For medical professionals, data saves lives. For hackers, data drives profits. When one has the data, however, the other does not. This ongoing battle for access keeps healthcare providers on their toes. Cybercriminals are relentlessly trying to grab everything from your patients’ protected health information (PHI) to your email credentials to your organization’s financial records. And while the explosion of endpoints across the industry has made it easier for you to access the data you need, it’s also made it easier for hackers to do the same.
This proliferation of digital endpoints across healthcare—from electronic health records (EHR) to telehealth services to mobile health apps—has undeniably led to greater efficiencies and improvements in remote and in-person care. But these advancements have also expanded attack surfaces, giving threat actors more opportunities to access and exploit your devices.
Data Loss Due to Accidental Equipment Loss or Theft
Healthcare organizations and their staff must maintain awareness of all devices. Whether due to negligence or deliberate theft, the loss of mobile phones, tablets, laptops, USB drives, and other interconnected devices can have disastrous outcomes. A missing device doesn’t just mean lost hardware—it means sensitive data has potentially fallen into the wrong hands.
Scenario: Hot Data and Cold Coffee
Imagine a doctor sitting in a coffee shop, casually stirring her morning espresso, reviewing patient charts on her laptop. After a few sips, she receives an urgent call, telling her she needs to get to the hospital right away. She grabs her coat and rushes out of the cafe, but in her haste, she doesn’t just leave her drink behind but also her laptop. When she realizes her mistake an hour later, she hurries back to the shop, only to find cold coffee and no computer.
The choice the doctor makes next is critical. Ignoring the loss leaves sensitive data exposed to anyone with malicious intent. But if she reports the lost laptop, IT can disable the device and prevent unauthorized data access. This is important because even if the doctor somehow gets her laptop back, its data could’ve already been compromised. For instance, an attacker may have:
- Pulled the hard drive and uploaded medical records, client information, hospital billing, and other sensitive data
- Uploaded a backdoor Trojan onto the laptop and returned it to the doctor’s office in the hopes that it’ll be reconnected, exposing the rest of the hospital network to its backdoor access
- Installed a keylogger or man-in-the-middle software to track keystrokes or capture communication between the laptop and any apps or sites used
Put simply, threat actors want data because it’s currency. It can be extorted for a heavy ransom, sold online to the highest bidder, or exploited for identity theft. Though stemming from an honest mistake, the repercussions for the doctor and her practice can extend beyond financial burdens, including:
- She and other healthcare professionals struggling to deliver safe, appropriate patient care
- Increased inefficiencies in operations, which could spike mortality rates
- Patients receiving the wrong treatments or meds because of data errors
Data Loss Due to Insider Threats
An insider threat can be either accidental or intentional. An accidental leak of data can result from simple negligence. Intentional threats, on the other hand, involve individuals seeking to steal data for profit or purposefully inflicting damage upon your organization.
Scenario: One Good Nurse. One Crooked Nurse. Two Bad Outcomes.
Suppose you’re a dedicated nurse, always putting your patients first, but you’re a bit distracted one morning. It happens to the best of us. You mistakenly tap the wrong keys and misspell a patient’s email address. The name looks right at a glance, but the email goes to the wrong recipient. As a result of a seemingly small error, you disseminated personal data to a complete stranger. This was an honest mistake, and you didn’t commit the act with any intention of causing harm. This is an example of an accidental insider threat, and though it can be chalked up to simple human oversight, the consequences can still be serious. If the recipient acts with malicious intent, they might:
- Gather as much information from the PHI or personal identifiable information (PII) and conduct a vishing attempt on the actual patient—claiming to be the hospital or the insurance company—in the hopes of exploiting the data for personal gain
- Attempt to blackmail the intended patient by threatening to release personal records unless they pay up
But insider threats aren’t always accidental. Malicious insiders with legitimate access to your systems may intentionally steal data for a fast profit. Imagine a disgruntled nurse—he’s feeling overworked, underpaid, and unappreciated—stealing copies of patients’ medical records, making copies of them, and selling them online, where each record can fetch up to $1000 a pop. Insider threats are especially nefarious because they’re premeditated by people you might know and trust, yet you may not realize their intent to cause harm and compromise patient safety.
Whether the data loss is accidental or intentional, the outcome can be equally disastrous. Both types of loss highlight the need for robust security measures, employee training, and strict access controls to protect sensitive information in healthcare settings.
