Beyond the Golden Hour: Why healthcare is uniquely vulnerable to attack
Ransomware and other system interference attacks are dangerous because they risk patients’ lives, and attackers capitalize on this risk.
In my previous piece, I outlined the idea of the “Golden Hour” and the ways in which the need to prioritize patient care makes healthcare companies a prime target for attackers looking to make a quick score.
Healthcare is unique in that downtime doesn’t just cost organizations money — it risks lives. Imagine an anesthesiologist losing access to medication dosage records mid-surgery because of a ransomware attack, putting the patient at grave risk. Attackers know this, and they are more than willing to exploit it for their own gain.
But the Golden Hour isn’t the only thing that makes healthcare unique. The industry faces a wide range of challenges that make securing systems and data difficult. What’s more, healthcare faces regulatory scrutiny that outpaces most other industries, with HIPAA penalties hanging like the sword of Damocles over any organization at risk of a breach.
Building a digital architecture that is both secure enough to withstand attacks and usable enough to avoid disrupting patient care is no small task, and the safest path forward isn’t always clear. To effectively defend against today’s threats, it’s important for healthcare organizations to understand how modern attackers operate and why the industry is particularly vulnerable.
What makes healthcare unique
Two of the biggest factors for healthcare providers are the sheer size of their attack surface and the limitations vendor restrictions place on their technology stack.
A healthcare provider needs to secure servers, laptops, phones and other user devices, just like any other business. But it also needs to protect medical equipment, patient databases, medical records, public WiFi networks, patient portals, secure facilities, narcotics storage and distribution, and more. Unfortunately, vendor lock-in is common in healthcare, and despite their sprawl, technology stacks are often built from the same cookie-cutter designs. As a result, attackers know exactly where to focus their efforts.
To function, providers need seamless integration with doctors across different facilities and practices, insurance companies, patient portals, payment providers and others, and they need to do it securely. Medical device manufacturers must heavily test (and obtain regulatory approval for) any hardware or software change, which increases cost, limits the number of solutions with which healthcare institutions can integrate, and slows vulnerability response at the device level.
A single compromised device or application has the potential to give attackers access to a wide range of systems, if sufficient protections are not in place. Unfortunately, the number of systems, devices, applications and integrations that the average healthcare provider needs to juggle creates no shortage of opportunities for security gaps, misconfigurations and other vulnerabilities.
Additionally, the 24/7/365 nature of hospitals and other healthcare settings means it can be difficult to find convenient times to take systems offline to remediate issues, even after a vulnerability is identified. The last thing a healthcare facility needs is a breach of patient records because an MRI machine wasn’t properly updated or a file transfer system has an unpatched vulnerability. Many organizations may not realize these seemingly small exposures can lead to wider breaches.
This isn’t just speculation; it’s fact. In 2022, a study found that more than half of Internet-connected devices in hospitals were vulnerable to attack, and the situation has not improved in the intervening years. In December 2023, the U.S. Government Accountability Office called poorly secured medical devices an “Achilles' heel and a blind spot for health systems,” and urged the Food and Drug Administration (FDA) to take action. And in early 2024, Change Healthcare suffered a catastrophic breach that began with compromised credentials for a remote-access portal that was not protected by multifactor authentication (MFA). Roughly a third of Americans were impacted by the Change Healthcare breach, which underscores the fact that security failures in healthcare can impact millions of lives.
The financial impact of an incident
The widespread impact of healthcare breaches has led to the industry facing a unique regulatory burden. HIPAA violations carry severe regulatory penalties: civil fines can reach $1.5 million per year for each category of violation, and criminal violations carry the possibility of jail time.
Penalties of this magnitude can create a significant financial burden for healthcare providers — and that’s before accounting for any potential legal action that the victims of a breach may choose to pursue, not to mention reputational damage incurred as a result of the incident. If patients cannot trust that their information will be protected, they may choose to pursue treatment elsewhere. This underscores the fact that even if an attack does not cause injury or loss of life, the financial impact can be severe.
To date, the Office for Civil Rights (OCR) has applied a total of $142,663,772 in HIPAA penalties, with general hospitals and private practices among the most heavily penalized. But that’s only part of the story — according to IBM’s latest Cost of a Data Breach report, the average cost of a breach in the healthcare industry is nearly $10 million, which is almost $4 million more per breach than the next closest industry. The report notes that healthcare has been the costliest industry for breaches since 2011, underscoring the ongoing vulnerability of this critical sector.
It’s clear that as the digital transformation of healthcare continues and systems become increasingly interconnected, attackers are finding new vulnerabilities to exploit at an alarming pace. Look no further than the 2023 HCA Healthcare breach, in which more than 11 million records were compromised because of a poorly secured external storage location used to format email messages. It’s a sobering reminder that even nonessential applications can lead to a damaging breach.
A ‘defense in depth’ approach
The Golden Hour provides cybercriminals with a unique form of leverage. A sprawling attack surface grants them seemingly endless opportunities to exploit exposures and misconfigurations. And a heavy regulatory and financial burden puts healthcare providers under the microscope. How can organizations in the healthcare industry be expected to defend themselves from today’s advanced attack tactics without negatively impacting patient experience?
In Part 3, I will outline how healthcare organizations can apply a “defense in depth” approach to security, limiting their potential points of failure and making life as difficult as possible for attackers.
Nick Kathmann is the chief information security officer of LogicGate.