer published by Protenus, which states that for hospitals and health systems, these compromises bring regulatory penalties and financial costs, along with the loss of patient trust and bad publicity.

4. Personal health information is 50 times more valuable on the black market than financial information, and stolen patient health records can fetch upwards of $60 per record (10-20 times more than credit card data). Medical records often contain a complete identity: name, date of birth, Social Security number and medical history. Unlike a credit card number, these cannot be reissued, and together they can be used to establish a fake identity, open a credit account, or bill fraudulently for medical procedures.

5. The 2019 HIMSS Cybersecurity Survey states that phishing scams and other forms of email fraud are the most common point of information compromise in the healthcare vertical. The survey asked healthcare providers about their organizations’ email phishing test results, and, remarkably, 18 percent of respondents stated that their organization did NOT conduct phishing tests. Among non-acute care organizations, 36 percent do NOT conduct phishing tests at all.

6. Ransomware attacks on healthcare organizations were predicted to quadruple between 2017 and 2020, and to grow to 5X by 2021, according to a report from Cybersecurity Ventures. 91 percent of cyberattacks (on all types of organizations) begin with a spear-phishing email, and spear-phishing is the delivery method commonly used to infect hospitals and healthcare providers with ransomware.

7. Ransomware incidents accounted for more than 70 percent of all malware outbreaks in the healthcare vertical for the last year tracked, according to the 2019 Verizon Data Breach Investigations Report (DBIR). The DBIR is based on a data set collected from a variety of sources, including publicly disclosed security incidents, cases handled by Verizon Threat Research Advisory Center (VTRAC) investigators, and cases contributed by Verizon’s external collaborators.

8. After ransomware attacks and data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at hundreds of hospitals, according to a new study featured on PBS NewsHour. Heart attacks rank among the most common medical emergencies in the U.S., with approximately 735,000 Americans experiencing one every year.

9. Verizon’s 2019 DBIR also found that trusted insiders were responsible for 59 percent of all healthcare security incidents and breaches (both malicious and inadvertent) analyzed in the report. The DBIR indicated that the primary motivation for incidents and breaches perpetrated by insiders was financial gain.

10. Telemedicine is rising sharply, and it presents unique patient security challenges that healthcare providers are often unprepared for. The AHA states that 76 percent of U.S. hospitals connect with patients and consulting practitioners using video and other technology, and a study by the National Business Group on Health (NBGH) found that virtually all (96 percent) of the nation’s large employers were expected to provide medical coverage for telehealth in 2019. In 2020 the Centers for Medicare and Medicaid Services (CMS) announced an expansion of telehealth services, widening provider access to its 62 million Medicare beneficiaries.

11. A 2019 report from Cybersecurity Ventures points to concerning data from various sources on the IoMT (Internet of Medical Things): medical devices in use by hospitals and other healthcare organizations average 20+ years of service per device, which leaves them running unsupported software and makes them prime hacker targets; the average hospital room contains 15-20 connected medical devices; and the number of IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones. Looking ahead, by 2028 as many as 50 billion medical devices will connect to clinicians, health systems, patients, and each other, according to research from the IBM Institute for Business Value.

12. 98 percent of IoT device traffic is unencrypted, exposing personal and confidential data in transit on the healthcare organization’s network to anyone who can observe it, according to a report from Unit 42, the global threat intelligence team at Palo Alto Networks. Becker’s Health IT states that the researchers examined 1.2 million IoT devices at thousands of healthcare organizations.

13. Cybersecurity Ventures posits that new exploits in patient medical devices will be the most dangerous cyber threat over the next decade. Historic data breaches compromised patient data and software. Now, hundreds of thousands, and possibly millions, of people can be hacked via their wirelessly connected and digitally monitored implantable medical devices (IMDs), which include implantable cardioverter defibrillators (ICDs), pacemakers, deep brain neurostimulators, insulin pumps, ear tubes, and more.

14. Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs by 2021, up from one million positions in 2014. The labor shortage is magnified in the healthcare industry, which struggles to attract and retain the most experienced cybersecurity professionals due to its abundance of legacy systems, lower compensation, and other factors.

15. 87 percent of healthcare IT security leaders say they don’t have the personnel needed to achieve a more effective security posture, and more than half of healthcare organizations experienced a cyberattack in the past year, according to a new report from Keeper Security. Those figures are even worse than a three-year-old report from the HHS Health Care Industry Cybersecurity Task Force, which showed that 75 percent of hospitals were operating without a designated security person.

A theme of modern cybercrime is that technology advances as quickly for malicious actors as for whitehat developers, according to the CyberMaxx report. The digital cat-and-mouse game between hackers and healthcare providers is a thing of the past, and of the future.

Our nation is sick and suffering through the novel Coronavirus pandemic. Healthcare CIOs and CISOs, and their IT security teams, cannot allow COVID-19 to distract them from phishing scams, ransomware attacks, rogue insiders, and medical device hacks that will continue to be launched on their organizations, employees, and patients.

All healthcare workers, including those in IT and security, are our nation’s heroes and we applaud their efforts. There is nothing, in our opinion, to suggest that any of the statistics in this article are of their own making. Rather, the healthcare industry has unique problems, as it relates to cybersecurity, that are not easy to solve.

With lives on the line, there is a strong demand for cybersecurity precautions that don’t slow down medical professionals. “Security has to enable the everyday functions of a hospital, not block them. We have to strive to find controls that are effective but transparent,” says Thomas Lewis, CEO of CyberMaxx.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.



Sponsored by CyberMaxx

With more than 15 years of experience, CyberMaxx prevents, detects and responds to cyberattacks for healthcare organizations. CyberMaxx services include endpoint threat detection and response, network-based threat detection and prevention, security information and event management (SIEM) with advanced data analytics, vulnerability risk management, and incident response services.

Contact CyberMaxx for more information about healthcare cybersecurity solutions by visiting CyberMaxx.io.