Cybersecurity in Healthcare Organizations

Perhaps more than any other sector, healthcare has the most to lose from a cyberattack. Healthcare organizations hold large volumes of protected health information (PHI) and billing data, so they carry a lot of risk and have a lot at stake.

In this blog, we will walk you through some of the most common cybersecurity threats in healthcare so that your team can get ahead of them.

Understanding Cybersecurity Threats in Healthcare

Almost any business, no matter the size and no matter the industry, has something to lose in a cyberattack. But in healthcare there is simply more at stake. Patient data is highly protected, and rightly so. HIPAA compliance is one of the more cumbersome obligations in the industry, but it exists for an important reason. The implications of not taking cybersecurity seriously include:

  • a ransomware attack that disrupts care delivery, which in the worst case can contribute to a patient's death (see this case in Germany in 2020)
  • lawsuits from patients whose data was leaked
  • financial loss from paying a ransom (and paying guarantees neither that data is recovered nor that it is not leaked anyway)
  • financial loss from other fallout of the cyberattack
  • negative press surrounding your institution, lack of trust from the public, etc.

Clearly, your healthcare organization doesn’t want to deal with any of that! Learn where your organization could be the most vulnerable below.

Common Security Breaches in Healthcare

Perhaps a silver lining to this problem is that the weak points in healthcare organizations are fairly predictable, so an experienced IT provider can spot and remediate them. If you read this list and recognize your own organization, don't hesitate to give us a call at ABQ-IT so we can help you take the steps you need to secure your business.

Outdated Legacy Systems

The healthcare industry is increasingly relying on new technology—from electronic health records to robots that can do surgery. But new technology is expensive, and not all healthcare organizations are excited about jumping on board with all the new technology that comes their way.

Whatever your reasons for hesitating, financial or otherwise, outdated legacy systems are among the most exposed to cyberattack.

Once a manufacturer declares a system end-of-life, it stops receiving security updates, so every vulnerability found after that date stays open for as long as the system is in use. For an unsupported medical device that also means no help from the manufacturer when something goes wrong, and if a breach traces back to that device you will have a hard time showing you exercised due care. Where a legacy device cannot be replaced yet, isolate it on its own network segment, restrict which hosts can talk to it, and keep it off the internet.

Current, supported software and devices receive manufacturer security updates and are eligible for vendor support when a vulnerability is disclosed. That is the real benefit: not that new equipment is inherently secure, but that it can be kept patched.

Vendors/Market Suppliers Susceptibility

Even if your organization has done everything it can to protect itself, working with third-party vendors is an unavoidable source of cybersecurity risk in healthcare. Industry surveys regularly find that more than half of organizations have experienced a security incident that originated with a third party.

Attackers get a two-for-one when they compromise a business that holds access to other businesses' data, and a vendor serving many healthcare clients is exactly that kind of target.

We're not saying you should stop working with third parties; at times you will have to. But we are encouraging you to ask questions. Don't assume that a third party understands HIPAA or has the same safeguards in place that your organization does. Any vendor that creates, receives, stores or transmits PHI on your behalf is a business associate under HIPAA and must sign a business associate agreement (BAA) before it touches that data. Do your research as well: breaches of unsecured PHI affecting 500 or more people are posted publicly by the HHS Office for Civil Rights, and a vendor's history of incidents is often a web search away.

Once you're working with a third party, apply the principle of least privilege: give the vendor access only to the data and systems its job requires, and nothing more. HIPAA's "minimum necessary" standard says the same thing. A billing service does not need clinical notes, and a scheduling service does not need insurance details. Staying secure is in both your interest and the vendor's, so you should not get pushback on these requests, and a vendor that does push back is telling you something.
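One way to enforce that minimum-necessary rule in practice is an allowlist per vendor role, applied at the point where data is exported. The following is an added example, not code from ABQ-IT or from the original post; the vendor roles, field names, sample records and export key are all constructed for illustration. Fields the vendor is not entitled to are withheld and reported rather than silently dropped, a vendor with no agreement on file gets nothing, and the medical record number leaves as a keyed pseudonym so the vendor can still match records to each other.

```python
"""Minimum-necessary export for a third-party vendor (added example, not ABQ-IT code).

Assumptions, not taken from the post: the vendor roles, field names, patient
records and the export key below are all constructed for illustration.
"""
import hashlib
import hmac

# Allowlist of PHI fields each vendor role may receive. Anything not listed
# is withheld no matter what the vendor's export request asks for.
VENDOR_FIELDS = {
    "billing":   {"mrn", "name", "dob", "insurance_id", "procedure_codes"},
    "lab":       {"mrn", "dob", "ordered_tests"},
    "scheduler": {"mrn", "name", "phone"},
}

# Identifiers that leave the organization as keyed pseudonyms, so the vendor can
# match records to each other without learning the real medical record number.
PSEUDONYMIZED = {"mrn"}

# Constructed sample records (no real patients).
SAMPLE_RECORDS = [
    {"mrn": "00123456", "name": "A. Patient", "dob": "1975-03-14", "phone": "555-0100",
     "insurance_id": "INS-7781", "procedure_codes": ["99213"], "diagnosis": "J06.9",
     "clinical_notes": "..."},
    {"mrn": "00123457", "name": "B. Patient", "dob": "1988-11-02", "phone": "555-0101",
     "insurance_id": "INS-9920", "procedure_codes": ["99214", "93000"], "diagnosis": "I10",
     "clinical_notes": "..."},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of an identifier; unlinkable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def export_for_vendor(records, vendor, requested_fields, key):
    """Return (rows, denied_fields) containing only what this vendor may see.

    Raises PermissionError for a vendor with no entry, i.e. no agreement on
    file: the default is to share nothing.
    """
    if vendor not in VENDOR_FIELDS:
        raise PermissionError(f"no agreement on file for vendor {vendor!r}")
    allowed = VENDOR_FIELDS[vendor]
    requested = set(requested_fields)
    granted = requested & allowed
    denied = sorted(requested - allowed)      # reported back, never silently dropped
    rows = []
    for rec in records:
        row = {}
        for field in sorted(granted):
            if field not in rec:
                continue
            value = rec[field]
            row[field] = pseudonymize(value, key) if field in PSEUDONYMIZED else value
        rows.append(row)
    return rows, denied


if __name__ == "__main__":
    key = b"constructed-export-key-rotate-per-vendor"
    rows, denied = export_for_vendor(
        SAMPLE_RECORDS, "billing", ["mrn", "name", "diagnosis", "clinical_notes"], key)
    print("sent:", rows)
    print("withheld:", denied)
```

The key used for pseudonymization should be unique per vendor, so that two vendors cannot join their exports on the pseudonym, and the list of withheld fields belongs in your audit log: repeated requests for fields outside a vendor's role are worth a conversation.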

E-mail & HIPAA Compliance

One of the most innocent-looking places where a healthcare facility can be exposed is email. Larger organizations usually already have a tightly controlled email setup, but with smaller or newer providers we often see email become the place where protected health information slips through the cracks.

Imagine you're a medical practitioner in private practice. When striking out on your own, making sure your email with patients is encrypted, or that all online communication goes through a secure portal, may not be your highest priority.

But if your mailbox, or anyone on your team's, is compromised, every piece of PHI sitting in it is exposed. At that point you are not only out of compliance with HIPAA but likely facing a reportable breach, and at the mercy of whatever the attacker chooses to do with the data. Note that transport encryption (TLS between mail servers) protects a message in transit; it does nothing for messages stored in a mailbox the attacker now controls, which is why multi-factor authentication on every mail account matters as much as encryption does.

It's not hard to find a patient portal or secure messaging product that integrates with your existing systems, so that communication with patients is encrypted and PHI stays out of ordinary mailboxes in the first place.
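A lightweight safeguard that pairs well with a portal is a pre-send check on outbound mail: anything leaving the organization that carries recognizable PHI is blocked and the sender is pointed to the portal. The script below is an added example, not code from ABQ-IT or the original post; the internal domain, portal URL, MRN format and both sample messages are constructed for illustration.

```python
"""Pre-send check that keeps PHI out of ordinary email (added example, not ABQ-IT code).

Assumptions, not from the post: the internal domain, portal URL, MRN format
and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"clinic.example"}            # assumed: mail that stays inside
PORTAL_URL = "https://portal.clinic.example"    # assumed secure-messaging portal

# Identifiers that should never travel in plain email. The MRN format is an
# assumption; adapt it to your EHR.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def body_text(msg):
    """Concatenate all decoded text/plain parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            chunks.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(chunks)


def check_outbound(raw_message):
    """Decide whether a message may go out as ordinary email.

    Returns {"action": "send"|"block", "external": [...], "phi": [...]}.
    Internal-only mail passes. Mail leaving the organization is blocked if it
    carries recognizable PHI or any attachment (attachments are not inspected
    here, so they are treated as PHI-bearing when the recipient is external).
    """
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    if not external:
        return {"action": "send", "external": [], "phi": []}
    text = body_text(msg)
    findings = sorted(name for name, pattern in PHI_PATTERNS.items()
                      if pattern.search(text))
    if any(part.get_filename() for part in msg.walk()):
        findings.append("attachment")
    if findings:
        return {"action": "block", "external": external, "phi": findings,
                "hint": f"send through {PORTAL_URL} instead"}
    return {"action": "send", "external": external, "phi": []}


# Constructed sample messages (no real patients).
INTERNAL_MSG = """From: dr.smith@clinic.example
To: nurse.jones@clinic.example
Subject: Chart note
Content-Type: text/plain; charset=utf-8

Please update MRN: 00123456, SSN on file is 123-45-6789.
"""

EXTERNAL_MSG = """From: dr.smith@clinic.example
To: referrals@otherclinic.example
Cc: front.desk@clinic.example
Subject: Referral
Content-Type: text/plain; charset=utf-8

Forwarding patient MRN: 00123456, DOB 03/14/1975 for a cardiology consult.
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MSG, EXTERNAL_MSG):
        print(check_outbound(raw))
```

Pattern matching like this catches the obvious cases, not every one; its value is in making the secure path the path of least resistance. If you cannot hook a check like this into your mail flow, the same rules belong in staff training.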

Employees and Social Hacking/Social Engineering

While your team is the heartbeat of your organization, it can also be the biggest liability when it comes to getting hacked. Social engineering (sometimes called social hacking) is when an attacker manipulates people rather than systems to gain access to private information.

They do this by any number of methods, including dumpster diving for documents that should have been shredded, posing as an employee or an official, posing as an IT technician, tailgating through a badge-controlled door, and outright stealing tablets or laptops.

Lax procedures and untrained staff are what make social engineering succeed. Training every team member about these risks is the best mitigation, backed by a few simple rules: verify unexpected callers through a number you already have, escort visitors, shred paper records, and encrypt every laptop and tablet so that a stolen device is a lost asset rather than a breach of unsecured PHI.

Phishing is another common way breaches happen in healthcare. Phishers target businesses as readily as individuals, and their messages can look very official, apparently coming from an EHR vendor, an insurer, or your own IT department. It's essential that healthcare organizations train their team members to recognize a phishing message and make it easy to report one.

If an employee follows a link in a phishing email and enters their username and password into a mirrored (fake) login page, the attacker now holds valid credentials and can sign in to the real system, including anything that exposes electronic protected health information. Password-only logins make that credential worth stealing; multi-factor authentication limits the damage, and phishing-resistant methods (FIDO2 security keys or passkeys) defeat the lookalike page outright, because they will not authenticate to a domain other than the real one.
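The tells in a credential-harvesting email are mechanical enough to check automatically: a link whose visible text names one domain while the href points at another, a lookalike host built from digit-for-letter swaps, or a login link that is not even HTTPS. The scanner below is an added example, not code from ABQ-IT or the original post; the trusted login hosts, the homoglyph table (a small subset) and the sample lure are constructed for illustration.

```python
"""Spot credential-harvesting links in an email body (added example, not ABQ-IT code).

Assumptions, not from the post: the trusted login hosts and the sample HTML
are constructed; the homoglyph table is a small illustrative subset.
"""
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts where staff legitimately enter credentials (assumed).
TRUSTED_HOSTS = {"login.clinic.example", "portal.ehrvendor.example"}

# Characters commonly swapped in lookalike domains (subset; extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalise(host):
    """Fold digit-for-letter swaps and the classic 'rn' -> 'm' trick."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m")


def registrable(host):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def displayed_host(text):
    """If the link text looks like a URL or hostname, return its host, else None."""
    if " " in text or "." not in text:
        return None
    url = text if "://" in text else "https://" + text
    return (urlparse(url).hostname or "").lower() or None


def assess_link(href, text):
    """Return reasons this link looks like a lure; an empty list means no finding."""
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if host in TRUSTED_HOSTS:
        return []
    reasons = []
    if url.scheme != "https":
        reasons.append("not https")
    shown = displayed_host(text)
    if shown and registrable(shown) != registrable(host):
        reasons.append(f"text shows {shown} but link goes to {host}")
    for trusted in TRUSTED_HOSTS:
        if normalise(host) == normalise(trusted):
            reasons.append(f"homoglyph of {trusted}")
        elif SequenceMatcher(None, host, trusted).ratio() >= 0.8:
            reasons.append(f"near-miss of {trusted}")
    return reasons


def scan_html(html):
    """Return [(href, reasons)] for every link that raised at least one reason."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = assess_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample "password expiry" lure.
SAMPLE_HTML = """<p>Your password expires today. Sign in to keep access.</p>
<a href="http://login.c1inic.example/reset">https://login.clinic.example/reset</a><br>
<a href="https://login.clinic.example/help">Help desk</a>"""

if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

A check like this belongs in the mail gateway or in a "report phishing" workflow, not in place of training: attackers also use perfectly clean hosts they have registered or compromised, which no lookalike test will flag. That gap is exactly what phishing-resistant MFA closes, since a security key or passkey will not sign in to any host other than the one it was registered with.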

Start with a Cybersecurity Risk Assessment

No matter what size of healthcare organization you're part of, your next steps matter. If your organization is large enough to have a Chief Information Security Officer or a Chief Information Officer, raise any red flags with them and follow the security rules they already have in place.

If your business is smaller, it's smart to bring in cybersecurity professionals like ABQ-IT to do a risk assessment and advise you on how to fix any vulnerabilities your business has.

As medical professionals, it is your job to know that you work in a field that handles sensitive information and requires an extra measure of care. But it's not your job to stay on top of the latest cyber threats and defenses; leave that to a healthcare cybersecurity specialist like us.

Schedule a risk assessment with ABQ-IT today.