Breaching a Hospital Network Takes Only Five Hours, Hackers Say

Breaching a Hospital Network Takes Only Five Hours, Hackers Say

Hackers claim they can breach a healthcare organization in less than five hours, according to the 2018 Black Report survey from software company Nuix. This is a significant change compared with the amount time a breach would take across all industry sectors—more than 15 hours, according to 46 percent of respondents. This echoes the healthcare industry’s longstanding issue of appearing as a soft target when it comes to cyberattacks.

For the survey, Nuix included information from meetings with professional hackers in addition to cybersecurity professionals and cybersecurity incident responders. According to the authors, “it’s insightful to get an attacker’s view of what constitutes ‘success’ when breaching an organization. Understanding this perspective has a significant impact on how organizations should defend against and respond to security incidents and breaches to their IT infrastructure.”

Information in the report includes demographics on hackers in addition to insight into hackers’ targets, techniques, and motivation. According to the survey, formal education levels were higher than expected in the survey sample: 43 percent were college graduates, 32 percent had postgraduate degrees, 19 percent had either a high school diploma or GED, and only six percent said “formal education is for suckers.” Many also held security certifications, but did not necessarily think they were a good indicator of technical ability.

Some other key points of interest in the survey include:

  • The vast majority of hackers (86 percent) reported that they hack because they like the challenge. Only 21 percent reported hacking for financial gain.
  • Across industry sectors, 46 percent of respondents said a breach takes more than 15 hours. In healthcare, 23 percent reported that it takes about five hours or less.
  • Once the perimeter is breached, 38 percent said they could find the data they wanted in less than an hour in hospitals and healthcare. The survey authors liken this issue to “candy bar security,” where all the focus is on the perimeter, and the inside is soft. The authors note that the assumption that everyone who is in the network should be there is “clearly not realistic today.”
  • A staggering 77 percent of hackers reported they are identified by their targets less than 15 percent of the time.
  • Network attacks rank as hackers’ favorite type of attack (28 percent), closely followed by social engineering (27 percent) and phishing (22 percent).
  • 90 percent of hackers report being able to cover their tracks after a breach in less than 30 minutes.
  • 74 percent of hackers said that they did not think security professionals understand what they are looking for when safeguarding their systems.

“Perhaps the key takeaway from the Nuix Black Report is that your perception and understanding of the threat landscape may be in stark contrast to reality,” the authors wrote. They recommend that organizations compare the information to their own organizational risk assessment. To access the full report, visit


Sarah Sheber is assistant editor/web editor at the Journal of AHIMA.