Security breaches in hospitals and the healthcare sector
By Eduard Bardají on Jun 19, 2023 11:00:00 AM

A few weeks ago, we published an article discussing the importance of cybersecurity in the healthcare sector due to the increase in cyberattacks targeting this industry, reviewing the most common types of malware that can affect healthcare centers, hospitals, pharmaceutical companies, or biotech firms. In this article, we want to expand on that information by examining the most frequent vulnerabilities and weak points in healthcare IT infrastructures, which can become the main cause of a virus entering a system, paralyzing operations and putting stored information at risk.
A 2022 study by Cynerio revealed that 53% of connected medical devices (IoMT) contain critical vulnerabilities that could compromise the IT security of a healthcare institution.
But…
What IT vulnerabilities should the healthcare sector address to prevent cyberattacks?
Outdated software
Outdated software is one of the main causes of malware entering an IT system. Updates are improved versions of a system's functions, including its cybersecurity measures. New cyberattacks appear every day and are becoming increasingly sophisticated; as technology evolves, so do the attacks. Each update includes specific security measures, but these can quickly become obsolete when a previously unknown attack emerges (a zero-day attack). That's why it's important to always run the latest system version and apply updates as required.
The same applies to operating systems such as Windows as well as to individual applications and programs. Updates are not meant to be inconvenient; they exist to ensure proper operation, performance, and security.
Obsolete data storage methods
Using Excel or outdated software can be a security risk, as these tools may not meet current needs. In healthcare centers, data collection is typically done through forms. Historically, this data was managed using Excel or very basic programs with limited IT security. Larger institutions updated their software and data storage methods years ago; however, smaller centers often do not follow required security protocols or use state-of-the-art tools that ensure higher information security.
Lack of anti-phishing measures
Phishing is one of the methods most commonly used by cybercriminals and has a high success rate for infecting IT systems. The problem with this type of attack is that it usually succeeds through human error, such as a staff member clicking a malicious link or downloading an infected file, which allows the malware delivered by the phishing message to enter a computer and spread quickly to other devices in the organization.
When this happens, hospital or healthcare center operations are affected, potentially halting consultations or forcing the postponement of surgeries and appointments. This creates a serious risk to patient health, which could be prevented by implementing anti-phishing solutions to filter emails.
Failure to perform regular system monitoring
One of the main tasks of any company’s IT department, whether in healthcare or another sector, is to periodically monitor IT systems to ensure proper operation and performance. This is a technical task that requires time and is sometimes neglected due to time constraints.
Not having a cybersecurity specialist on staff
Having an IT technician does not necessarily mean they are knowledgeable in IT security. They may have some understanding, but cybersecurity is a completely different specialization within IT. Having a cybersecurity expert ensures that the healthcare center’s IT infrastructure is properly managed and that cyberattack risks are minimized. Cybersecurity professionals specialize in identifying vulnerabilities, weak points, and system breaches and implementing the best solutions to address them. Not all security solutions are suitable for every system or protect in the same way. Each infrastructure is different, so the measures implemented must be tailored to each one.
Lack of staff awareness and training
Non-technical users or those not accustomed to working with new technologies, beyond email or Microsoft tools, may not be aware of current IT security threats. This lack of knowledge can be disastrous, as employees are more likely to fall victim to cybercriminal tactics, such as identity theft.
Cybersecurity training is essential to prevent human error, enabling healthcare staff to detect threats in time.
Absence of multiple backup copies
To ensure data security and allow for quick recovery in case of loss, it is recommended to maintain more than one backup, updated frequently. The lack of updated backups increases the likelihood of losing critical information.
Need help minimizing the risk of a cyberattack? At ESED, as cybersecurity specialists who have worked with various companies in the healthcare sector, we understand the importance of security in healthcare. That is why we use an ethical hacking strategy consisting of two practices: ESED Attack, which involves launching controlled attacks on a system to assess its cybersecurity level.