
Healthcare Industry To Spend $125 Billion On Cybersecurity From 2020 to 2025

Cybercriminals are taking advantage of hospitals and medical practices focused on COVID-19

The 2020-2021 Healthcare Cybersecurity Report is sponsored by Herjavec Group, a leading global cybersecurity advisory firm and Managed Security Services Provider (MSSP) with offices across the United States, Canada, and the United Kingdom.

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Sep. 8, 2020

Healthcare spending in the U.S. — which is the highest among developed countries — accounts for 18 percent of the nation’s gross domestic product, or about $3.5 trillion, according to the Centers for Medicare & Medicaid Services, and that figure is projected to soar over the next decade.

One report predicts that global healthcare spending will rise from nearly $8 trillion (USD) in 2013 to more than $18 trillion in 2040.

By and large, the tantalizing target on healthcare’s back has been attributable to outdated IT systems, fewer cybersecurity protocols and IT staff, valuable data, and the pressing need for medical practices and hospitals to pay ransoms quickly to regain data.

Cybersecurity Ventures predicts the global healthcare cybersecurity market will grow by 15 percent year-over-year over the next five years, and reach $125 billion cumulatively over a five-year period from 2020 to 2025.

What’s driving this astronomical investment into cyber defense? Cyber offense. Namely, a vast number of wide-ranging hacks and data breaches launched on hospitals and healthcare providers.


Healthcare suffers 2-3X more cyberattacks than financial services

A year ago, well before the COVID-19 pandemic, The Wall Street Journal reported that cyberattacks on healthcare providers and hospitals had intensified to the point where some doctors were turning away patients.

But wait, it gets worse.

Some healthcare centers turned off their lights and pulled the plug on their operations altogether. Apparently they couldn’t handle the post-attack disruption to their operations.

A medical clinic in Simi Valley, Calif. shut its doors after being infected by a ransomware attack. An ear, nose, throat (ENT) and hearing center in Battle Creek, Mich. closed after a data hack wiped out all of its files.

“Healthcare organizations experience very particular security challenges and it’s not because the cyberattacks are unique, but because of what’s at stake,” says Robert Herjavec, founder and CEO of Herjavec Group, a leading global cybersecurity firm and Managed Security Services Provider (MSSP).

IoT insecurity.

Kathy Hughes, CISO (chief information security officer) at Northwell Health, one of the nation’s largest healthcare systems, told Cybercrime Magazine that IoT (Internet of Things) devices are, in her opinion, computers with operating systems (OS), similar to other types of computers — and those devices are susceptible to the same cyber threats. She added that IoT devices have a small OS and that security is a bolt-on rather than built-in.

Inside jobs.

The insider threat is the number one security challenge for hospitals, according to Hughes, who is responsible for protecting 68,000 employees. That headcount makes Northwell, a non-profit, New York state’s largest private employer.

More than half of insider fraud incidents within the healthcare sector involve the theft of customer data, according to CMU SEI (Carnegie Mellon University Software Engineering Institute).


Hacking patients’ medical devices is a common cyberattack during the COVID-19 pandemic because more patients are using remote care, according to Natali Tshuva, CEO and co-founder of Sternum, an IoT cybersecurity company that provides medical device manufacturers with built-in security solutions.

The temporary and makeshift medical facilities being used to care for people infected with the novel coronavirus have created more vulnerabilities for hackers to exploit.

COVID-19 phishing exploded earlier this year, according to research from KnowBe4, a leading security awareness training provider. Many of the scams seemed to come from organizations such as the World Health Organization and the Centers for Disease Control. Already overburdened healthcare IT and cybersecurity teams have been tasked to keep up on these new threats.


Healthcare Cybersecurity Statistics

To sum up the state of cybersecurity in the healthcare industry, the editors at Cybercrime Magazine have compiled the following data points:

  • Cybersecurity Ventures predicts that healthcare will suffer 2-3X more cyberattacks in 2021 than the average amount for other industries. Woefully inadequate security practices, weak and shared passwords, and vulnerabilities in code expose hospitals to perpetrators intent on hacking treasure troves of patient data.
  • Ransomware attacks on healthcare organizations were predicted to quadruple between 2017 and 2020, and will grow to 5X by 2021, according to a report from Cybersecurity Ventures.
  • The U.S. Department of Health and Human Services (HHS) Secretary’s Breach of Unsecured Protected Health Information list includes 592 breaches of unsecured protected health information affecting 500 or more individuals within the last 24 months that are currently under investigation by the Office for Civil Rights. 306 of the breaches were submitted in 2020.
  • Cybersecurity blogger and author Brian Krebs reported late last year that hospitals hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts. This is according to a study by Vanderbilt University.

Fake tumors?

The scariest of all cyber malintent in the healthcare space may lie ahead.

Researchers in Israel announced last year that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, according to a story by Kim Zetter in The Washington Post.

Saving lives.

“Patients’ lives are at stake,” says Herjavec. “If a cyberattack happens in healthcare, then health records can be stolen, life-saving devices can be disrupted — you name it. Unfortunately, these challenges are only intensifying as the COVID-19 pandemic accelerates digital transformation.”

Herjavec has been warning about ransomware attacks on hospitals and healthcare providers for more than three years.

Healthcare providers, boards and C-suite executives need to take the cyber threat as seriously as Herjavec does. Nobody wants a patient death to be a wake-up call for cybersecurity.


Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.


Our Sponsor

At Herjavec Group, cybersecurity is what we do. Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. We have expertise in comprehensive security services including Managed Security Services & Professional Services (Advisory Services, Identity Services, Technology Implementation, Threat Management & Incident Response). Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.