Doctor health institution healthcare
12 April 2021 / Elaboration

Why 88% of cyberattacks are aimed at the healthcare industry

Organisations in the healthcare industry are not sufficiently prepared to deal with cyberattacks. Hospitals are at risk, but retirement homes are as well: phishing ails everyone.


September 2020 will forever be remembered for a sad first: a hospital in Düsseldorf became the scene of the first (confirmed) death directly related to a cyberattack. Because ransomware, which had entered through a simple phishing email, had laid waste to the institutions IT systems, healthcare providers were unable to register new patients in emergency room. The woman was transported to a nearby facility but did not make it alive.

Hospitals are often a beloved target for cyberattacks. This year, in the U.S. and the Czech Republic amongst others, many hospitals and entire healthcare groups fell victim to hackers. In March, several European governments went so far as to issue official warnings to every healthcare facility in their country.

But hospitals are not the only targets: in January 2020 the city services of Belgian city Willebroek were out of order for over a week after a successful ransomware attack had entered the network through a retirement home.

Why target hospitals?

There is no type of organisation where the phrase ‘critical infrastructure’ rings more true than in the healthcare industry. As the Düsseldorf example show: if patients do not get the help they need because IT systems are out of order, people could die. Hospitals need their networks and devices to quickly share information between doctors and nurses and to make sure important, life-saving equipment keeps running.

If this kind of organisation is missing decent backups, or cannot flip the situation promptly, temptation soon arises to pay the ransom. It is understandable: their first priority is to save lives. If an organisation has no other alternative than to pay up, it becomes the perfect target for hackers.

Furthermore, hospitals are often a part of larger healthcare providing associations. In Belgium or the Netherlands, such groups are limited per region, but in the UK or US, these associations can comprise up to hundreds of hospitals and similar organisations. If a hacker gets a foot through the door at one of these institutions, he can easily use it as a launching pad to infect colleagues from other organisations – then it becomes spear phishing.

American research shows that no less than 88% of all ransomware attacks are aimed at hospitals. Sooner or later, one is bound to slip between the cracks of even the most distinguished cybersecurity system.

Hackers are taking full advantage of the worldwide crisis to bombard healthcare workers with false information about the virus.

Why target retirement homes?

Early 2020 a phishing email surfaced in a retirement home in Willebroek, Belgium. Before anyone knew what was happening, every computer in the city services network was down. The case escalated quickly, proving once again that there is no stopping a hacker once he has accessed the network.

A retirement home is an interesting target because it is connected to a plethora of alluring new targets. In this case: the city services or retirement homes and hospitals within the same association.

Coronavirus danger

The coronavirus pandemic has contributed to the current excess of cyberattacks aimed at the healthcare industry. From our own simulations, we notice that fake news reports – or mimicked government guidelines – are consistently making up the top three of most successful phishing attempts. Corona related items are thriving. It is only natural: people are curious and want to be informed, they have a clear need for transparency and sometimes insecurity takes over the rational mind.

Many European governments have already sent out warnings concerning this threat: healthcare professionals are suffering from high work pressure, leading to a decline in attention for IT security. Hackers took full advantage of the worldwide crisis to bombard healthcare workers with false information about the virus. In, amongst other countries, the Czech Republic and the US this lead to extremely successful ransomware campaigns. Furthermore, the threat is only becoming larger.

Who is vulnerable?

It is a myth that only members of staff without any real anti-phishing training would be vulnerable to hacking attempts. Our data proves that everyone is at risk, nurses as well as doctors or administrative personnel. These days, phishing is simply too cleverly worked out; you need a well-trained eye to spot the differences.

That makes it a big mistake to assume it is only low-skilled employees who are vulnerable to cyberattacks. Let’s take a look at a hospital’s situation: administrative personnel are probably less likely to fall into a trap because they come into contact with phishing a lot more than highly-trained doctors. Doctors’ priorities are, of course, very different, which makes them the more-likely victims. Besides: research suggests that anti-phishing training starts to wear off after just one month. Regular training has to be a prerequisite.

In order to truly learn, people need repetition.

What can you do?

People are the weakest link in cybersecurity. To mitigate as many risks as possible, it is necessary that everyone within an organisation receives regular training to uphold their digital hygiene. A seminar or workshop is a good start, but nothing beats the real deal: coming into contact with actual (simulated) phishing attempts.

In order to truly learn, people need repetition. This is the only way they can gain the necessary experience to recognise threats and to learn how to deal with them or what they need to do in case of a data breach. Every profile in an organisation can benefit from such training, from administrative personnel to surgeons.

That is where Phished comes in. Aided by our automated phishing platform, over 50,000 daily users are already sharpening their anti-phishing skills. Learning how to recognise and deal with every type of phishing in the book.