Healthcare has a target on its back for cyber criminals, thanks to outdated systems, fewer IT staff, fewer cybersecurity protocols and extremely sensitive data, according to global cybersecurity experts Fortinet.

“Recent cyberattacks have highlighted the vulnerabilities faced by New Zealand’s healthcare providers,” says Steven Woodhouse, Field Chief Information Security Officer, Australia and New Zealand, Fortinet. “When healthcare services stop, the consequences can be life and death. Phishing scams, viruses, malware-infected medical devices, and ransomware – the adverse effects can be severe.”

The healthcare organisations were the predominant targets of the 400-plus local cyberattacks in the 2021-22 financial year, says the National Cyber Security Centre. Their 2022-23 report also identifies the healthcare sector as among the most impacted globally, reflecting the complex international cyber threat landscape.   


By the numbers in NZ’s no.1 risk sector

Healthcare has the highest cybersecurity risk from insider threats.


$10.1 million - the average cost of a healthcare cybersecurity breach.


13 per cent of all firms detected ransomware in the first half of 2023, according to the Fortinet Global Threat Landscape Report.


50 per cent of ‘prepared’ businesses were victims of ransomware.


78 per cent of business leaders claimed their enterprises were prepared for a ransomware attack, but half still fell victim to them, according to Fortinet research.


20 per cent – the annual growth rate of connected medical devices.


20 per cent - the internet of medical things (IoMT) is projected to grow by this amount each year to 2030, including remote healthcare, patient monitoring and wearable medical devices for instance.


The human element is a major vulnerability – people in the sector often work long hours in challenging conditions and may be battling fatigue. Medical doctors in Aotearoa, for instance, have twice the risk of burn-out as professionals in other sectors, according to recent research by Massey University.  

In a New Zealand Herald special investigation in July, headlined “Everyone’s getting burnt out. We’re exhausted”, healthcare staff warned stress becomes a vicious cycle. Burnout leads to more staff calling in sick, which leads to heavier workloads, which leads to people leaving, which leads to bigger deficits. Overworked staff don’t have the time, skills, or mental energy to provide good care. Mistakes creep in. Adverse events happen.

That kind of tiredness and stress is not a comfortable backdrop for cybersecurity. Woodhouse says 82 per cent of all global cyber breaches have a human factor: “Phishing, reusing passwords, and system admins not following processes, for instance. Reusing passwords is responsible for around half of that 82 per cent.”

However, Woodhouse says the blame doesn’t fall at the feet of individuals. These human errors often arise because security processes make life too difficult for the non-IT people within an organisation. Cyber resilience can be boosted by working closely with healthcare teams to make safe practices easier and more automatic.

Human-centric design 

It’s all about human-centric design, says Woodhouse. By involving healthcare professionals in developing security protocols, team members are more likely to make a conscious effort to comply.

“Healthcare is one sector where people already have a lot of training on their plates and they have major responsibilities to maintain,” says Woodhouse. “Asking them to add in cybersecurity training as well takes a bit of psychology. Nurses and doctors are busy, so we need to make their lives easier and involve them in what we design and how we do it.

“We need to ask people, ‘How will this impinge on your day? How can it work for you and still achieve the outcomes we’re trying to achieve?’”

The potential pay-off for any healthcare organisation is substantial. If 82 per cent of breaches are down to human error, and half of those are related to password reuse, then just stopping your team from reusing passwords could considerably improve cyber resilience.

“Nobody can remember complex passphrases with upper case and lower case letters and special characters,” Woodhouse adds. “We give them a password safe with multifactor access. We give them more training on identifying dodgy links. When people are more involved and they participate in designing the processes, we’re much more likely to succeed.”

Preventing cyberattacks

Cybersecurity is paramount for the healthcare sector because it must provide uninterrupted services – disruptions can have life-threatening consequences. By creating human-centric security processes and systems, an organisation can help to reduce the risk of a breach.

“There are three pillars of cybersecurity: people, process and technology,” says Woodhouse. “There’s plenty of good technology to help the healthcare sector with security, and most processes can be simply documented. It’s the people pillar that is going to make the biggest impact on defence and security. It’s essential that you have a team of willing participants, not just observers.”


Take this non-intrusive, complimentary cyber threat assessment and discover how to enhance visibility and control to reinforce cyber resilience in your healthcare organisation. 


Top 7 areas where healthcare organisations can increase cyber resilience:
  1.  Network latency: ensuring patient data is protected, but accessible.  
  2. Data integrity: reducing risk by addressing incorrect or incomplete data.
  3. Operational efficiency: securing digital innovations shouldn’t impair operational efficiency.
  4. Physical distribution of sites and partners: monitoring and securing data across networks.
  5. Cost: managing cybersecurity on a tight budget.
  6. Compliance reporting: adhering to a patchwork of privacy laws and regulations.
  7. Securing operational technology: connected devices often lack security and may be vulnerable.