Why Healthcare Is Susceptible to Data Loss and Theft
According to the Department of Health and Human Services (HHS), the most common errors in healthcare data security are:
- Misdelivery: Sending emails to the wrong person (36%)
- Publishing errors: Making confidential data public (21%)
- Misconfiguration: Not setting up systems properly (21%)
- Loss: Misplacing devices and data (17%)
In healthcare, the sheer number of people involved—full-time employees, contractors, and more—means it's easy to lose track of who has access to sensitive information and how that information is handled. This makes the industry particularly vulnerable to insider threats, and they’re amplified if your organization has:
- Limited awareness: Physical security lapses, like leaving offices open or unknowingly letting unauthorized people wander in.
- Weak safeguards: Overlooking basic security measures like multi-factor authentication (MFA) and encryption.
- Insufficient end-of-life processes for devices: Not properly clearing data from devices your organization no longer uses.
- Poor social engineering training: Staff aren’t trained to spot phishing attempts or other scams.
- Blind spots in monitoring: Not keeping tabs on who’s accessing patient info and EHR systems.
- Oversharing access: Giving third-party affiliates and contractors excessive access to areas and data they don’t need.
- Sloppy data controls: Poor management of how sensitive info is uploaded, disseminated, and shared.
What You Can Do
Being vigilant is always the best step when securing sensitive data. Of course, mistakes can happen. And worse yet, no matter how aware we might be, those with malicious intent may still sneak by and get away with theft.
- Report lost or stolen devices: Tell your IT department or supervisor ASAP if something’s gone missing.
- Encrypt sensitive data: Keep your data safe when sending it to other devices. And if someone finds your device, encryption locks them out.
- Wipe data clean: Set up strict protocols for erasing data from devices at the end of their service.
- Implement security awareness training: Regularly train staff to spot potential threats like social engineering and business email compromise (BEC).
- Keep track of your assets: Maintain a detailed inventory of your organization’s devices to ensure accountability.
- Report suspicious activity immediately: Trust your gut. If something feels suspicious, it probably is. Report your concerns to HR, IT, or senior leadership.
- Screen your vendors: Verify third-party vendors are who they claim to be and limit their access based on their specific roles and responsibilities.
- Monitor equipment closely: Keep a close eye on who accesses patient info, server rooms, and EHR systems. Cut off access immediately when someone no longer needs it.
Make Security Awareness Second Nature for Your Organization
In any high-stress environment, people will make mistakes. But keeping security top of mind can mitigate risks. That’s why a robust security awareness training (SAT) program is essential. It can better help everyone across your organization identify potential threats and understand the serious consequences of data loss. By keeping your people vigilant and proactive, your healthcare organization can protect sensitive data and maintain the trust of your patients.
Huntress Security Awareness Training is a unique solution that fuses vibrant animations with science-based learning principles to help improve your organization’s security posture. Through story-driven episodes focused on data protection, Huntress SAT helps drive meaningful behavioral changes for you and your colleagues. Notable episodes include:
- HIPAA: Summarizes administrative, technical, and physical safeguards to ensure you remain HIPAA compliant
- Locking Devices: Reveals the consequences of unlocked devices
- Confidential Info: Demonstrates the importance of need-to-know access behaviors
- Insider Threat: Analyzes types of insider threats and their consequences
- Removable Media: Uncovers risks associated with removable media like USBs
- Physical Security: Helps you recognize hacker tactics and highlights your role in protecting secure areas
- Clean Desk: Reveals techniques to secure your devices from information theft
- Storing Passwords: Demonstrates best practices for storing passwords and keeping them out of the hands of bad actors
Real cybersecurity practitioners from the Huntress Security Operations Center (SOC) design each episode, fashioning them around the latest hacker tactics they observe in the wild. So as new threats face the healthcare industry, Huntress SAT will adapt to them, keeping you and your staff one step ahead.
Huntress Can Help Keep Your Data Secure in the Face of Accidental or Intentional Data Loss
The data within your systems is a goldmine for cybercriminals. If it falls into the wrong hands, the consequences can be catastrophic—ranging from financial ruin to severe reputational damage and, worst of all, compromised patient care. That’s why your team must stay vigilant against potential cyber threats.
With our 24/7 SOC and swift threat neutralization, Huntress’ managed solutions are tailored for health providers. In fact, we already secure more than 10,000 healthcare organizations. Given our track record of protecting millions of endpoints globally, we help you prioritize what matters most—patient safety.
