4 K. Lung: J Extra Corpor Technol 2026, 58, 3 – 18
extracorporeal membrane oxygenation( ECMO) machines, balloon pumps, and more, some of which are essential to survival. Each connected device brings an additional access point onto the hospital network, increasing the metaphorical surface area on which a cyberattack can occur [ 5 ]. As such, the IoMT is currently one of the largest threats to hospital security [ 7 ].
Since 2014, there has been an explosion of research related to the field of cybersecurity, and with it, a discussion of why healthcare is unique in its vulnerabilities. Healthcare is one of the most targeted sectors for cybercrime due to being both high in value and relatively low in defense [ 8 ]. Healthcare records have been noted time and again as the most valuable type of personal information on the dark web. A complete set of health data can be sold for ten to a hundred times more than stolen credit card information [ 3, 5, 6, 9 – 11 ]. Unfortunately, once health data is compromised, it is not possible to restore a victim’ s privacy or undo the psychological harm done [ 3 ]. Considering the high value of healthcare data, cybersecurity is a necessity for all hospitals and perfusion teams.
For hospitals, there are a multitude of challenges associated with implementing cybersecurity. There are legacy devices, systems that are critical and must remain in use, and substantial time and resources necessary to implement cybersecurity, which can be disruptive to workflow [ 1 ]. Oftentimes, healthcare cybersecurity is seen as a compromise between patient safety and information security, and as one might expect in a patientfocused system, patient care is often prioritized at the expense of digital security [ 12 ].
Healthcare workers also tend to have a low understanding of cybersecurity and the risks that their organization faces from cyberattacks [ 13 ]. Educating employees on the importance of cybersecurity and empowering them to maintain organizational security can be one of the most successful strategies for improving cybersecurity. This is particularly effective in small organizations that may lack a well-staffed IT security team [ 2 ]. Properly emphasized, cybersecurity education contributes to the security culture of an organization, which is critical against the ever-evolving tactics of cyber criminals [ 2 ]. This article provides a historical overview of healthcare cybersecurity with recommendations for perfusion teams looking to ensure best practices for protected health information.
Background
Healthcare cybersecurity is a mix of governmental oversight, software applications, medical devices, third-party vendor connections, and human actions [ 2 ]. The term“ cybersecurity” can include more than just defense against cyberattacks. It also covers accidental or internal breaches of data that are not the result of an external force. In fact, 70 % of all data breaches are the result of employee carelessness [ 12 ], and up to 95 % of breaches within the healthcare field are from human error [ 2, 10, 13 ]. The cost of a healthcare data breach is the highest of any industry, and healthcare has held that title since 2011. In 2023, the average healthcare data breach cost $ 9.77 million, while the next costliest industry, finance, cost $ 6.08 million per breach [ 14 ]. In 2016, it was estimated that 90 % of hospitals had had one or more data breaches, and 45 % had had five or more [ 1 ]. The Poneman Institute also estimated that in 2016, there was $ 6.2 billion lost per year due to healthcare data breaches [ 12 ]. Some of this is due to the penalties imposed upon hospitals by the US Department of Health and Human Services’( DHHS) Office of Civil Rights for data breaches affecting over 500 individuals, but a much greater portion of that comes from the cost of investigation, remediation, and identity protection of affected individuals after a breach has occurred [ 6, 15 ].
Cyberattacks in general have been increasing in quantity over the past decade [ 5 ], and in 2019, 24 % of all cyberattacks were against healthcare [ 1 ]. The US DHHS reports that across all industry sectors, there have been an average of 4,000 ransomware attacks per day since 2016 [ 16 ]. Digitization of patient health records has only increased the scale of impact a data breach can have on a hospital and its patients [ 8 ].
Historical attacks on hospitals The rapid increase of reported cyberattacks on hospitals has been well documented [ 6 ]. In 2015, the healthcare giant Anthem experienced an attack that exposed 78.8 million patients’ data, a record for the 2009 – 2019 timeframe [ 7 ]. In 2016, Hollywood Presbyterian Hospital was shut down for 10 days after being hit by a ransomware attack that likely began from a phishing scam [ 6 ]. They eventually paid $ 17,000 in bitcoin to the attacker in the first highly publicized ransomware attack on a hospital [ 6, 11 ].
2017 was notable for the WannaCry attack that took out 50 National Health Service( NHS) hospitals in the United Kingdom, even though the cyberattack was not initially directed at the healthcare system [ 6, 17 ]. This attack is famous for using a weakness of the unsupported Microsoft XP operating system, which had been discontinued in 2009. WannaCry resulted in almost 20,000 canceled appointments and cost £ 92 million( 118 million USD) in lost revenue over four days [ 7 ]. By 2020, it was reported that nearly 94 % of global healthcare institutions had experienced some variety of cyberattack or data breach [ 9 ].
In 2021, a ransomware attack on the National Healthcare Network of Ireland took out all clinical and non-clinical systems [ 13 ]. A third-party website tracking device on a patient portal website caused a data breach for Advocate Aurora Health in 2022 [ 18 ]. Community Health Systems was hit with ransomware in 2023, resulting in around one million patients’ data being stolen [ 18 ]. Lurie Children’ s Hospital was hit with ransomware in 2024 [ 19 ], as was Boston Children’ s Health Physicians group later that year [ 20 ].
It is not just hospitals and associated systems that get attacked, but also third-party vendors like LivaNova, which were attacked in November of 2023, compromising patient data [ 21 ]. The nonprofit blood bank OneBlood was hit with ransomware in 2024 [ 22 ]. The Red Cross was hacked in 2022 [ 23 ], and UnitedHealth Group’ s subsidiary Change Healthcare, which primarily worked with payroll and hospital finances, was hit in early 2024. Change Healthcare’ s ransomware attack may impact up to a third of all Americans, and as of September