Michael Hamilton, founder and chief information security officer of Critical Insight, talks about trends in attacks and emerging threats in the coming year.
Hospitals and health systems have been struck by scores of cyberattacks, and Michael Hamilton says 2023 has been the worst year ever in terms of the number of people affected by health data breaches.
Hamilton is the founder and chief information security officer of Critical Insight, a cybersecurity firm. In the latest episode of the Data Book podcast presented by Chief Healthcare Executive®, Hamilton discusses the difficulties hospitals and healthcare organizations face in cybersecurity.
Hamilton notes that even though the number of individuals affected has soared, the number of organizations that have suffered breaches has remained fairly stable. He notes that attackers are increasingly trying to get into health systems by accessing vendors and partners.
“There is an increasing focus on coming in through a third party,” Hamilton says.
“Going through a third party, which has poor controls, which may be a service provider to hospitals, large and small … that's the way that they're going, and they're really going after the records,” he says.
In addition, some attackers are moving from phishing to what he calls “vulnerability exploit,” as criminals race to find vulnerabilities in technology after they are announced and before they can be patched.
“You’ve got to get it patched before they find you, because they start looking immediately,” he says.
Hamilton also discusses the risk cyberattacks pose to patient care, which is a growing concern for hospitals and health systems. Some attacks this year have impacted patient care.
Last month, Ardent Health Services disclosed a ransomware attack that affected hospitals in several states, which led to ambulances being temporarily diverted and some surgeries being postponed. A New York health system had to temporarily divert ambulances due to a cyberattack in October.
Given the threat to public health from attackers inside and outside the country, Hamilton says the government needs to do more to protect hospitals and patients.
“The federal government has got to get much more into this fight,” Hamilton says.
The government needs to give health systems more resources, he says.
“More funding needs to be made available to the healthcare sector,” he says. “And I think more importantly, we need to start making people available to the healthcare sector, because right now, they cannot attract and retain qualified practitioners.”
Hamilton also discusses New York’s plans to introduce cybersecurity regulations for hospitals, and he says that’s “a positive step.”
“The states, I believe, will follow New York's lead in creating nearly identical regulations,” Hamilton says.
More hospitals and healthcare organizations have suffered ransomware attacks this year. In the first half of 2023, more than 220 hospitals were affected by cyberattacks, according to the American Hospital Association.
HCA Healthcare, the nation’s largest for-profit hospital system, said in July that it suffered a cyberattack that may have affected as many as 11 million individuals.
More than 88 million individuals have been affected by breaches of private health data, a 60% increase over the previous year, the U.S. Department of Health & Human Services said last month.
Healthcare executives need to be engaged in cybersecurity, and Hamilton notes that regulatory agencies are sending the message that “You have to lean into governance.”