Are Healthcare Nonprofits More At-Risk of Cyber Attacks?

By Devin Partida, Editor-in-Chief,
Twitter: @rehackmagazine

Unlike other sectors where nonprofits serve lower-income populations, health care nonprofits usually serve people with higher-than-average incomes and they tend to have strong financial resources. They’re also far more common than for-profit hospitals. Therefore, nonprofit health care organizations may be more at risk of cyberattacks, if for no other reason than chance alone.

What Makes a Good Target?

Cybercriminals look for two main qualities in their victims — wealth and vulnerability.

Wealth includes money itself, of course, but personal data is also a goldmine — hackers can exploit it to access people’s bank accounts. Health care organizations are highly profitable and store vast troves of sensitive information, including people’s names, credit card numbers, addresses, birthdays and Social Security numbers.

The health care sector is also notorious for lagging behind when it comes to online security measures. In fact, a 2020 Healthcare Information and Management Systems Society (HIMSS) survey found health care organizations spend 6% or less of their IT budget on cybersecurity.

Why Health Care Suffers Heavy Losses

The combination of wealth and poor cybersecurity makes all health care organizations — for-profit and non-profit, alike — prime targets for hackers. In 2020, the health care sector incurred the highest average data breach costs of any industry at $7.13 million per attack, a full 10% increase compared to 2019. It has held this unfortunate claim to fame since 2010.

Hackers can earn huge windfalls from a single attack, and out of all companies that suffer financial losses due to a security breach, almost 40% of them lose at least a fifth of their earnings. Data breaches also mean patients can lose their privacy and trust in the health care system.

There are far more non-profit than for-profit hospitals in the U.S., so hackers are statistically more likely to attack a nonprofit. Although their name implies lower funds, nonprofit health care organizations have deep financial reserves, and they simply have to reinvest their profits rather than line the pockets of stakeholders. What can they do to protect themselves and their patients against cybercrime?

Preventive Measures

First, health care nonprofits should invest more of their IT budget in cybersecurity. The extra funds will allow security teams to conduct more thorough cybersecurity risk assessments, helping hospitals recognize the likelihood of data breaches and how damaging they would be. A greater cybersecurity budget would also help implement stronger security control measures.

It’s crucial that health care organizations educate their entire staff about data protection. Many staff members have access to a computer and input patient data throughout the day. In addition to the IT department, doctors, secretaries, nurses and maintenance workers need to be briefed on cybersecurity best practices.

If employees use personal cell phones in the workplace, the IT department should take steps to secure these devices to avoid widespread network breaches. Home devices connected to the network can introduce malware.

Another step to prevent cyberattacks is by encrypting all data. Patient files and payment records contain highly sensitive information, so staff must store them in an encrypted system. Only certain staff members should have administrative network access. When admins rank files according to their sensitivity, only approved individuals will be able to access the most sensitive data. Other staff members must ask permission to view individual files.

Additionally, healthcare IT departments should utilize alarms to inform them about potential data breaches. Unusual network activity like an unknown login location, system use at odd hours or repeated password attempts can trigger alerts.

A Growing Threat

Few organizations have as much at stake as health care providers. Although nonprofits may be more at risk of cyberattacks than for-profit organizations, the entire health care sector must take steps to improve its lackluster security or risk falling victim to devastating data breaches. The health and safety of patients is on the line.