Human error in healthcare: The hidden cybersecurity risk

Hacking/IT breaches affected approximately 170 million people in the U.S. in 2024, compared to 160 million in 2023. A considerable proportion of this growth in cybersecurity incidents has been concentrated on medicine and health.
In an era where digital transformation is reshaping multiple industries, the healthcare sector, in particular, stands at a critical point. As medical organizations increasingly rely on digital systems to enhance patient care and operational efficiency, they face significant cybersecurity challenges.
As an example, in 2024, the largest resolved healthcare breach in the U.S. occurred in Arizona, affecting 2 million individuals’ health information due to a cyberattack on the Medical Management Resource Group. The largest potential breach, impacting up to 100 million people, was reported in July and is still under investigation.
Counting affected individuals relative to state population, Minnesota would lead the list among the 50 states and the District of Columbia in 2024. Its residents could theoretically be counted as affected by hacking/IT incidents approximately 17 times, largely because of the breach reported in July that accounted for 100 million individuals.
A study by Surfshark has delved into the landscape of healthcare cybersecurity, revealing the vulnerabilities and threats that compromise patient data and disrupt essential services.
As Miguel Fornés, cybersecurity expert at Surfshark, explains to Digital Journal: “What does a hacking incident mean for a hospital? The reality is that these attacks on hospitals and healthcare systems are a serious threat to international security. They jeopardize lives, destabilize societies and often occur due to human error. Such attacks can delay emergency care, cancel surgeries, and postpone important medical treatments.”
Fornés continues: “Additionally, they breach extremely sensitive healthcare records, including patient history, social security numbers, or payment details, which may directly backlash in the shape of denial of health insurance, job discrimination based on health conditions, or medical identity theft. Arguably this type of data breach is the worst one can face, and its consequences are very long-lasting, as it cannot be resolved with a simple password change.”
In 2024, hacking/IT incidents emerged as the most prevalent type of breach in the U.S. healthcare sector. Over 80 percent of reported healthcare data breaches affecting 1,000 or more individuals fell into this category, including both resolved cases and those still under investigation. In contrast, in the UK, the Information Commissioner’s Office (ICO) reports that in 2024, 25 percent of all health sector breaches affecting 1,000 or more individuals were categorized as cyber incidents.
In terms of areas of weakness, network servers were the most vulnerable location for healthcare data in the U.S., featuring in nearly 80 percent of analysed hacking/IT incidents in 2024. Email was the second most frequently identified location, appearing in more than 20 percent of breaches.