Healthcare sector cybersecurity retrospective and the year ahead

In 2023, the healthcare industry faced an alarming surge in cyberattacks, exposing the data of tens of millions of patients. Major breaches occurred across hospitals, health systems, insurers, and vendors. Attackers compromised networks to steal sensitive patient information and deploy ransomware that disrupted operations.

These incidents had real consequences. At Manchester, Connecticut’s main hospital in August, a ransomware attack forced staff to send emergency patients to other facilities, cancel surgeries, and work without access to imaging equipment. It took over six weeks for the facility to return to normal operations. Ransomware groups attacked several major health systems as well, such as Capital Health (New Jersey) and HMG Healthcare (Texas). A cyberattack on Nashville-based HCA Healthcare, with 180 hospitals comprising 41,000 beds spread over 20 states, impacted personal data of nearly 11 million individuals - some of which was later detected for sale on dark web hacker forums. Attackers also targeted third-party vendors, like software tech company NextGen Healthcare and population health data vendor HealthEC.

Overall in 2023, more than 500 significant healthcare data breaches were reported, a figure double that of 2022. The events impacted nearly 50 US hospital systems. The 11 largest breaches impacted the health and other private information of more than 70 million patients.

Healthcare’s social contract: Ethical data stewardship and patient well-being

The magnitude of these invasions of patient privacy and disruptions of care delivery operations threatens to shatter public trust, as they extend beyond data theft. Ransomware and other cyberattacks have disrupted hospital operations, impeding patient care by rerouting ambulances and delaying critical treatments. Patients and providers are both affected: patients’ confidence in safeguards of the privacy of their intimate medical details is shaken, while providers have concerns that they cannot rely on accessible electronic records to make timely, informed care decisions. All of this jeopardises the healthcare industry’s social contract premised on ethical data stewardship and patient well-being.

As threats rapidly evolve, the healthcare sector urgently needs to prioritise (or renew focus on) cybersecurity and patient data privacy. Preventive measures such as multifactor authentication, security audits, staff training, robust incident response plans, advanced cybersecurity infrastructure, and industry partnerships are vital to maintaining solid defences in an increasingly perilous digital landscape.

The problem is hydra-headed, though: ransomware gangs weaponise increasingly advanced phishing attacks fuelled by AI to perpetrate their multifaceted criminal schemes. Once inside a provider’s network, attackers steal troves of data and deploy disruptive malware. Meanwhile, legacy systems with unpatched security flaws and inadequate operating procedures further expose the sector. The result is a vast and complex digital attack surface. Until the industry implements sweeping prevention initiatives, profit-driven hackers will continue threatening the well-being of patients and providers alike.

Prioritising cybersecurity to combat challenges

Regulations like the Health Insurance Portability and Accountability Act (HIPAA) only address baseline healthcare data privacy and security protocols. While cyber threats are becoming more sophisticated, HIPAA guidelines are not designed to keep pace with the latest types of cyberattacks or the advanced techniques used by cybercriminals.

And HIPAA provided little solace to the more than 70 million patients whose healthcare records were compromised last year.

As innovation outpaces policy, balancing access, efficiency, and privacy has proven challenging. A cyberattack on telehealth company Cerebral resulted in exposure of the personal information of more than 3 million patients via website trackers, demonstrating that policy has not evolved to cover novel care delivery technologies and data sharing practices. Few regulations govern third-party apps and medical devices either, and vulnerabilities proliferate. While not intended to address future threats, existing policies must be continuously re-evaluated and reinforced to secure increasingly complex, integrated systems.

Human mistakes play a sizable role in healthcare data breaches. Industry research indicates that 95% of cybersecurity incidents involve an element of human error, such as falling for phishing, misconfiguring systems, or neglecting authentication best practices. These errors allow nearly two-thirds of healthcare breaches. Staff lacking security knowledge, overloaded from strain, or rushing through workflows enable threat pathways that sophisticated hackers exploit. But even up-to-date policies cannot completely account for predictable mistakes amid busy clinical environments.

Regular and engaging cybersecurity and privacy training is thus essential for healthcare facilities and their partners to reinforce good data control hygiene and security consciousness. Research confirms that simulated anti-phishing programs keep breach numbers lower at trained organisations. Proactively identifying and mitigating compliance gaps via audits is also increasingly vital. With threat sophistication scaling dramatically, healthcare must meet the threat with multi-layered human and systemic readiness.

Future threats: AI, deep fakes, and automated ransomware

In 2024, the healthcare sector remains dangerously exposed to escalating and sophisticated cyberattacks seeking to compromise critical systems and steal sensitive patient data. Key threats include phishing attacks, ransomware, data breaches from third parties, and disruption from distributed-denial-of-service (DDoS) attacks.

Phishing ploys aimed at manipulating staff into clicking malicious links are simple, yet devastatingly effective, granting access for follow-on malware insertion. And with generative AI tools widely accessible, ready command of the victim’s language is no longer an obstacle. The next big thing? Deep fakes - simulated voice and video phishing designed to dupe data keepers into loosening security.

Ransomware attacks are increasingly automated and profitable, and healthcare is a prime target for digital smash-and-grab crime. Breaches via third-party vendors with lax security are also rampant, given the industry’s vast and complex digital ecosystems. And DDoS attacks threaten to disrupt operations by flooding networks and taking critical systems offline.

Exacerbating these threats is the prevalent use of connected, but unsecured, Internet of Things (IoT) medical devices, which also presents challenges for compliance with security frameworks like HIPAA. Meanwhile, legacy systems containing outdated software present prime technical vulnerabilities waiting to be exploited.

And a final word on AI. AI will be used in healthcare cybersecurity to enable efficient detection and response to cyber threats by analysing vast data volumes and identifying attack patterns. However, there is a genuine risk of cybercriminals developing AI-driven attacks. For example, cybercriminals are already using AI algorithms to generate large-scale phishing email campaigns that are highly personalised and convincing. These projects analyse vast amounts of data from social media and other public sources to tailor phishing messages that appear to be from trusted sources. Such attacks are more effective than traditional phishing, due to their personalised and adaptable nature, resulting in enhanced threats to cybersecurity defences.

To manage escalating risks in 2024, healthcare organisations must implement comprehensive incident response plans and access control measures, such as multifactor authentication, robust network monitoring, enhanced endpoint security, third-party risk assessments, and mandatory cybersecurity awareness training for all staff. They must also adopt or further develop advanced defensive tools and partner with cybersecurity specialists. A proactive and resilient security posture is essential as threats evolve at a pace far outpacing patient well-being and privacy considerations.