Healthcare Cybersecurity | How to Strengthen Defenses Against Cyber Attacks

Threat actors are no strangers to targeting critical sectors to get what they want and the healthcare industry has long worn a target on its back. Exacerbated by the COVID-19 pandemic and its subsequent variants, hospitals and clinics have seen alarming rates of attacks in recent years with more incidents directly leading to patient endangerment.

A recent study found that cyberattacks have significantly strained healthcare providers, resulting in the following:

  • More than 20% of providers surveyed reported experience with common attacks including cloud compromise, ransomware, supply chain, business email compromise (BEC), and phishing
  • Cyberattacks have caused delayed procedures and tests, increased complications in care, and longer patient stays for 57% of the providers surveyed
  • Cyberattacks have cost an average of $4.4 million in 2022 with productivity losses totalling $1.1 million

Life-critical services and patient care are at stake when threat actors take aim at healthcare organizations. This post explains why hospitals and clinics of all sizes are so susceptible to cyberattacks and what CISOs and technical leaders can do to build up their cyber defense strategies.

Understand the Shifting Nature of Ransomware

Medical service providers present two attractive opportunities to financially-motivated cybercriminals: service disruption and data theft.

Exploiting the Fear of Service Disruption

Over the past few years, ransomware attacks have been the direct cause of many major disruptions in healthcare service. By locking out medical staff from accessing their critical tools and databases, ransomware has been responsible for canceled surgeries, delayed cancer treatments, and even an ongoing lawsuit on what is being called the first death by ransomware. In November 2022, for example, the Brooklyn hospital group was thrown into chaos as services were disrupted across its patient care facilities in the wake of a cyber attack.

Victims from this sector are reportedly most likely to pay the ransom with 61% of providers having paid out compared to an average of 46% from other industry verticals. Ransomware operators know that medical facilities face devastating consequences should they lose access to their systems.

Though CISA and law enforcement groups have issued warnings against paying ransoms, each minute without access can result in extremely dangerous situations for patients needing care. As such, threat actors continue to beleaguer hospitals, long-term care facilities, private clinics and more, marking them as high-profile targets.

Medical Data Is In High Demand

Some ransomware threat actors have understood that service disruption can be minimized by organizations that implement a good backup and disaster recovery model. File-locking can be devastating to the unprepared, but it can be mitigated against with a degree of planning.

However, hospitals and clinics especially hold mass amounts of sensitive data on their clients – data that is easily sold on dark marketplaces and used for identity theft and fraud.

The high worth  of private patient information ranging from contact details and social insurance numbers to payment data and Protected Health Information (PHI) has driven up the rate of attacks on healthcare organizations.

Attacks on healthcare from a data theft point of view has become a fast growing issue, with 297 known attacks occurring last year. In one incident in October 2022, Hive ransomware operators stole sensitive files from LCMHS (Lake Charles Memorial Hospital) belonging to 270,000 patients. The stolen data included medical records, health insurance information and payment information. Some patients’ social security numbers were also exposed.

Payment data like credit card numbers can be frozen and replaced, but medical history such as test results, diagnoses, and treatment plans cannot be removed or canceled. This data, in the hands of an opportunistic threat actor, can mean long-reaching damage for affected patients. When private health data is hacked, victims may find themselves at the mercy of targeted ransom demands and blackmail attempts.

Recognizing that data extortion can be both more profitable and less resource-intensive, some threat actors have moved to extortion-only methods. Disaster recovery plans cannot mitigate this threat, and effective defense requires having trusted security software in place that can prevent and detect initial access before data is stolen.

Outdated Systems Bear Many Low-Hanging Fruits of Access

For threat actors, outdated environments and lack of advanced security features spell opportunity for breach. In a notification to medical provider leaders, the FBI highlighted the risk that older, unpatched medical devices bring to digital systems used in hospitals and clinics.

Due to the highly specialized nature of technology in healthcare, the high cost of implementing and maintaining new systems hinders many small and medium-sized providers from upgrading regularly. Many healthcare organizations must work within limited budgets and may not have prioritized the need to update older systems.

