The transition from paper to digital systems has been massive for healthcare organizations. The fact that medical records can be accessed (and updated) anywhere, anytime allows for improved coordination between hospitals, clinics, and specialists.
At the same time, however, storing this valuable data digitally has its challenges, not least the risk of hacks and data breaches. Hospitals, clinics, and health insurance companies aren’t immune to these threats. In fact, the sheer amount of sensitive data they hold makes them prime targets for bad actors.
Research from the HIPAA Journal shows that data breaches are on the rise. In 2022, there were 720 breaches involving more than 500 records – a figure that rose to 725 in 2023, exposing a total of 133 million records. One such breach, reported in 2024, saw Change Healthcare targeted in a ransomware attack believed to have impacted 100 million individuals.
It’s with this in mind that I’ll explore the three main reasons why hackers target medical records and, crucially, what you can do to protect your data.
Reason #1: medical data is valuable
It goes without saying that healthcare organizations such as hospitals deal with huge quantities of data. Every time a new patient is admitted, so too is valuable data such as their name, address, social security number, medical history, and health insurance details. This medical data has value in a monetary sense as well as an ethical one.
When you take this into account, it’s clear that we're not talking about tens or hundreds of thousands of records – but millions, all stored in a single system. These detailed records can easily be monetized by those who have the means as well as the know-how.
It's not like you can cut off or replace these records, either, like you can if your credit card number gets stolen. Permanent details like your social security number are valuable because they can be used for long-term fraud.
In fact, a cybercriminal has all sorts of available avenues when it comes to monetizing your stolen records. The most obvious of which involves selling the data on the dark web. Stolen data can also be used for all kinds of criminal activities including identity theft, medical fraud, or even for stalking and harassment campaigns.
Healthcare organizations are often targeted in ransomware attacks due to the fact that they rely so heavily on access to their systems and the data in question.
Indeed, if a hacker conducts a successful ransomware attack and gets their hands on medical data, the organization to which it belongs might just pay the ransom because of the sensitive nature of the records.
Reason #2: reliance on unsecure networks
Hackers know that some healthcare organizations can and will fall behind when it comes to maintaining the security of their systems.
A reliance on unsecure (or simply outdated networks) can leave these systems and the data they hold vulnerable to attack.
For example, a hospital may continue to use legacy systems that are no longer supported with security updates. There can be various reasons for this, be it due to their compatibility with medical devices or because of the time and cost required to upgrade.
It’s not just the direct vulnerabilities of a hospital’s systems either. If anything, there’s a broader ecosystem of risks which includes external influences. These risks include staff members who connect unsecure devices to a health organization’s network.
It's also worth noting that medical devices, like heart monitors and imaging systems, can connect to the network and create additional entry points for hackers. Third-party vendors who work with healthcare organizations also pose a risk if their own networks aren’t properly secured.
Reason #3: medical information needs to be shared
Treating patients is a team effort – and medical information needs to be shared across teams, specialists, and sometimes organizations. In fact, the sharing of medical information can extend even further beyond this to insurers, researchers, and even patients themselves.
Unfortunately, this makes it an easier target for hackers, who can lay in wait until a prime opportunity to intercept that data arises.
The more frequently data is shared, and the more organizations that it's shared between, increases the data's exposure. In turn, this heightens the risk of the data becoming compromised.
The urgency of a hospital environment can affect the privacy of data, too, with immediate access sometimes becoming more of a priority than best security practices.
What can you do to secure your data?
Unfortunately, you and I don't have a lot of control over how healthcare organizations manage their systems. Still, there are a few things you can do to ensure that your data is as safe as it can be on your own devices:
- Use a VPN: today's best VPNs encrypt your internet traffic and make it unreadable to any third-party snoopers – including greedy cybercriminals. This ensures that all your data, including the personal stuff, is beyond the reach of anyone trying to monetize it.
- Use multi-factor authentication: make sure you have enabled two-factor authentication (2FA) or multi-factor authentication (MFA) on all of your online accounts that allow it, especially those that contain sensitive data. MFA requires you to prove multiple forms of verification to access an account – reducing the risk of unauthorized access.
- Keep devices updated: these updates contain important security patches for your devices – so don't leave them hanging. They'll make sure that vulnerabilities are squashed that, if left unchecked, could result in your data being caught up in breaches.
- Don’t reuse passwords: you can help prevent potential credential stuffing attacks by using strong, unique passwords for each of your accounts. Try to avoid using personal information (no pet’s names!) and common phrases. Instead, use a mix of upper and lowercase characters, numbers, and symbols. The best password managers can help you remember them, too.
- Don’t click on suspicious links: phishing attacks impersonate people, apps, and organizations you trust, including healthcare services. The bad actor behind a phishing attack might send you a message (via email or SMS) that looks legitimate – and urgent. The aim is to get you to click on a suspicious link and hand over your personal details that they'll then use for their own nefarious ends.