
The healthcare industry is a prime target for cyberattacks due to the significant value of medical data and the critical nature of patient care. Unlike other sectors, healthcare organizations must balance cybersecurity with the need for immediate access to life-saving information.
Ransomware attacks, in particular, have surged, with cybercriminals exploiting outdated systems, unpatched vulnerabilities, and human error to disrupt operations. A single breach can not only compromise patient privacy but also delay urgent treatments, putting lives at risk.
This is where the human component comes in: when we are at our most vulnerable due to illness or disease, and the systems we depend on to survive are under attack, there is a compelling basis to make that attack go away by whatever means necessary. This makes digital hygiene - regular software updates, employee training, and strong access controls - not just a security priority but a fundamental patient safety issue.
In short, it is a matter of life and death.
Hospitals Are Special Magnets for IoT Attacks
Hospitals and healthcare providers face unique cybersecurity challenges, including the widespread use of legacy systems, interconnected medical devices, and stringent regulatory requirements. Attackers increasingly use phishing, supply chain exploits, and AI-driven threats to infiltrate networks, often leading to massive data breaches and regulatory penalties.
We only need to consider the implications of the recent supply chain attack on pagers and walkie-talkies in Lebanon to understand the potential implications for medical devices across their supply chain.
In an analysis of software vulnerabilities related to health systems, researchers revealed “electronic health records, wireless infusion pumps, endoscope cameras, and radiology information systems as the most vulnerable.” As the US Department of Health and Human Services (HHS) noted in an official publication, “If compromised, connected devices such as Magnetic Resonance Imaging (MRI), Positron Emission Tomography (PET) scans, vital sign monitors, etc. can be an attack vector,” ultimately putting patients’ lives at risk.
Cyber Threats to Healthcare at Large
Compliance frameworks like HIPAA and GDPR set strict guidelines for protecting patient information, but many organizations struggle to keep up with evolving threats. In this way, healthcare organizations share some of the challenges that other industries face. It is hard for me to think of a time when the need for robust identity and access management, supply chain protection, and proactive threat detection in healthcare has been more urgent than it is right now.
Last year was cited as an “annus horribilis” for healthcare data breaches by The HIPAA Journal. It saw the largest healthcare data breach on record, the ransomware attack on Change Healthcare patients, which compromised and encrypted the protected health information (PHI) of 100 million individuals. According to The HIPAA Journal, there were an unlucky 13 healthcare data breaches affecting over 1 million people last year, with nearly 147 million records being breached. It is interesting to note the cause and impact of each one:
Change Healthcare (100 million individuals) | BlackCat/ALPHV ransomware attack
Kaiser Foundation Health Plan (13.4 million individuals) | Tracking technologies on authenticated web pages
Ascension Health (500 individuals) | Black Basta ransomware attack
HealthEquity (4.3 million individuals) | Credential attack on a third-party device
Concentra (9.3 million individuals) | Third-party cyberattack
Medicare and Medicaid (3 million individuals) | Zero-day vulnerability in file transfer software
Acadian Ambulance (2.9 million individuals) | Daixin Team ransomware attack
Sav-Rx (2.8 million individuals) | Ransomware attack (with ransom paid)
WebTPA (2.5 million individuals) | Embedded threat actor exfiltrating data for 8 months
Integris Health (2.4 million individuals) | Hunters International data theft and extortion attack (these attackers even contacted patients directly, charging them $50 to have their PHI permanently deleted)
American Vision Partners (2.4 million individuals) | Unauthorized access and exfiltration attack
Summit Pathology (1.8 million individuals) | Medusa ransomware attack
Geisinger (1.3 million individuals) | Insider attack: unrevoked login credentials
It is interesting to note the prevalence of ransomware attacks in this lineup, and the Journal notes that in eight of these cases, third parties (“business associates”) were involved. Missing the lineup by a few hundred thousand is a recent cyberattack on a French hospital, in which the records of 75,000 people were compromised due to faulty access controls on a vital patient records system.
These “mundane” but impactful healthcare cybersecurity events reflect what Kevin Fu, director of the security and privacy lab at the University of Michigan, noted: “You'll see a lot of attention to some fairly dramatic events involving what some might call hacking medical devices. But I think the real emerging issues are a little bit more mundane but have greater impact.” He explains that “[if] a medical device, let's say a bedside monitor, gets infected with a computer virus, then that device can... break and therefore not be available to give patient care.”
How Healthcare is Fighting Back
To combat these growing threats, healthcare organizations are investing in cybersecurity initiatives such as endpoint protection, network segmentation, and AI-augmented threat detection. Incident response plans are being refined to minimize downtime and ensure redundant systems are available in the event of an attack, while partnerships with cybersecurity firms can help bolster and amplify defenses.
In the US, the HHS proposed new cybersecurity requirements (in the form of an update to the HIPAA Security Rule) for healthcare providers. These new security measures would include, among other things:
Routine vulnerability scans
Anti-malware protection
Data encryption
Multi-factor authentication (MFA)
Data backup and recovery
Network segmentation
And more.
Changing the Mindset
However, the most effective strategy remains a cultural shift - embedding cybersecurity awareness into every level of the organization. Even with all of the incredible defensive technologies we have, our people remain the ultimate security control in my view. With patient trust and lives literally on the line, healthcare should view digital hygiene at the same level as it prioritizes medical hygiene, ensuring both data and individuals remain protected.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.