
Cybercriminals have their sights set on healthcare organizations, and the stakes are rising. The average cost of a healthcare breach hit $9.8 million in 2024, topping all other industries for the 14th year in a row. And these aren’t just statistics. Behind every breach is a hospital struggling to stay operational, patients facing uncertainty, and vulnerable systems containing some of the most sensitive information.
Why Is Healthcare Such a Prime Target for Cyberattacks?
Simply put, healthcare is a target-rich environment. Hospitals store a wide range of sensitive data: Protected Health Information (PHI), financial data, payment card details, banking information, Social Security numbers, insurance numbers, and medical record numbers. All of it is highly valuable to cybercriminals.
But it isn’t just the value of the data that makes hospitals the perfect target. Hospitals are critical infrastructure. When systems go down, procedures stop, patient care is delayed, and lives are at risk. From the hacker’s perspective, that makes hospitals more likely to pay ransoms quickly, and when they do, it reinforces the criminal business model.
We’re also seeing a rise in synthetic identities, where multiple data points, both real and fictitious, are combined to create a convincing but entirely fake profile. Using these synthetic identities, fraudsters can file false insurance claims, obtain treatment, and even gain access to drugs under false pretenses. These are difficult to detect and complicate everything from billing to breach response.
On top of that, technology in healthcare is evolving fast. Tools like ambient listening and automated assistants are entering clinical spaces. While they offer a vast array of benefits in clinical practice, they can also inadvertently collect sensitive information in ways staff may not expect, especially if they haven’t received awareness training.
Why Traditional Security Just Isn’t Enough
It is vital that we augment “traditional” security measures like firewalls and passwords. While these tools are still critical to securing an organization’s infrastructure, today’s threat landscape demands a more comprehensive, layered approach to security.
Take phishing attacks, for example. These attacks were previously riddled with typos and easy-to-spot, unaffiliated domain names. Now, attackers scrape information from social media and use AI to craft messages that look exactly like a legitimate business email from your colleague or someone else you know.
Technology is advancing rapidly—for both defenders and attackers. But unlike machines, people can be inconsistent. Fatigue, stress, or simple oversight can lead to mistakes, like clicking a malicious link in a seemingly routine email. These human errors are a major entry point for breaches. That’s why security awareness training remains essential: despite technical solutions, employees are still the first line of defense against cyber threats.
The Call Is Coming from Inside the House
That brings us to Zero Trust Architecture (ZTA), which takes nothing for granted. It’s like that Gen X horror movie line, “The call is coming from inside the house.” That’s the principle. ZTA doesn’t assume that a request is safe just because it comes from inside the network.
ZTA ensures that access requests are authenticated, authorized, and continuously verified, regardless of their origin. That includes:
- Micro-segmentation of networks to isolate payment systems and prevent lateral movement.
- Strong authentication, such as multi-factor authentication, that goes beyond usernames and passwords.
- Continuous monitoring and real-time response to behavioral anomalies, like suspicious access times and large data transfers.
These tools help build a system that’s resilient rather than reactive.
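To make the third bullet concrete, here is an added example (not code from the original article) of detection logic run over a constructed PHI access log. It flags two of the behaviours the article names: access by human roles outside business hours, and an export far larger than that user's own typical export. The log format, the business-hours window, the role names, and the multiplier are all assumptions for the example.

```python
"""Toy PHI access-log monitor: off-hours access and oversized exports.

Added example, not code from the original article. The log format, the
business-hours window, and the role names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: <ISO timestamp> <user> <role> <action> <records touched>
SAMPLE_LOG = """\
2024-03-04T08:12:31 jdoe nurse view 3
2024-03-04T09:45:02 jdoe nurse view 5
2024-03-04T14:20:10 jdoe nurse view 4
2024-03-05T03:17:44 jdoe nurse view 2
2024-03-04T10:02:00 bsmith billing export 120
2024-03-04T11:30:00 bsmith billing export 150
2024-03-04T15:05:00 bsmith billing export 130
2024-03-06T16:41:00 bsmith billing export 48000
2024-03-06T23:58:12 svc-report service export 50000
"""

BUSINESS_HOURS = range(6, 22)   # 06:00-21:59 is normal for clinical staff (assumption)
EXEMPT_ROLES = {"service"}      # batch/service accounts legitimately run overnight


def parse(log_text):
    """Turn raw log lines into event dicts; skips blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, records = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "records": int(records),
        })
    return events


def export_baselines(events):
    """Per-user median export size. Median, not mean, so one huge export
    does not drag its own baseline up and hide itself."""
    sizes = defaultdict(list)
    for e in events:
        if e["action"] == "export":
            sizes[e["user"]].append(e["records"])
    return {user: statistics.median(v) for user, v in sizes.items()}


def detect(events, volume_factor=10):
    """Return (user, rule, detail) tuples for each anomaly found."""
    baselines = export_baselines(events)
    alerts = []
    for e in events:
        # Rule 1: human roles touching PHI outside business hours
        if e["role"] not in EXEMPT_ROLES and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["user"], "off_hours_access", e["ts"].isoformat()))
        # Rule 2: an export far larger than this user's own typical export
        if e["action"] == "export":
            base = baselines[e["user"]]
            if e["records"] > volume_factor * base:
                alerts.append((e["user"], "large_export",
                               f"{e['records']} records vs median {base:.0f}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Two things the example shows that the bullet alone does not. The volume rule is relative to each user's own baseline rather than a single global threshold, so a billing clerk who exports 150 records at a time is not flagged while a 48,000-record export is. And the service account is exempted from the off-hours rule explicitly, otherwise nightly batch jobs bury real alerts in noise. For brevity the baseline is computed from the same window being scored; in practice it should come from a separate, trusted history so an attacker cannot shift it with a few medium-sized exports first.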
Protecting Payment Data from the Moment It’s Captured
Patients are especially concerned about their financial data, and for good reason. Nearly 60% say they’re worried about healthcare payment security, and almost a third have already received a breach notification from a provider.
As serious as this is, one simple principle can help to mitigate the risk. Don’t store what you don’t need. Minimizing interaction with “regulated” data decreases the potential attack surface within an organization and minimizes the number of “targets” in the environment.
Point-to-point encryption protects card data from the moment a card is tapped or swiped: the terminal encrypts it before it leaves the device, so cleartext card numbers never traverse or get stored on the hospital’s network. Some payment systems go one step further and hand the hospital back a billing ID or token in place of the card number. On its own the token is useless to an attacker, because only the payment provider’s vault can map it back to the card.
This approach doesn’t just improve security. It significantly reduces your PCI DSS compliance scope. If your systems never store, process, or transmit cleartext cardholder data, most of the standard’s requirements fall on the payment provider instead, and the hospital’s own obligations shrink dramatically. They don’t disappear entirely; the terminals and how they are deployed remain in scope. Even so, that’s a major win for hospitals.
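The tokenization idea above, as an added example in Python (not code from the original article or from any payment vendor): a toy vault that swaps a card number for a random, format-preserving token, returns the same token when the same card comes back (which is what makes a “card on file” work), and keeps the only mapping back to the card on the provider’s side. The in-memory dicts stand in for a provider’s encrypted, HSM-backed vault, and the index key and the test card number are constructed for the example.

```python
"""Toy card tokenization vault.

Added example, not code from the original article or any payment vendor.
The vault here is an in-memory dict standing in for a provider's HSM-backed
vault; the index key and the test card number are constructed for the example.
"""
import hashlib
import hmac
import secrets


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check-digit validation."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(pan: str) -> bool:
    """Digits only, card-length, and Luhn-valid."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)


class TokenVault:
    """Lives at the payment provider, never on the hospital network."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._pan_by_token = {}    # token -> PAN (real vault: encrypted at rest)
        self._token_by_index = {}  # HMAC(PAN) -> token, so a returning card
                                   # gets the same token (card on file)

    def tokenize(self, pan: str) -> str:
        if not is_plausible_pan(pan):
            raise ValueError("not a plausible card number")
        # Keyed hash so the index table itself does not leak PANs to a reader
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            # Random body; real last four kept so receipts can show "****1111".
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Deliberately fail Luhn so a token can never pass as a live PAN
            # downstream (a design choice for this example), and never collide.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[index] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can do this; the hospital never holds the mapping."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, expiry: str) -> dict:
    """What the hospital stores for a card on file: token plus display fields, no PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "expiry": expiry}


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-example-key")
    test_pan = "4111111111111111"  # well-known test number, not a real card
    record = merchant_record(vault, test_pan, "12/27")
    print(record)
    print("same card, same token:", vault.tokenize(test_pan) == record["token"])
```

The point to notice is what `merchant_record` contains: a token, the last four digits, and an expiry date, nothing an attacker could charge. The token is random rather than derived from the card number, so no amount of offline computation recovers the PAN from it; the HMAC index exists only so the vault can recognise a returning card without storing a plain hash of it.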
Keep It Easy for the Patient
Of course, security isn’t the only concern that patients have. They want to “pay and go,” but they also want their data protected. So, how do we strike the balance?
One answer is to work with security-forward vendors who bake protection into their payment solutions and:
- Embed secure payments into Electronic Health Record (EHR) portals so patients can view records and pay bills in one place.
- Allow patients to store a tokenized card on file for quick checkouts.
- Support modern, secure payment options such as PayPal, Venmo, and digital wallets. Wallets in particular pass the merchant a device-specific token rather than the card number, so the hospital holds even less worth stealing.
Security and usability aren’t mutually exclusive. You can have both.
Whatever You Do, Don’t Set It and Forget It
If there’s one mistake I see too often, it’s assuming that once a program is in place, it’s “done.” But security is not set-it-and-forget-it. Threats evolve constantly, particularly with the advancement of AI. That’s why you must assess risks and update your programs regularly. Ideally, these assessments occur at least annually and whenever there is a significant operational or regulatory change. Real-time analytics and AI-based behavior monitoring can also provide value here, flagging emerging risks before they become incidents.
The Golden Rules of Data Protection
Cyber threats are constantly evolving, and so must we. The right mix of tools, training, and vigilance will protect what matters most: patients and their trust.
And at the end of the day, it comes down to a few simple best practices.
- Treat patient data the way you’d want yours treated.
- Don’t store more data than you need.
- Educate and train everyone—regularly; people play a critically important role in the protection of data.
- Choose vendors wisely.
And, of course, never assume that a good solution today will be good enough tomorrow.