Experts warn about the growing dangers of criminals using AI and deepfakes to target hospitals and healthcare organizations.
Hundreds of cyberattacks involving healthcare organizations have been reported this year, and there’s still more than a quarter of the year remaining.
More than 400 data breaches involving private health information have taken place since the start of 2023, according to the U.S. Department of Health and Human Services.
Analysts project this could be a record-setting year in terms of the number of victims. More than 40 million Americans were affected by breaches during the first half of the year, according to Critical Insight, a cybersecurity firm. More hospitals have been victims of ransomware attacks, including large systems such as HCA Healthcare and CommonSpirit Health.
Even with those dire signs about the dangers of cyberattacks, experts warn that health systems will face new and emerging threats in the years to come.
Several cybersecurity leaders who spoke with Chief Healthcare Executive® point to the development of artificial intelligence as a looming danger. They point to AI in the development of more sophisticated phishing emails and technology to impersonate executives.
Steve Cagle, the CEO of Clearwater, a cybersecurity firm, is among those who see AI as an emerging danger.
"I think we're at the very early stages of what we're going to see from a cybersecurity perspective,” Cagle says.
Experts predict other looming threats are on the horizon, and they stress the importance of healthcare leaders focusing on cybersecurity in the coming years. Bad actors will employ new technology and new tactics, especially if they see previous approaches prove to be less successful.
(Cybersecurity experts discuss emerging threats in this video. The story continues below.)
Mike Britton, chief information security officer of Abnormal Security, says he’s concerned about cybercriminals using generative AI to go after hospitals.
“I think the rise of AI and generative AI is absolutely a looming threat, not just for healthcare, but for all organizations,” Britton tells Chief Healthcare Executive®.
Britton says that criminals can use AI to send automated emails, and AI-generated responses can pull more information from people or systems that they are targeting. Eventually, those AI-responses can eventually coax victims into providing private information, including bank account information.
“At that point, the live person comes on, takes your money and the scam is over,” Britton says.
Many attackers continue to use email-based attacks, which can yield high returns with relatively low effort, he says. But while Britton says AI-enabled attacks aren’t widespread, they aren’t theoretical, either.
“We're not seeing it on a large scale, but we do see generative AI messages being used by attackers,” Britton says. “So it's there, it's happening.”
At a panel during the HIMSS Global Health Conference & Exhibition in April, cybersecurity experts said hospitals will need to prepare for AI-powered cyberattacks.
Adam Zoller, chief information security officer for the Providence health system, said at the conference that he thinks it’s inevitable that criminals will use AI to attack hospitals and healthcare organizations.
“Within the next couple of years, we're gonna see AI-operated ransomware, AI-operated malware that automatically gets into your systems and automatically finds exploitable vulnerabilities,” Zoller said.
Cybersecurity leaders say they’re concerned with bad actors using AI tools that can probe an organization’s vulnerabilities, and can learn from mistakes.
“There's certainly opportunities for threat actors to use artificial intelligence to advance their own attacks,” Cagle says. “So they can use it to generate code for malware. They can use it to learn the defenses of a security program and adjust accordingly. And they can use it to execute phishing attacks.”
At the same time, Cagle and cybersecurity experts point out that hospitals and healthcare organizations can utilize AI to improve their own defenses, identify vulnerabilities and repel intruders.
“Artificial intelligence has been used by cybersecurity vendors and technologies for quite some time now to help in improving defense, by becoming more efficient, more agile,” Cagle says.
But he notes that AI is a double-edge sword, creating new opportunities for improved defenses and more sophisticated attacks.
“It’s going to be a bit of a battle as time goes on to see who can win the AI race,” Cagle says.
Cybersecurity experts point to the possibility of attackers using “deepfakes” to impersonate executives and leaders.
Potentially, actors could send fake audio or even video of an executive telling employees to send money to a specific account, among other disturbing possibilities.
The federal government issued a warning about the growing threat of deepfakes earlier this month. The advisory cited a host of fake videos, including one depicting Ukrainian President Volodomyr Zelenskyy telling his nation to surrender to Russia.
“All these technologies that are able to fake people's voices, and are able to fake people's images and so on, I think that's going to be a major problem,” says Limor Kessem, a senior cybersecurity consultant for IBM Security.
John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, said health systems need to be mindful of the threat of deepfakes.
“At this time, there does not appear to be widespread use of deepfakes targeting health care, but we should maintain vigilance and promote awareness in the workforce,” Riggi said in a statement earlier this month.
Lee Kim, senior principal for cybersecurity and privacy at HIMSS, said in a December interview with Chief Healthcare Executive that she sees growing potential for the use of deepfakes, as more leaders meet virtually or connect with their teams via video.
“Deepfakes, I predict, will make a significant entry point into healthcare as well as other industries,” Kim said.
Focusing on records
Criminal groups are also changing some of their strategies recently, analysts say.
Instead of trying to penetrate a hospital or medical group, some bad actors are focusing on getting access to electronic health records. They’re trying to get into insurers or other companies that work extensively with health organizations. Such an attack could yield private health information on millions of people.
“They're going to a hospital chain, or a service provider that serves up records, so that they can minimize that effort,” Hamilton says. “And they're starting to be very successful doing this.”
A cyberattack on MCNA, a dental insurer, affected more than 8.8 million Americans, according to the U.S. Department of Health and Human Services. A pharmacy services firm, PharMerica said in a statement it was hit with a cyberattack in March, and the breach has affected more than 5.8 million Americans.
Hamilton said there are more attacks aimed at insurers and other vendors.
“The combination of healthcare and fintech makes those especially juicy targets,” Hamilton says.
Health systems are vulnerable to attacks aimed at their vendors. Nick Hyatt, the practice manager for Optiv's Global Threat Intelligence Center, says hospitals should be asking their vendors about their cybersecurity capabilities.
“When you're bringing on a new vendor, or when you're bringing on a new piece of software, what does their security look like? I think people forget to ask those questions sometimes,” Hyatt tells Chief Healthcare Executive.
Even if the breach involves a vulnerability outside the hospital’s control, that’s of small comfort. “You're on the hook for whatever happened. So you do have to start asking those tough questions,” Hyatt says.
The confluence of state actors, activists and criminal groups is worth watching, says Mike Hamilton, chief information security officer of Critical Insight.
“Geopolitically the world is really weird right now. And it's really hard to determine who is who. And so there's nation-state activity that's hiding behind either the criminal or the activist guys. There are actual activists out there that will just take something down for a cause,” he says.
Hamilton said recent layoffs in cybersecurity companies could create future problems.
“When you create a whole bunch of unemployed people with skills, they might go to the dark side,” Hamilton says. “So you know, that's a situation I think we need to watch.”
Some hospitals and healthcare organizations have said they’ve struggled to recruit and retain talented cybersecurity professionals, because other sectors offer better pay.
More organizations have defenses aimed at blocking phishing emails and are using multi-factor authentication, such as asking for users to utilize a password and another step, such as a code sent to their phone. So attackers aren’t simply relying on emails, experts say.
Some attackers are sending text messages with links, hoping for a response, Hamilton notes.
More than ever, healthcare leaders must be focusing on cybersecurity and ensuring that it is a top priority throughout their organizations, experts say.
Hospital organizations also need to understand that just as bad actors are evolving, they need to constantly look to improve their cybersecurity defenses. Hospitals need to consider the risk to patients and the cost of cyberattacks, both financially and to their reputation.
Britton of Abnormal Security says defenses that may have proven effective in the past are probably not going to succeed today, or in the future.
“What got you here is not what's going to carry you forward because technology tactics have changed,” Britton says.