In 2024, the healthcare industry took several blows on the cybersecurity front. Data breaches and ransomware attacks caused major disruptions in the daily operations of healthcare organizations, with significant monetary implications.

On February 21, Change Healthcare reported a cybersecurity breach that caused prescription delays for numerous pharmacies. Many healthcare organizations struggled with cash flow, pushing some close to bankruptcy.

In May, one of the nation’s largest health systems, Ascension, was the victim of a ransomware attack impacting Ascension’s electronic health records (EHR) systems and its tools for ordering tests, procedures, and medications. This caused several hospitals to go on diversion for emergency medical services.

In July, the healthcare industry woke up to a global outage caused by a faulty software update by cybersecurity firm CrowdStrike affecting computers running on Microsoft Windows. “Healthcare is estimated to have suffered direct losses of $1.94 billion, with an average estimated loss of $64.6 million per company,” Steve Alder reported for the HIPAA Journal.

Numerous other healthcare organizations were victims of data breaches this past year. IT departments scrambled to stay on top of a barrage of cybersecurity attacks.

Errol Weiss, chief security officer at Health-ISAC, confirms that a higher number of cybersecurity events were observed this year than the year prior. What’s happening now, he says, is that not only hospitals but also patients are victims of ransomware attacks. Criminals will threaten to release private patient data if a ransom is not paid. The ransomware group BlackCat attacked Lehigh Valley Health, for example, and threatened to release nude pictures of its cancer patients. The class action suit was settled for $65 million. Weiss expects to see more of these types of attacks in the year ahead. “They will go after whatever they can,” Weiss says about the cybercriminals.

To the question of whether he thinks federal legislation on cybersecurity measures within healthcare will be helpful, Weiss responds, “Hospitals are operating on razor-thin margins as it is, and it is very difficult for them to invest in things that aren’t directly related to patient care. If we’re going to talk about any kind of legislation moving forward, especially in the new administration, it needs to come with the adequate resources to make sure that that happens.”

Weiss doesn’t believe in throwing money at the problem. He advocates getting the right people into organizations to address issues. He believes a virtual CISO program is a way to get additional help in. Weiss says there are a lot of cybersecurity vendors and point solutions. “The market is very confusing…. So if you had $100 to spend on cyber security, where would you spend that?”

As to what to expect in 2025, Weiss points to the issue of attacks on the supply chain, where the level of sophistication is increasing. In this area, Weiss says, the attacks don’t seem so random, “where many of these malware attacks, the ransomware gang will send out millions of malicious emails and hope that they get somebody somewhere to click on something and install the ransomware.” The attacks this past year seem to be more targeted.

Weiss anticipates artificial intelligence (AI) will also be part of more attacks. “We’ve already seen the talk about malicious actors leveraging AI to develop zero-day attacks, which is absolutely mind-boggling because you leverage AI to help develop some new attack technique.” Weiss adds, “If the bad guys can use AI to develop a new zero-day, I think we’ve got to also be proactive, finding out those zero-days, and then defending against those.”

Jason Griffin, managing director of digital health for Nordic, agrees that the cybersecurity landscape continues to evolve. “The threat surface continues to grow.” “We become more and more integrated with not just our electronic medical records, but our biomedical devices and other devices that are now managing and storing data that are networked across every hospital.”

Griffin states that phishing and access controls are the biggest areas of threats. He believes attacks will rise and will continue to be successful. “The sophistication of the tools and the approaches by these hackers will only grow exponentially.”

“AI,” Griffin adds, “can help those bad actors grow exponentially the number of attacks that they can put into the environment.” Cybercriminals can attack through fabricated videos and conversations. “They’re going to get more sophisticated now that they can generate content from an AI perspective, that is even more close to reality.”

However, as cyber attackers become more sophisticated, so do we in preventing the attacks, Griffin notes. Being proactive is key in preventing these attacks, he says. He agrees with Weiss that the budget isn’t always there.

Griffin believes that more standards in cybersecurity within healthcare would be beneficial. New York is already adopting more stringent regulations going into 2025.

“Healthcare providers should connect their technology, and cyber teams should be connecting more with the business,” Griffin advises. “Cyber security is becoming a patient safety issue.” It’s key, he says, that CISOs and CIOs align more with the business strategy and understand the ramifications of losing access to the system. Being prepared is essential, Griffin says, because an attack will inevitably happen. “You can’t be prepared enough.”

“I just can’t stress enough that this is not just a technical concern,” Griffin underscores, “we’ve got to elevate the discussion to a business and strategy discussion.” “We all have a responsibility now to protect our data, protect our patients, and protecting those patients comes in many forms and fashions.”
