
The Healthcare Industry and Cybercrime

The healthcare industry has always been a target for cyber criminals.


They hold sensitive personal information that criminals want, either to enable further crimes or to hold for ransom. But staff also need remote access to that information, and providers frequently use cutting-edge medical devices that may not be as secure as they could be; both factors increase the risk of a successful attack.

What’s been happening recently?

According to a study by Obrela Security Industries, 81% of healthcare organisations suffered a ransomware attack in the last year. The survey of 100 cybersecurity managers found that 38% paid the ransom to get their files back, while 44% didn’t pay and lost their data.

64% of organisations had to cancel their in-person appointments due to a cyber-attack while 65% believe that a cyber-attack on their systems could lead to a loss of life.

IBM’s X-Force Threat Intelligence Index 2022 likewise found that, although ransomware was the top threat, Business Email Compromise accounted for 25% of attacks.

IBM found that vulnerability exploitation was the top way that cyber criminals gained access to systems (59% of attacks) followed by phishing (29%) and the use of stolen credentials (14%).

The war in Ukraine prompted the NHS England (NHSE) chief operating officer, Sir David Sloman, to advise trusts to ensure their IT systems were “patched and protected, and that immutable backups are in place”. But are smaller providers doing likewise? According to Cirrus, the healthcare sector is particularly susceptible to supply chain attacks, with suppliers being an easier route for attackers into a more lucrative target. This demonstrates that cyber-attacks can and do affect organisations of all sizes.

Getting the basics right

If you’re a small healthcare provider, make sure you are not the weak link in the supply chain.

  1. Ensure all your staff are using strong passwords. This means that they are unique – not used across multiple platforms – and not easily guessable.

  2. Consider providing a password manager for your staff. Each person then remembers just one strong master password and the manager remembers the rest. Watch our short video to find out more.

  3. Enable two-factor authentication (2FA) wherever possible, and in particular on social media accounts, email, and anywhere you hold payment details. This means that if a member of staff’s username and password are leaked, criminals still cannot get into the account with the password alone. You can find more about 2FA here.

  4. Keep offline backups and test that you can restore from them. Companies falling victim to ransomware still pay criminals even though they have backups, because they have never tried a restore, and when they need the data most they find that they cannot recover it.

  5. Ensure you have anti-malware on all devices, including your phones.

  6. Train your staff to recognise common phishing attacks and to report them. Phishing is the most common form of cyber-attack, and your staff can be your weakest link or your strongest defence, but only if they know what to look out for and what to do. The ECRC can provide bespoke Staff Awareness Training through our affordable student services.

  7. Consider getting a vulnerability assessment. A vulnerability assessment looks at your internal or external network and tells you whether there are key settings that would give an attacker an easy way into your systems, and what they might be able to do once inside. If you would like more information, just contact us. We train and mentor local university students to deliver our services, so when we say they are affordable, they really are.
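As an added illustration of point 4 (this script is not from the ECRC page and is not any product's tooling): it takes a backup of a folder with tar, records a SHA-256 checksum beside the archive, and then proves the backup is usable by restoring it into a scratch directory and comparing the result with the original. It then corrupts the stored archive to show that the same check rejects a backup that can no longer be trusted. It assumes a POSIX shell with tar, sha256sum and diff available (on macOS substitute `shasum -a 256`), and the patient records it backs up are constructed sample data, not real data.

```shell
#!/bin/sh
# Added example (not from the ECRC page): back up a directory, record a
# checksum, and rehearse the restore so an untested backup is never relied on.
# All paths live in a temporary directory, so this runs offline.
set -eu

# make_backup SRC ARCHIVE : archive SRC into ARCHIVE and write ARCHIVE.sha256
make_backup() {
    src="$1"; archive="$2"
    tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")"
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
}

# verify_backup SRC ARCHIVE : succeed only if the archive still matches the
# checksum recorded at backup time AND a full restore reproduces SRC exactly
verify_backup() {
    src="$1"; archive="$2"
    expected=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | awk '{print $1}')
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $archive" >&2; return 1; }

    scratch=$(mktemp -d)          # restore into a scratch area, never over live data
    tar -C "$scratch" -xf "$archive"
    if diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        rm -rf "$scratch"; return 0
    fi
    echo "restore of $archive does not match $src" >&2
    rm -rf "$scratch"; return 1
}

# demo_backup_cycle : constructed sample records; succeeds if a good backup
# verifies and a corrupted copy of the same backup is rejected
demo_backup_cycle() {
    work=$(mktemp -d)
    mkdir -p "$work/records"
    printf 'patient-id,appointment\n1001,2024-03-01\n' > "$work/records/appointments.csv"
    printf 'constructed sample note\n' > "$work/records/note.txt"

    make_backup "$work/records" "$work/records.tar"
    verify_backup "$work/records" "$work/records.tar" || { rm -rf "$work"; return 1; }

    # simulate bit rot or tampering on the stored copy: the archive changes
    # after the checksum was recorded, so the restore check must now fail
    echo 'bit rot' >> "$work/records.tar"
    if verify_backup "$work/records" "$work/records.tar" 2>/dev/null; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    return 0
}
```

Run the verify step against the copy on the offline drive, not the live disk: the checksum recorded at backup time is what tells you the offline copy is still the one you made, and the restore into a scratch directory is the rehearsal that item 4 asks for, done before an incident rather than during one.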

Further guidance and support

The ECRC is a police-led, not for profit organisation which companies can join for free.

Our core membership provides:

· Threat alerts both regionally and nationally

· Signposting to free tools and resources from both Policing and the NCSC

· Little Steps programme – a series of weekly emails, aligned to Cyber Essentials, giving bite-sized practical information to build cyber resilience


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
