eLearnSecurity Blog

Healthcare Cybersecurity Breaches Cost $6 billion a Year

Criminal attacks are the number one cause of cybersecurity breaches in the healthcare industry and are costing these companies billions annually. According to a study by the research firm Ponemon Institute, 90 percent of healthcare organizations had a security breach in the past two years, and 40 percent of those organizations had more than five data breaches in that period. These are striking numbers, and in recent months Anthem and Premera Blue Cross were among the organizations highlighted as victims of such attacks.

“Healthcare identity theft is really profitable. Selling stolen healthcare information on the black market pays ten times more than selling a stolen credit card number,” says IT security researcher Davide “GiRa” Girardi. “This information can be used to buy drugs or medical equipment, or to file fake insurance claims. We all know that these things cost a lot, and so do the cyber criminals.”


Lack of IT Security Infrastructure in Healthcare Organizations

Data breaches are costing the medical industry $6 billion a year. Criminals are widening their attack scope and going after medical records rather than the usual targets, retailers and financial firms.

Since the study began in 2010, healthcare organizations have started to invest in protecting their data, but that investment still lags behind the rapidly growing threats. Access the report here – Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data by the Ponemon Institute.

Penetration Testing & Security Awareness Training

There are two main aspects to better IT security in the healthcare industry: regular penetration testing and well-executed security awareness training.

  • Regular Penetration Testing – Penetration testing is not just about HIPAA compliance! You need to hire a good team of professionals with strong practical skills: people who can run the tools properly AND get their hands dirty with manual testing, and who will find any and all vulnerabilities. Assessments of healthcare organizations turn up easy-to-exploit vulnerabilities far too often, which should not happen. A penetration test is not just running some automated tools!
  • Proper Security Awareness Training – The second key point is security awareness. Many incidents are paper-based or exploit information found on lost or stolen devices, and breaches often happen because data is shared on public cloud services. If employees understand the security implications of their actions, they will behave with security in mind.

Message to Healthcare Organizations

GiRa closes with a message to the healthcare industry on establishing a healthy IT security system.

“Cyber-attacks are a reality as much as diseases. IT security teams, secure IT infrastructures and awareness programs are your doctors, medical labs and vaccines.”



Davide “GiRa” Girardi is a security researcher and instructor. He has 8+ years of experience in system hardening and security consultancy on Linux, Windows, OS X and mixed environments.

LinkedIn: https://www.linkedin.com/pub/davide-girardi/76/652/744




  • Ed Sellers says:

    A good part of that cost figure likely includes mandated standardization and coding costs. Coding is being out-sourced by many hospitals – targets for the hackers – and standardization makes all medical data instantly readable – and marketable. Surprised? Everyone saw that coming from day one.
