Healthcare Cybersecurity: Risks and Solutions

Cybercrime costs the U.S. economy billions of dollars each year—and healthcare organizations are the most frequently attacked form of business.[1] In fact, in 2017, more than half of all cyberattacks were directed against the healthcare sector.[2] Cybercriminals target healthcare for two main reasons: healthcare organizations fail to upgrade their cybersecurity as quickly as other businesses, and criminals find personal patient information particularly valuable to exploit.


How Cyber Breaches Happen

The theft of unencrypted electronic devices or physical records is the most common method of breach, accounting for 29 percent of breaches across all industries in the United States.[2] Also common are hacking (23 percent) and public distribution of personal records (20 percent).

Cybersecurity is no longer just an IT issue—every employee needs to do their part. Ninety-five percent of successful breaches occur because an employee clicks a malicious link.


Ransomware attacks, in which a business's or individual's computer system is held hostage by cybercriminals, are also on the rise in hospitals and medical practices. Preparation and prevention are key for these types of attacks—if not prepared, a hospital system will have only two options: pay or lose patient information.


The Repercussions of a Breach

The repercussions of security breaches can be daunting. A business that suffers a breach of PHI must report the breach to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. To date, the OCR has levied over $78 million in fines[3]—more than tripling the $25 million in fines it had levied as of 2014.[4] In 2017, U.S. healthcare data breaches cost companies an average of $380 per record—the highest of any industry.[5]

A healthcare organization's brand and reputation are also at stake. The OCR maintains a searchable database (informally known as a "wall of shame") that publicly lists all entities that were fined for breaches that meet the 500-record requirement.[6]

Beyond the financial and security risks, cyberattacks can also compromise patient safety and quality of care.


How to Protect Your Practice

  • Identify all areas of potential vulnerability. Develop secure office processes, such as:
    • Sign-in sheets that ask for only minimal information.
    • Procedures for the handling and destruction of paper records.
    • Policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
  • Encrypt all devices that contain PHI (laptops, desktops, thumb drives, and centralized storage devices). Make sure that thumb drives are encrypted and that the encryption key or password is not written on or stored with the thumb drive. Encryption is the best way to prevent a breach.
  • Train your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to openly discuss patient PHI.
  • Audit and test your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach. The OCR audits entities that have had a breach, as well as those that have not. The OCR will check if you have procedures in place in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine.
  • Insure. Make sure that your practice has insurance to assist with certain costs in case of a breach.



Additional Cybersecurity Resources

American Hospital Association
Cybersecurity Resources

National Institute of Standards and Technology
Cybersecurity Framework

Security Risk Assessment

U.S. Department of Health and Human Services
Addressing Gaps in Cybersecurity: OCR Releases Crosswalk Between HIPAA Security Rule and NIST Cybersecurity Framework.

DHHS Office for Civil Rights
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework


  1. Top 5 industries at risk of cyber-attacks. Forbes. May 13, 2016. Accessed July 16, 2018.
  2. Giandomenico A. Identifying security priorities to address new healthcare cyber threats. CSO. June 29, 2018. Accessed July 16, 2018.
  3. Enforcement results as of May 31, 2018. U.S. Department of Health and Human Services Website. May 31, 2018. Accessed July 17, 2018.
  4. McCann E. Hospitals fined $4.8M for HIPAA violation. Government Health IT. May 9, 2014. Accessed July 16, 2018.
  5. Snell E. Healthcare data breach costs highest for 7th straight year. Health IT Security. June 20, 2017. Accessed July 17, 2018.
  6. Breaches affecting 500 or more individuals. U.S. Department of Health & Human Services Website. Accessed July 17, 2018.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.


Cyber Liability Protection for Members

Medical malpractice insurance from The Doctors Company automatically includes CyberGuard® cyber liability coverage, which protects doctors against regulatory and liability claims arising from the theft, loss, or accidental transmission of patient or financial information, as well as the cost of data recovery.
