A recent New England Journal of Medicine article provides healthcare cybersecurity guidance.
If you think of keeping your healthcare organization’s data secure as an “administrative nuisance,” then you need to think again.
That’s the message of a recent Perspective article that appears in the July issue of The New England Journal of Medicine. The recent attacks against the National Health Service and a Pennsylvania-based organization highlight how cybersecurity needs to be at the forefront of industry leaders’ minds, the article authors wrote.
The threat against healthcare systems, they said, is mounting. Citing a study by the independent Ponemon Institute, the authors said that about 90% of surveyed healthcare organizations have experienced data breaches during the past two years, with 64% saying the attacks were directed toward medical files in 2016. That’s a year-over-year increase in medical-file attacks of 9%.
There’s a reason why medical files are especially valuable to hackers, the authors explained. That’s because the information contained in those files is “durable.” Social security numbers, credit card numbers and insurance information can all be changed. A patient’s medical records cannot. This means hackers can sell this type of information at a premium. The authors cited the example of a hacker who sold 600,000 medical records on the dark web in June 2016.
Many of these attacks, the authors wrote, are of the denial of service (DoS) variety. Hackers behind DoS attacks often demand a ransom for the healthcare system to retrieve its data. They don’t necessarily result in exposure of patient data, but they usually derail business. Hollywood (California) Presbyterian Medical Center recently paid hackers $17,000 to free its data.
There’s also the possibility of outright manipulation of patient files and devices, the authors wrote. They cited a 2015 alert from the Food and Drug Administration (FDA) and the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team about an infusion system that could be controlled remotely by hackers.
So what should healthcare system administrators do? The authors have two recommendations: