Cybersecurity challenges in health care remain daunting | Viewpoint

Most hospitals and health systems are still struggling to find the cybersecurity budget and staffing to succeed.

If you thought that the Change Healthcare breach would shore up healthcare’s defenses, think again.

Cybercrime is now the equivalent of the world’s third-largest GDP, behind only the U.S. and China. That’s nearly $10 trillion going each year into the coffers of sophisticated cybercriminals and nation-state attackers.

In 2024, the number of breaches dipped slightly but the impact worsened: 273 million patient records were exposed. The Change Healthcare breach added 90 million records to that total, affecting nearly one-third of the U.S. population. Because of the Change fiasco, clearinghouses saw an astonishing 2400% year-over-year increase in records breached. Business Associates (BAs) accounted for 67% of compromised records.

Most healthcare organizations are still struggling to find the cybersecurity budget and staffing to succeed. The primary reasons include:

Human capital shortage – There aren’t enough trained cyber professionals to fill critical roles.

Budget constraints – Healthcare organizations continue to underfund cybersecurity initiatives despite rising breach costs. That’s why it’s so easy for other organizations to poach your top talent. Your organization can’t keep doing more with less, unless you dramatically change how you invest and operate. Outsourcing and smarter deployment of cybersecurity tools aren’t luxuries anymore.

Tool underutilization – Many organizations invest in cybersecurity tools, but never fully implement them. The industry is littered with unconfigured tools, half-deployed platforms and neglected dashboards.

Rapidly evolving threats – Cybercriminals are constantly probing for soft spots in healthcare’s defense systems. While malware and phishing remain the top attack vectors in healthcare, AI-powered attacks, zero-day exploits and stealthy breaches are dramatically raising the stakes.

The Keys To Victory

Here are some important steps every healthcare organization should take to vanquish cybercriminals.

Assess third-party risks – Third parties continue to be the Achilles heel in healthcare. Many organizations lack a complete inventory of their vendors, making risk management nearly impossible. Every organization must exercise due diligence when it comes to third-party contract language and security verification.

Remember that AI involves risks, not just innovation – Artificial intelligence is both transformative and risky. While some AI platforms enhance threat detection, others clearly overpromise. It’s important to carefully vet AI solutions and reassess your stack regularly using the MITRE ATT&CK framework.

Evaluate your Internet of Medical Things (IoMT) and data exposure – Legacy data on servers and email systems creates significant risk. The best safeguards include data purging, encryption and robust data governance.

Anticipate insurance and regulation challenges – It’s important for healthcare organizations to prudently budget for rising cyber-insurance costs. Regulatory enforcement is also stiffening. Strict mandates like the one in New York are becoming more commonplace – and federal regulatory efforts are aligning via HHS initiatives.

Build a culture of security – Cybersecurity is an organizational responsibility that every clinician and employee should take seriously. Don’t give your board members dry stats about cybersecurity. Share success stories about how employee vigilance has thwarted breaches of all types. To maintain a culture of accountability, your staff should receive continuous training in cybersecurity best practices.

It’s no secret that cybercriminals are attacking healthcare at roughly twice the rate of other public-facing industries.

The two most important initiatives to pursue this year are an exhaustive inventory of third-party vendors and their vulnerabilities and an enterprise-wide assessment of the cybersecurity tools and platforms you already own. Vetting your allies and utilizing every tool you currently possess can help your organization achieve more without spending more.

Jason Stewart is manager of vCISO services at Fortified Health Security in Brentwood, Tennessee.

© 2025 MJH Life Sciences

All rights reserved.