Hospitals Must Treat Patient Data and Health With Equal Care

All companies are under the data privacy compliance gun — but healthcare companies have a target on their backs.

Scott Allendevaux, Senior Practice Lead, Allendevaux and Company

January 11, 2024

Stethoscope sitting on a laptop
Source: Piotr Adamowicz via Alamy Stock Photo

Hospitals are in the crosshairs: As collectors of some of the most personal and sensitive data available, hospitals are a prime target for hackers and cyberattacks. With potential regulatory penalties soaring, cybersecurity is becoming core to their entire healthcare delivery mission. Patient data needs to be treated with as much care and sensitivity as the patients themselves.

Nearly every activity in the modern world leaves behind digital footprints: what we did, where we were, and who we interacted with. But none of them are as personal as the documentation of our medical history.

As a whole, the healthcare industry is a gold mine of sensitive data, with information ranging from relatively simple billing and credit card data to in-depth medical history and treatment information. Hackers can use this data to impersonate people, infiltrate their social networks, and steal their information and finances.

As a result, hospitals are a prime target for cybercriminals; 88% of healthcare organizations reported experiencing some sort of cyberattack, and an estimated 10% of Americans have had their personal health information exposed in a healthcare-related breach.

It's not at all uncommon for hospitals to be shut down or incapacitated by highly planned and well-executed attacks. In the mildest cases, these attacks are breaches that expose patient data; in the most severe cases, hospitals are held literally hostage, unable to render lifesaving care to their most vulnerable populations. In November, emergency rooms in New Jersey were forced to turn away patients amid a cyberattack, while an attack in August took down emergency rooms nationwide.

A Scary and Costly Trend

It's a frightening trend that's costing the US healthcare system billions of dollars.

Reports estimate that the average cost of each attack is close to $5 million per hospital and can include hundreds of thousands of dollars in fines from regulators. To put that in perspective, in just the first six months of 2023, the Identity Theft Resource Center tracked 379 healthcare compromises. These attacks also bring significant reputational damage and, increasingly, lawsuits from victims whose data was exposed.

Hospitals are stuck in an ever-expanding game of cat and mouse with hackers. The last few decades have seen the digital footprint of hospitals and healthcare administrations expand as treatment has evolved, first through the regulation of digital medical records, then through the explosion of telehealth. Even hardware-based medical advancements like implanted technologies have increased hospitals' digital surface area.

With every digital expansion, a hospital system's vulnerability increases: the amount of data the hospital is responsible for grows, and so does the number of attack vectors available to hackers. It is a cybersecurity nightmare.

How Hospitals Can Better Protect Patient Data

Hospital administrators need to be aware of the scope of vulnerabilities in their system — from doctors and nurses, to third-party contractors, to hospital equipment manufacturers and programmers. Without the proper redundancies in place, every individual who can touch data represents a potential access point for a data breach or hack.

Protecting a healthcare system requires a ground-up approach to data security culture. As much as hospitals value patient care, they must also value patient data privacy and protect it with everything from back-end infrastructure systems (like having distinct networks for various hospital functions) to in-person learning and testing.

A healthy security system should establish a comprehensive data protection program through the lens of what security experts call the CIA triad:

  • Confidentiality: Is confidential information being safeguarded to ensure it doesn't end up in the wrong hands?

  • Integrity: Are there established measures and systems to thwart unauthorized data changes and processing?

  • Availability: Will critical healthcare services and facilities remain available to the healthcare professionals and patients who depend upon them?

Additionally, hospitals should be doing more to bring everyone into a culture of security. Doctors and nurses are regularly trained on new health trends and advancements, but they are far less likely to be trained on the threats they face from something as simple as clicking on a phishing email.

Hospitals should also run regular vulnerability scans and penetration tests to check that their systems can withstand cyberattacks or human error. Federal standards like the NIST Cybersecurity Framework provide guidelines for hospitals to configure systems according to best practices and benchmark security postures on a regular basis.

Critically, hospitals and healthcare systems need to do a better job of creating a system of sharing: sharing best practices, sharing threat intelligence, and sharing issues. Bolstering the collective information available to the "good guys" helps improve the overall defenses of our healthcare infrastructure.

Hospitals as Data Privacy Defenders

Hospitals stand on the front lines, not just in battling diseases and ailments, but also in safeguarding the sensitive and crucial information of every patient they serve. As guardians of this vital data, they must forge stronger defenses, cultivate a culture of vigilance, and foster collaborations that enhance collective cybersecurity intelligence.

Ultimately, by implementing a proper data protection program of policy and practice, hospitals will not only protect the invaluable data entrusted to them but also uphold the integrity and trust that form the bedrock of patient-caregiver relationships. This enhanced protection is crucial for healthcare institutions to remain unwavering bastions of care, trust, and safety in an increasingly interconnected and vulnerable digital landscape.

About the Author(s)

Scott Allendevaux

Senior Practice Lead, Allendevaux and Company

As a Practice Lead of Law and Policy at Allendevaux and Company, Scott Allendevaux assists multinational organizations in meeting complex compliance obligations in the areas of data protection and privacy law. He has over nine years of experience in developing and implementing data protection programs that align with international standards and frameworks, in addition to overseeing teams that bring together legal and technical competencies to deliver solutions that meet the needs and expectations of clients.