Why is healthcare so vulnerable to cyber attacks?


Cybersecurity is surely an issue that plagues every industry. One of those most at risk – and most pertinent – is the healthcare industry. Ransomware attacks in the past have shown the many flaws that exist in the industry – but why is healthcare so prone to cyber-attacks? And what can be done to stop them?   

The healthcare sector relies heavily on complex - yet vulnerable - systems.

The problem 

Unlike many other industries, IT system outages in the healthcare sector can be a life-and-death situation. Practitioners often make use of complex technology to deliver the appropriate care to patients, something which cannot be relied upon when threatened by a cyber-attack.

Further to this, there have already been a number of high-profile ransomware attacks on healthcare providers in the UK. In 2017, the WannaCry ransomware attack on the NHS cost it nearly £20m in service outages, forcing it to spend nearly £70m on reassessing its IT systems.

The Health Service Executive (HSE) of Ireland was also the victim of a ransomware attack in May 2021. This led to hospital appointment cancellations across the country, electronic health records (EHRs) becoming inaccessible, and radiology systems going down.

Why is healthcare so vulnerable?  

According to an article by, the matter can largely be broken down into four constituent reasons:  

  1. An incredibly complex supply chain 

Healthcare providers don’t just have their patients to think about. They must consider the sourcing of cleaning supplies, high-tech machinery, climate-controlled drugs and many other assets. This inevitably leads to a decentralised payment and procurement process whereby many different processes happen simultaneously. Enforcing security across a system like this proves very difficult, but not impossible with the right funding and a holistic approach.  

  2. Data-driven healthcare

Digitising patient data has come with a whole host of benefits, ensuring it is always up-to-date, easily shared/communicated between departments, and readily available to any practitioner that might need it. Unfortunately, all the attributes of a data-dependent environment also lead to its downfall – easily accessible, up-to-date information ready to download. Cyber strategies will need to develop in tandem with increased digitisation in order to ensure its safe continuation.

  3. Internet-based and outdated devices

Many devices used in the healthcare sector are connected to the internet for the obvious reasons of ease of use and increased communicative ability. Each internet connection, however, introduces another entry point for a hacker. Further to this, many medical practices still run on legacy software such as Windows 7. And, while some of us can remember this being released, the fact is that older software is much more vulnerable to attack as it has less (or indeed no) dedicated support.

  4. Overworked staff

Medical staff are known worldwide for working exceptionally long hours. This was only exacerbated by the COVID pandemic, which thrust an extra workload upon all medical staff and then burdened them with a backlog of COVID-deferred patients. Human error is one factor here, but so is the genuine lack of time to properly train staff on cybersecurity best practices.

Final thoughts 

Ensuring a cyber-secure healthcare system is no mean feat. It will take a massive amount of time and investment, coupled with a renewed strategic focus on preventing further attacks. Bad actors will always be a threat, but the technology exists to mitigate a lot of these risks – it just needs the right investment.



By Rebecca Garland on 26/04/2022