4 common cybersecurity flaws in healthcare organizations

By Hoala Greevy
January 18, 2022

Cybersecurity is more than meets the eye. Proper security contains several layers, including adequate training and technology, to meet HIPAA compliance guidelines. Healthcare organizations are responsible for implementing robust cybersecurity strategies to prevent cyberattacks.

The healthcare industry claims to prioritize cybersecurity efforts, yet 18% of organizations allocate only 1-2% of their IT budgets to cybersecurity. Covered entities that choose not to prioritize proper cybersecurity leave themselves vulnerable to increasingly prevalent cyberattacks.

Healthcare-related cyberattacks can be attributed to several factors. A lack of employee training increases the likelihood of human error, and portal-based communication is only as secure as a patient’s email account. Neglecting two-factor authentication makes account compromise easier, and not having a business continuity plan affects an organization’s ability to recover. Here are four aspects that leave healthcare organizations vulnerable to attacks.

Inadequate cybersecurity training

Employees are often unaware of their role in data breaches, making them one of an organization’s most prevalent security risks. In fact, human error accounted for 33% of healthcare breaches in 2020 alone. A lack of proper cybersecurity training places a target on healthcare organizations big and small.

HIPAA encourages covered entities to train employees to recognize, report and respond to cyberattacks. A recent study by The Advanced Computing Systems Association found that, with proper training, employee threat detection rates increased nearly 20%. Yet, while the average healthcare professional receives 12 years of training before entering the field, 32% of employees claim they never received cybersecurity training from their healthcare system.

Healthcare providers must protect their network with ongoing cybersecurity and HIPAA compliance training, including lessons on recognizing cyber threats and keeping protected health information (PHI) secure. With proper training, employees are more likely to identify and respond to attacks, such as display name spoofing or phishing emails containing ransomware, before it’s too late.

Using portal-based email

HIPAA requires healthcare providers to safeguard electronic protected health information (ePHI). With this in mind, healthcare professionals often rely on patient portals to send and receive ePHI. Not only do portals make it more difficult for patients to access messages from their provider, but security depends on the users as well.

Patient portals work by keeping communication between provider and patient within a portal’s boundaries. The sender and receiver must log into the platform to read and respond to messages from their doctor. Keeping ePHI behind a portal’s walls can protect information from common cyberattacks, but hackers know about the various ways providers share ePHI with their patients. Suddenly, the target shifts from provider to patient. A patient’s ability to keep logins and passwords safe is key.

More than 60% of people admit to regularly reusing passwords across multiple sites, which enables hackers to infiltrate multiple accounts with one stolen password. According to the Verizon 2021 Data Breach Investigations Report, 61% of breaches result from compromised credentials. 

One option for security professionals within healthcare is to advocate for communication with patients regarding password privacy and security measures.

Instead of placing the weight of keeping ePHI secure on patients, another option is for healthcare providers to leverage email encryption to send HIPAA-compliant email. Email encryption can ensure the safety of ePHI in transit and at rest and eliminates the need for logins and passwords.

Neglecting two-factor authentication

A security feature like two-factor authentication (2FA) can seem cumbersome and unnecessary, but skipping a second step to verify user identities leaves passwords, patient information and organizations vulnerable to cyberattacks.

According to a recent Google study, only 37% of Americans use 2FA. And last year, Microsoft reported that more than 99.9% of compromised accounts lacked multi-factor authentication. A lack of security increases the likelihood of network security breaches.

2FA is one of the most effective ways to reduce risk and safeguard PHI against cybercriminals, as it requires a user to present a second proof of identity beyond the password. Security questions and PINs are common tactics. Having 2FA requirements makes it difficult for a cybercriminal to gain unauthorized access to an account and, in turn, an entire organization.

Not having an attack strategy

A healthcare organization’s goal is to minimize risk and avoid becoming a victim of a cyberattack, but not all security strategies are airtight, and providers must know how to react if hackers compromise patient data.

The average time to contain a healthcare-related data breach is 287 days, 75 of which an organization spends attempting to stop the attack and control the damage. Since January 2021, the average healthcare data breach has cost providers approximately $9.32 million per incident. This estimate does not include fees levied by the Office for Civil Rights for HIPAA violations. Time and money spent on resolving a breach can significantly impact a provider’s ability to serve a community and its patients.

With more than 2,200 cyberattacks happening each day, providers must establish a business continuity plan (BCP) before falling victim to a breach. A BCP is a process for covered entities to discover, avoid and mitigate system risks and often includes a disaster recovery plan if a breach forces a network out of service.

To establish a BCP, providers must:

  • Oversee a business impact analysis (BIA) to identify the impact of a cyberattack, such as lost income, spending increases and customer dissatisfaction
  • Determine how an organization can and will operate at a minimal level if a breach were to occur
  • Devise a disaster recovery plan to restore systems and evaluate the immediate impact

Understanding how an organization will respond during an attack makes it easier to restore operations and networks and focus on a swift and efficient recovery process.

Twenty-four million Americans had their PHI stolen in 2020 as a result of 505 reported healthcare data breaches. Organizations that neglect to enhance their cybersecurity measures will only add to the number of data breaches now and later. By diligently training employees, enforcing 2FA, leveraging email encryption and preparing an attack strategy, organizations can better prepare to address the ever-present threat of cyberattacks and protect their ability to serve their patients.

KEYWORDS: cyber attack cyber security initiatives data breach costs email spam health care security healthcare cybersecurity patient safety two-factor authentication


Hoala Greevy is the Founder and CEO of Paubox. Greevy has 22 years of experience in the email industry, dating back to his first job out of college at Critical Path in San Francisco in 1999. Prior to founding Paubox, Greevy started Hawaii's first Software as a Service (SaaS) company, Pau Spam, in 2002. Greevy holds two patents related to email security and graduated from Portland State University with a B.S. in Geography and Social Sciences.
