Article August 3, 2021

Cyber security issues in healthcare

The healthcare industry has always been particularly vulnerable to cybersecurity threats. Digital health and eHealth are taking the industry by storm, transforming everything from patient monitoring to diagnosis, and making effective cyber security increasingly essential to the industry. As cyber criminals become more sophisticated and orchestrate more elaborate attacks, cybersecurity challenges in healthcare will also continue to evolve and become more common. Data breaches, malware, cloud threats, misleading websites, phishing attacks, and attacks on medical devices are just a handful of the most common cyber-attacks that the healthcare industry faces.

Why is the healthcare industry a target for cyber crime?

There are several reasons why the healthcare industry is particularly vulnerable to cyber-attacks.

Most organizations that handle large amounts of sensitive and confidential information are targets for criminals. Withholding or selling this information has huge potential financial benefits for criminals.

Additionally, many healthcare organizations, particularly public ones, often have little capital to invest in updating their technologies or systems. This leaves them vulnerable to cyber criminals who have discovered weak spots in security, or are able to exploit bugs in the system.

Healthcare organizations also use a large number of devices to conduct procedures and to store and distribute information, creating more weak spots for cyber criminals to exploit.

Most cybersecurity breaches attempt to obtain money, and many cyber criminals see obtaining confidential information as the equivalent of direct access to cash, as this information can be sold on. This creates problems not only of general security but also of patient confidentiality.

Common cybersecurity challenges in healthcare

Being aware of some of the most common cybersecurity challenges in healthcare can be the first step to understanding how criminals attempt to exploit organizations and what can be done to reduce potential weak spots within the business. Below are some of the most common cybersecurity challenges faced by healthcare organizations in recent years.

Phishing attacks

Phishing attacks are one of the most common forms of cyber-attack, affecting not just the healthcare industry but businesses of all types and sizes, as well as individuals. Phishing attacks are most commonly conducted by distributing emails, although they can also occur via telephone calls and text messages. Attackers attempt to gain access to company files and other sensitive information by impersonating an employee or a reputable company. Sometimes criminals will request information directly or use fake websites and forms to extract sensitive information.

Malware and Ransomware

Cyber criminals can also install malware and ransomware onto devices or company systems that can shut down individual devices and even entire servers. Malware is a blanket term for any viruses and harmful computer programs installed onto a computer by an unauthorized individual. Ransomware is a common type of malware that is designed to lock access to files or systems and demand payment in exchange for restoring access to the affected devices. Malware can present significant security issues for the healthcare industry: it can expose PII and other sensitive information, and once installed it can be challenging and costly to remove and to regain access to files.

Threats to cloud infrastructure

Adopting cloud infrastructure is commonly seen as a method of protecting sensitive information from access or exploitation by unauthorised individuals. However, healthcare organizations should not be naive to the risks that relying solely on cloud infrastructure can pose. Ignoring updates, failing to address weak spots and over-reliance on cloud infrastructure can all be exploited by cyber criminals.

Employee errors

Employee errors can occur as a result of a lack of training or knowledge, or simply by mistake. It can be as simple as clicking on a link they believe to be legitimate, or accidentally sharing a file with an unauthorised individual. While the risk of human error can never be removed entirely, ensuring that healthcare workers are using strong passwords and are trained to spot phishing attacks and other cyber security threats can help to decrease this risk. 

Failure of digital health devices

Whether due to a malicious attack, or as a result of other systems falling victim to cyber criminals, the failure of digital health devices can present a serious cyber and health risk. While cyber criminals may have less to gain from disabling eHealth devices, they may demand a ransom to bring the affected devices back online. In some instances, the failure of such devices could mean a patient’s irregular levels go unnoticed, or could threaten their wellbeing.


Falling victim to these attacks can cause not only financial loss, but also reputational damage and potential loss of future business. Every healthcare business should take steps to ensure that they enforce an air-tight cybersecurity policy to avoid falling victim to these common threats.

Best practices for improving cybersecurity in healthcare

While the risk of a cyber attack can never be removed entirely, there are various methods and best practices to follow to help combat the risk of cyberattacks and overcome some of the most prominent cybersecurity challenges in healthcare.

Create a security-focused culture

It is often said that employees can act as the last line of defence in the case of many cyber attacks, particularly phishing attacks. Fostering a security-first culture can ensure that all cybersecurity policies and protocols become second nature to employees and workers. Regular training should also be conducted to keep employees up to date on any new threats to the industry and provide refreshers on how to spot, manage and report cybersecurity breaches so they can be dealt with before they become a larger threat.

Anti-virus software and firewalls

Installing anti-virus software and creating firewalls can make it much more challenging for cyber criminals to infiltrate your systems. However, it is important to remember that anti-virus software and firewalls cannot be relied upon alone, as scams such as phishing attacks or offline cyber attacks cannot be spotted or prevented using these methods. To keep your anti-virus software running as effectively as possible, ensure that all employees regularly update their software when prompted to avoid unnecessary exposure.

Routine data back-ups

Backing up sensitive data into a secure system can aid in recovery from a cyber attack, as data can be more easily retrieved and restored, minimising business disruption. For healthcare organizations, hiring cyber security professionals or buying custom-made software can ensure that there is a suitable recovery plan and countermeasures in place should an attack occur.

Create strong passwords

One of the most commonly suggested best practices for cyber security at any organization is to encourage the use of strong passwords. Additionally, employees should be encouraged to use different passwords for different devices, programs and systems. If employees use the same password for multiple accounts, cybercriminals need only guess one password to gain access to sensitive data across multiple programs. To help employees keep track of multiple passwords, consider a subscription to a secure password manager system.

CFC’s healthcare insurance

Keeping up to date with the latest cybersecurity trends and challenges within the healthcare industry is the first step to ensuring adequate protection of sensitive data against these threats. 

At CFC, we provide dedicated digital health insurance cover and market-leading cyber insurance for health professionals and organizations adopting more digital health and eHealth services in patient monitoring and care. Our digital health insurance and cyber insurance covers individuals and organizations in the event of medical technology errors and omissions, recovery of exposed records and PII, and failure of wearable monitoring devices. 

For more information on cyber security policies and digital health insurance products, get in touch with our healthcare insurance specialists.