However, when the security angle is factored into the intrinsic value of such equipment, there’s a strong argument for reassessing budgetary priorities in favor of accelerating the retirement of outdated and insecure systems.

Digitalization Doesn’t Always Translate to Full Adoption

Digital transformation in the world of health care can be very disruptive. Since the health sector is characterized by a high degree of specialization, medical professionals and organizations oftentimes work in silos.

Software introduced to solve one problem at one facility may cause issues elsewhere in the workflow; especially if they are working in collaboration with a facility that is operating on an incompatible platform. A lack of integration with existing systems can create problems with patient safety and security of medical records while bringing down staff productivity.

Reducing risk from the plethora of devices, operating systems and software in use across the organization is not a simple one-step operation, but the emergence of open XDR technology is leading to answers to problems that older technologies like SIEMs and SOARs attempted but failed to address.

Regulatory Compliance Is Ever Changing

Healthcare providers shoulder a heavy responsibility when it comes to balancing the protection of patient privacy, complying with HIPAA, GDPR, and other regulatory frameworks, and providing quality care. Cyber criminals have rushed to take advantage of providers who may have few resources and budget to juggle all of these requirements on the day-to-day.

The regulatory compliance industry is often changing, and can become a complex undertaking for even the better-funded medical service providers. In recent years alone, digitalization and the reality of COVID-19 have changed regulatory requirements, adding new and updated controls that could take a healthcare organization upwards of months to years to implement properly.

As new attack surfaces and threats arise in the cyber landscape, regulatory frameworks also adjust, making compliance a moving target for organizations in the healthcare industry.

Healthcare providers now using cloud services to securely store data in a compliant way should understand the shared responsibility model and look for cloud protection solutions to ensure that no doors are being left open.

How SentinelOne Can Help Boost Medical Service Providers Defenses

Get Streamlined Security Solution on the Device Level

Having a wide array of Internet-of-Things (IoT) devices combined with lengthy patch cycles leave endpoints vulnerable to cyberattack. As the medical service industry slowly continues to modernize their systems and tools, smart devices, laptops, and machines all add to the growing attack surface available for threat actors to exploit.

SentinelOne’s Singularity Ranger offers a simple, straightforward security solution that can protect on a device or endpoint and ensure that a full inventory of everything on a network is protected in real-time.

Rely on Frictionless Security Operations & Threat Resolution

In-house cybersecurity experts are hard to come by in the healthcare provider industry. During a potential security event, having a team of experts to analyze, triage, and neutralize any threat means providers and medical staff can continue their operations with less disruption. By preventing the initial attack from occurring, providers can protect patient and staff records, avoid delays in life-saving medical care, retain patients, and ensure no reputation-damaging downtime.

Vigilance Respond is a  24/7/365 monitoring detection and response service offering an expert team to continuously monitor an environment for early indicators of compromise (IoC). Stop signs of lateral movement before it can develop into a full blown cyber crisis.

Protect Cloud Workloads

To meet the most up-to-date regulatory requirements on data protection, many healthcare providers rely on cloud environments to store, manage, and transmit their patient’s PHI.

To get ahead of threat actors, hospitals and clinics using cloud services must fully understand how the services are being implemented and maintained. Singularity Cloud ensures visibility within the cloud so providers can see how file sharing is being done, what type of data is being stored, and what applications are connected.


As the future of healthcare moves steadily towards the digital, threat actors have seemingly locked in their sights on medical service providers globally. Organizations can’t afford to wait for the next attack, so prevention and visibility are the main goals as CISOs in this sector set out to protect patient PHI and ensure continuous care for those in need.

The responsibility of data security, complexities of regulatory compliance, risks with IoT, and the high value of PHI place CISOs in the midst of a changing threat landscape where the consequences can, at the extreme, affect patient lives.

The state of healthcare organizations do not have to remain precarious, though, and CISOs and technical leaders can work to strengthen their cyber security posture against data breaches and ransomware attacks. By implementing a single, robust security platform, providers can ensure transparency across all their critical endpoints and protect sensitive patient data from being compromised.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response.