Digital transformation has exposed systems to a mounting wave of cyberattacks, resulting in healthcare data breaches that affect millions of Americans every year.
Breaches of unsecured protected health information have affected over 42.7 million United States citizens thus far in 2023, according to reports from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
This is a 50% increase from the 28.4 million Americans affected in the same period in 2022 and surpasses the 39.9 million affected individuals in the entire year of 2021.
Although the number of cybersecurity breaches slightly declined this year, the dramatic increase in affected individuals suggests that criminals are targeting larger networks.
For example, a recent ransomware attack against the Centers for Medicare & Medicaid Services (CMS) jeopardized the personal information of more than 254,000 Medicare beneficiaries.
"Hackers can exploit various entry points, ranging from physical medical devices in and outside of medical facilities to gaining unauthorized access to networks from nearly any connected device, medical or not. The implications of such attacks can be far-reaching, affecting patient privacy, interrupting healthcare services, and jeopardizing the safety and effectiveness of medical devices," says Ashley Clarke, Medical Analyst at GlobalData.
Cybercriminals are increasingly targeting companies making medical devices. Last year, the U.S. Food and Drug Administration (FDA) warned that hackers might have gained access to the Medtronic insulin pump system and could compromise the pump's insulin delivery.
Another prominent medtech company, Becton Dickinson, recently identified cybersecurity vulnerabilities in its Alaris infusion pump system. If successfully exploited, they could allow criminals to compromise sensitive data and hijack a session, the U.S. Cybersecurity and Infrastructure Security Agency warned.
To counter increasing cybersecurity threats, the FDA introduced new guidelines for medical device manufacturers in March 2023. These guidelines require manufacturers to submit a plan to monitor, identify, and address post-market cybersecurity vulnerabilities when applying for new pre-market authorizations.
“This approach is a start to enforcing a minimum level of security and encouraging routine cybersecurity testing to identify and address vulnerabilities before they can be exploited. However, older devices and non-medical devices connecting to remote patient monitoring and telehealth services could still pose a significant risk,” Clarke adds.
Healthcare, financial services, and manufacturing were the three industries most impacted by cybersecurity breaches in 2021. According to a 2022 report from Proofpoint Inc. and the Ponemon Institute, 89% of the surveyed healthcare organizations experienced an average of 43 cyberattacks in the past 12 months.
- Proofpoint Inc. Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care.
- U.S. Cybersecurity and Infrastructure Security Agency. BD BodyGuard Pumps.
- GlobalData. Alarming surge in healthcare cybersecurity breaches warrants improved protection measures, says GlobalData.