Looking At the Year Ahead: What Can We Expect Within the Cybersecurity Landscape?

2024 was a year in which the healthcare industry suffered several blows when it came to cybersecurity. Data breaches and ransomware attacks caused significant disruptions to the daily operations of healthcare organizations with significant monetary implications.

On February 21, Change Healthcare reported a cybersecurity breach that caused prescription delays at numerous pharmacies. Many healthcare organizations struggled with cash flow, leading some to the brink of bankruptcy.

In May, one of the country’s largest health systems, Ascension, was the victim of a ransomware attack that affected its electronic health records (EHR) systems and the tools for ordering tests, procedures and medications. This caused several hospitals to go on diversion for emergency medical services.

In July, the healthcare industry woke up to a global disruption caused by a faulty software update from cybersecurity company CrowdStrike, affecting computers running Microsoft Windows. “The healthcare industry is estimated to have suffered direct losses of $1.94 billion, with an estimated average loss of $64.6 million per company,” Steve Alder reported for HIPAA Journal.

Many other healthcare organizations were victims of data breaches last year. IT departments scrambled to stay on top of an avalanche of cybersecurity attacks.

Errol Weiss, chief security officer of Health-ISAC, confirms that a greater number of cybersecurity events were observed this year than the previous year. What’s happening now, he says, is that not only hospitals but patients too are victims of ransomware attacks. The criminals will threaten to reveal private patient data if a ransom is not paid. The BlackCat ransomware group attacked Lehigh Valley Health, for example, and threatened to publish naked photos of its cancer patients. The class action lawsuit was settled for $65 million. Weiss expects to see more such attacks over the next year. “They’ll go after everything they can,” Weiss says of cybercriminals.

Asked whether he thinks federal legislation on cybersecurity measures in healthcare will be helpful, Weiss says: “Hospitals are operating on very thin margins and are finding it very difficult to invest in things that are not directly related to patient care. If we’re going to talk about any type of legislation in the future, especially in the new administration, it needs to come with adequate resources to ensure that happens.”

Weiss doesn’t believe in throwing money at the problem. He advocates bringing the right people into organizations to address problems. He believes a virtual CISO program is a way to get additional help. Weiss says there are many cybersecurity and point solution vendors. “The market is very confusing… So if you had $100 to spend on cybersecurity, where would you spend it?”

As for what to expect in 2025, Weiss points to the issue of supply chain attacks, where the level of sophistication is increasing. In this area, Weiss says, the attacks don’t seem so random, “where in many of these malware attacks, the ransomware gang sends millions of malicious emails and hopes that someone somewhere will click on something and install the ransomware.” Last year’s attacks appear to be more targeted.

Weiss anticipates that artificial intelligence (AI) will also be part of more attacks. “We’ve already seen malicious actors leveraging AI to develop zero-day attacks, which is absolutely mind-boggling because AI is being leveraged to help develop some new attack technique.” Weiss adds: “If bad guys can use AI to develop a new zero-day, I think we also need to be proactive, discover those zero-days and then defend against them.”

Jason Griffin, CEO of digital health at Nordic, agrees that the cybersecurity landscape continues to evolve. “The threat surface continues to grow.” “We are increasingly integrating not only with our electronic medical records, but also with our biomedical devices and other devices that now manage and store data that are networked across hospitals.”

Griffin says phishing and access controls are the biggest threat areas. He believes attacks will increase and continue to be successful. “The sophistication of these hackers’ tools and approaches will only grow exponentially.”

“AI,” adds Griffin, “can help those bad actors exponentially increase the number of attacks they can conduct in the environment.” Cybercriminals can attack using fabricated videos and conversations. “They will become more sophisticated now that they can generate content from an AI perspective, which is even closer to reality.”

However, as cyber attackers become more sophisticated, so do we in preventing attacks, Griffin notes. Being proactive is key to preventing these attacks, he says. He agrees with Weiss that the budget isn’t always there.

Griffin believes it would be beneficial to have more cybersecurity standards within healthcare. New York is already adopting stricter regulations by 2025.

“Healthcare providers should connect their technology and cyber teams more to the business,” Griffin advises. “Cybersecurity is becoming a patient safety issue.” It’s key, he says, for CISOs and CIOs to become more aligned with business strategy and understand the ramifications of losing system access. Being prepared is essential, Griffin says, because an attack will inevitably occur. “You can’t be prepared enough.”

“I can’t stress enough that this is not just a technical concern,” Griffin stresses, “we have to elevate the discussion to a business and strategy discussion.” “We all now have a responsibility to protect our data, to protect our patients, and protecting those patients comes in many forms and fashions.”
