Healthcare cyber: human errors
Reinsurance-sector analysis says the costly cyber losses in healthcare are still driven mainly by human factors rather than exotic exploits. The practical problem it identifies for claims and special investigation unit (SIU) teams is slower operational recovery, along with the need for better evidence collection and more resilient workflows when human error triggers an incident. (reinsurancene.ws)

A hospital cyber loss often starts with something smaller than movie-style hacking: one fake invoice, one clicked email, or one patient file sent to the wrong inbox. Resilience said social engineering caused 88% of material losses in its portfolio in the first half of 2025, and healthcare claims looked the same. (cyberresilience.com) That is why the new warning is less about exotic software flaws and more about ordinary staff workflows. Resilience said average claim severity in its healthcare portfolio topped $2 million per incident in 2025, up from about $800,000 in 2024. (prnewswire.com)

Healthcare is unusually exposed because a clinic is not just protecting files; it is protecting billing, prescriptions, eligibility checks, and care scheduling, all of which have to keep moving every day. The American Hospital Association said the Change Healthcare outage hit more than 100 critical functions across the system and touched 15 billion healthcare transactions a year. (aha.org) When one of those systems goes down, the damage spreads long after the initial intrusion. The American Hospital Association said 60% of surveyed hospitals needed from two weeks to three months to resume normal operations after Change Healthcare’s full functionality came back. (aha.org)

That is the part insurers and special investigation teams care about: recovery is now a paperwork problem as much as a malware problem. If a phishing email triggers an outage, claims teams still need logs, approvals, payment records, and a clean timeline to prove what happened and to separate fraud from ordinary chaos. (reinsurancene.ws)

The biggest recent example was not a clever new exploit but a basic access failure. UnitedHealth chief executive Andrew Witty told Congress in May 2024 that the Change Healthcare attackers got in with compromised credentials on a remote access system that did not use multifactor authentication (MFA), the second proof of identity that a stolen password alone cannot supply; it works like a deadbolt behind a lock whose key has already been copied. (congress.gov) Federal health officials have been pushing the same lesson. The Department of Health and Human Services says its healthcare cybersecurity goals are built to reduce common email fraud, phishing, and abuse of internet-facing accounts, and it specifically calls for phishing-resistant multifactor authentication, meaning methods such as FIDO2 security keys or smart cards whose credential is bound to the legitimate site, unlike SMS or app codes that a user can be tricked into typing into a lookalike login page. (hhscyber.hhs.gov)

Healthcare also has a second human-error problem that never looks like a “hack” at first. Under the HIPAA Breach Notification Rule enforced by the Office for Civil Rights at the Department of Health and Human Services, an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless a risk assessment shows a low probability that the information was compromised, which means a mistaken email or file share can become a legal event as well as an operational one. (hhs.gov) Resilience’s own incident examples are blunt: phishing, business email compromise, vendor compromise, backup gaps, and tracking-pixel mistakes (website analytics code that sends patient data to third parties) keep showing up in real losses. None of those require science-fiction tools; they require one person, one weak process, and one busy day in a hospital or billing office. (cyberresilience.com)

So the practical fix is boring on purpose: tighter approval steps for payments, better staff training, tested backups, cleaner evidence collection, and fallback workflows that still work on paper when software fails. In healthcare cyber, the most expensive incidents are often the ones that begin with a human shortcut and end with weeks of manual recovery. (prnewswire.com)