Navigating the complexities of healthcare cybersecurity
With the number of cyber attacks skyrocketing at an alarming rate, healthcare organizations are trying to implement effective measures to prevent these threats. According to the U.S. Department of Health and Human Services, healthcare data breaches have increased 239% over the past four years and ransomware attacks have increased 278%. IBM’s Cost of Data Breach Study 2023 found that more than 88 million people were affected by security breaches in 2023 alone, underscoring the urgent need for robust cybersecurity measures.
Despite the clear and present danger, the healthcare industry continues to struggle with implementing effective cybersecurity practices. Whether it was the Tricare data breach in 2011, Shields Healthcare in 2022, or most recently United Healthcare, these high-profile attacks have led to significant disruption, financial shortfalls, and loss of trust among patients whose personal information was accessed. Healthcare is a crucial part of everyday life, so why are organizations so slow to adopt better solutions?
The answer may seem simple, but it is quite complex. Healthcare is a highly regulated industry with small operating margins. According to IBM’s Cost of A Data Breach Study 2023, the cost of just one breach is nearly $11 million. So, organizations take a methodical approach to implementing security frameworks by establishing a dedicated Chief Information Security Officer (CISO), an internal team and an advisory partner as the foundational layer. From there, foundational cybersecurity practices such as vigilant patch management, software supply chain risk mitigation, deployment of anti-virus solutions, and ongoing employee training are built into the framework.
Key steps for securing healthcare enterprises
Even when they have a dedicated security team and framework in place, healthcare organizations face challenges due to strict regulatory compliance guidelines, the sensitive nature of patient data, a complex, interdependent ecosystem of providers, the adoption of cloud and AI technology and more. There are five imperatives that organizations can take to reduce the risk of a cyber attack.
1. Lock the cloud
With more and more data being stored off-site, it is essential that healthcare IT teams follow regulatory requirements in creating a security control framework that outlines how data is sent to the cloud, the encryption format and who has access to it . While cloud service providers can provide security measures to keep data safe, integrating further controls is essential. This can be done by automating security in Dev SecOps or by controlling for multi-cloud scenarios in the event of a failure or attack. Physical security at the data center location is just as important, HCA Healthcare discovered. In 2023, a theft at an off-site storage location leaked more than 11 million records containing patient contact information and upcoming appointment dates.
Organizations should prioritize formulating comprehensive data retention strategies and contingency plans. It is critical to conduct comprehensive security assessments of the architecture of their cloud-deployed and publicly accessible applications. Resilient cloud-based solutions tailored to quickly combat ransomware attacks and facilitate the rapid return to normal business operations protect both business operations and patient interests.
2. Eliminating unpatched device risks
A healthcare system consists of multiple devices, from laptops to MRIs to patient monitors. An IT team is responsible for protecting each of these endpoints, as well as the various software programs of electronic health records and insurance payment systems. This amounts to thousands, if not millions, of entry points that an attacker could target. Updating older systems and identifying unpatched legacy vulnerabilities should be one of the first steps. Teams can create a comprehensive governance program to find and fix these areas, prioritized by risk level.
Failure to update security practices and programs results in disastrous ransomware attacks, as we saw earlier in 2024 with Change Healthcare. According to testimony before Congress, the attack – which leaked thousands of patient records – was due to the lack of multi-factor authentication (MFA) on certain servers, a vulnerability that could have been detected.
3. Stopping malicious insider threats
Implementing enhanced security operations based on the principles of zero trust, such as segmentation, identity and behavior, will prevent threats from coming from within the network.
It also proactively stops any threats that have breached the initial line of defense. These threats can also take the form of partnerships with third-party vendors. The Department of Health and Human Services Health Sector Cybersecurity Coordination Center has warned organizations about a vulnerability in the file transfer program MOVEit. Russian cyber attackers targeted this platform in 2023, where millions of records were made public. CISOs must ensure that each vendor has passed HIPAA audits and achieved HITRUST certification before deploying any services.
4. Ensuring regulatory compliance
There are several rules and compliance points that a healthcare organization must follow regarding patient data. Because every country has different regulations, it is a challenge to stay informed. Furthermore, new devices, software or digital transformation projects will bring a new set of risks. By working with a healthcare advisory partner that can monitor risks and regulatory changes, the security framework can be kept tight.
For example, Kaiser Permanente announced a data breach in April 2024 that affected more than 13 million Americans. While not considered a typical breach, patient data was shared with third-party advertisers due to improper tracking code that tracked website usage and navigation. Consulting partners can help CISOs better monitor and audit IT systems and uncover these issues.
5. Adopt new technologies
GenAI is the latest technology that every organization wants to incorporate into their technology stack. Previously, companies took their time in adopting new technologies, but the popularity of GenAI allows for faster implementations without full attention.
In healthcare, using AI is both a risk and a benefit. On the positive side, it improves the cybersecurity framework, with issues being proactively monitored and flagged. Repetitive tasks can be automated, allowing the CISO and security team to perform other tasks to strengthen the cybersecurity framework. However, it must be said that AI also brings risks to an organization. Hackers use AI to refine phishing scams, generate more sophisticated attacks, and create deep-dive fake threats. When selecting GenAI solutions, it is best to choose solutions that monitor quality and trust and are built specifically for healthcare.
Furthermore, if an employee uses AI tools that are not approved by the security team, this exposes the organization to even more risks. This shadow IT problem – usually linked to poor employee compliance with IT governance – introduces another threat surface that CISOs and their teams find difficult to pinpoint. CISOs must create a culture of security among all employees. The organizations that invest in comprehensive security training platforms see great value as employees become the first line of defense.
How one organization prevented threats
In the case of a leading oncology treatment technology provider, the company implemented a cybersecurity framework using these key steps to thwart attacks. This organization required several radiation clinics to use their own system. Instead of sending staff to each location, the provider used a cloud-based solution to protect against vulnerabilities throughout the software lifecycle. Using insights from threat modeling and previous cyber risk assessments, the team understood where there is a need to build a stronger security infrastructure.
The provider worked with partners to design and build a centralized treatment planning solution that incorporated a robust security testing framework, including static testing and third-party library assessments. The data analysis determined how to assign threat level severity and vulnerability mitigation paths. As a result, the oncology technology provider fixed more than 100 security vulnerabilities, scanned 1.5 million lines of code, and detected – and rejected – more than 250 cybersecurity threats. The implementation of the security framework, consisting of the five key elements, has successfully secured this infrastructure.
Security in the connected world
Technology has transformed healthcare. Gone are the days of paper documents and notes. Everything is online, automated and unfortunately vulnerable to security risks. When healthcare CISOs, teams and consulting partners work together, a tighter security framework is created that reduces overall cybersecurity risk. By taking these important steps, healthcare organizations can minimize attack surfaces. The result: a healthcare organization that can offer patients the right treatment on time and without disruptions or downtime.
We recommended the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: