Why are Healthcare Organizations Targeted by Criminals?

Data Security
November 12, 2020
Healthcare Providers are a common target of attackers, but why? The answer is that the information they have is incredibly valuable.

Why are Healthcare Organizations Targeted for Cyber Attacks? 

It may be common knowledge that healthcare organizations are often targeted by hackers, but people may not always know why that is. The short answer is that healthcare organizations are targeted because the information stolen from them can be sold through cybercriminals at a higher dollar value than most other forms of data. 

Targeting of Healthcare Organizations 

The real key to why healthcare organizations are targeted more than other types of companies is that the information that they possess is much more valuable on the black market. Protected Health Information, or PHI, is the information that is found in a person’s health record and could be used to identify them. This could be anything from their full name, address, social security number, medical record number or any other form of PHI

Healthcare records containing PHI are one of the most valuable and sought after types of information that hackers look for which leads to them having a higher selling price on the dark web. There are three key reasons that medical records and PHI is so valuable to cybercriminals - the higher selling price, the long shelf life and the multiple uses for the same form of data. 

Why are Healthcare Records so Valuable? 

According to the 2018 Trustwave Global Security Report, a person’s healthcare record can be sold for $250.15 versus a single social security number would only receive $0.53 in comparison. Healthcare records are known to have a long shelf life when sold, because unlike a credit card, those affected are unlikely to realize that this has happened quickly, and therefore the information can be spread and sold further before detection. 

Beyond just the high selling prices on the dark web, health records can also be used for multiple purposes by the purchasers as they could purchase prescriptions, receive treatment or even make false medical claims using this stolen record. 

Each of these actions could have significant costly effects on the patient whose information is taken but also on the healthcare industry more broadly. Now we can see the ways in which PHI is valuable on the dark-web but we must also keep in mind that a patient’s information is even more valuable to them and the provider that they have trusted to protect it. This should remind healthcare providers that their susceptibility to cyber attacks makes their dedication to cybersecurity and HIPAA compliance all the more important. 

CyberSecurity in Healthcare

Increasing Number of Attacks 

As the years have passed and more and more of the operations of the healthcare industry have moved to an digital format, the number of breached healthcare records has trended up right alongside. Each year Verizon releases data breach reports that tell the story of that year's worth of breaches that have occurred. Between the 2016 and 2019 reports, the number of data incidents and breaches increased by 200%. 


The recent 2020 report shows that these numbers have continued to grow, now revealing a 71% increase in the number of breaches this year. With many of the challenges with COVID-19 and a work-from-home environment, organizations need to be more aware than ever that the PHI they are responsible for is completely secure and protected. 

Data Security and COVID-19 

Especially in the middle of a nationwide healthcare crisis, healthcare organizations are at an even higher risk than typically. While healthcare providers are working overtime to take care of COVID-19 patients, some of their attention may be taken away from PHI security. Since the beginning of the pandemic, the FBI has reported about 2,000-3,000 more cybersecurity complaints each day from the typical 1,000 a day. 


Many of the increased cybersecurity attacks can be explained by the hackers desire to gain information about COVID-19 related information and use these vulnerabilities to do so. It is fairly typical that any monumental event within a country would spur on a spike in cyber attacks as it has happened in the past with other events, and is happening again with COVID-19. This crisis in particular has moved most of the workforce to remote work which has presented a whole new set of challenges to staying HIPAA compliant in a work-from-home environment

The Future of Cybersecurity 

Year over year we have seen the number of cybersecurity attacks on healthcare organizations continue to increase, and there is no sign that this increase will slow down. Hackers have not only increased their attacks, but they have regularly reinvented the methods with which they infiltrate the organizations, which we can see through the increasing commonality of phishing scam emails. It is vital that healthcare providers have the necessary policies, training and technology in place in order to comply with related data security laws while ensuring that all of this important information is well protected. 

How to Protect Yourself from These Attacks 

Now that healthcare organizations understand the reasoning behind the target on their back from hackers and cybercriminals, it is important for these providers to also know how they can prevent the attack. The key for health organizations is their understanding of and compliance with HIPAA, or the Health Insurance Portability and Accountability Act of 1996. HIPAA is the legislation that lays out the physical, technical and administrative safeguards that organizations must follow in order to ensure that PHI is kept safe from attacks. These safeguards, which you can read about here, mandate that organizations take certain steps like implementing workforce training and management, limiting access to facilities or devices that contain PHI and requiring all data to be carefully encrypted. 

Due to the high value of PHI data, healthcare organizations should regularly assess the steps that they are taking to ensure the security of PHI. Although a breach of information is not entirely avoidable, it is important that a healthcare provider takes all the steps possible to lessen the risk and comply with all aspects of HIPAA. For more information on how to understand the risks associated with storing, sharing and maintaining PHI and what steps need to be taken to reach HIPAA compliance, feel free to ask Accountable, your simple HIPAA compliance software solution provider. 

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
chevron left
Expert guidance
chevron left
Build trust
chevron left
Dedicated Compliance Success Managers
chevron left
HIPAA Training
chevron left
Decrease risk
chevron left
Close more deals