Reducing risk amid a swarm of cyberthreats

The healthcare industry continues to be a high-value target for cybercriminals due to the potential for operational disruption. Cybersecurity experts predict the threat will remain high for the foreseeable future. With connected technology embedded across the healthcare ecosystem—from phones and medical devices to supplier networks—the industry is especially vulnerable to cyberattacks, says Matthew Webb, AVP, Cyber Risk Management, HCA Healthcare. “Healthcare continues to grow with so many more players, so the attack surface is more conspicuous than it ever has been,” he explains.
Rather than new kinds of threats, it’s phishing and ransomware attacks that providers must remain vigilant against, says HealthTrust’s Director of Security Sourcing, Marc Sammons. “Today, there are even more people conducting attacks, and there are actually national cyber organizations targeting different supply chain infrastructures with perpetrators looking to disrupt operations and extort money from the companies they victimize.”

Even if not the primary target, hospitals and health systems are still affected by cyberattacks. Webb and Sammons refer to a 2024 attack on a major blood supplier in Florida. Its system was compromised; its ability to deliver was jeopardized; and without blood flowing into the health system’s supply, emergency services were delayed and surgeries were postponed.

Mitigating risk
Technology evolves constantly, so hospitals and health systems need to maintain basic security hygiene and take steps to be as resilient as possible.
Webb and Sammons share four best practices for foundational cybersecurity:
- Patches are applied routinely on all systems
- Complex passwords are in place, and multifactor authentication is used wherever possible
- Colleagues are educated to be cautious with email links and attachments, and to verify suspicious emails by contacting the sender directly
- Systems are backed up so there are “backups of the backups” should you need to rebuild
To bolster resiliency, Webb and Sammons recommend regularly testing your systems and conducting tabletop exercises to work through what would happen in various scenarios. “While it is hard to carve out time to do tabletop exercises, it’s advantageous to ensure you’re ready before an event happens,” says Sammons. (See sidebar on page 56.)
Another resilience approach involves giving suppliers limited system access to monitor or service their own equipment, says Sammons. If you go that route, be certain you understand their security capabilities and ensure that the way they manage their equipment within your systems is as secure as possible.

Potential policy changes on the horizon

When evaluating security capabilities, it’s important to be aware of potential changes that could occur to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009, says Josh Lewis, Director of Risk Governance & Reporting for HCA Healthcare.
Proposed changes from the Department of Health and Human Services would alter requirements for your electronic health information inventory and introduce new rules for business associate agreements—both potentially requiring contract renegotiations.
The comment period for the rule closed in March 2025. As of late July, no formal decision had been made. “If they do release the final rule, the industry will have 240 days to be in compliance,” Lewis says.

An Ounce of Prevention
Hospitals & health systems can run an effective “tabletop” exercise, suggest Webb & Sammons, by working through the following questions:
- What are the ways we can be compromised?
- Are we invested in the best supports to block or minimize attacks?
- If our system were down, how would we respond?
- Is there a secondary system if the primary fails?
- Is there offline storage?
- What, if anything, is air-gapped?
- Do we have a resilient backup available?
- Are the right teams already in place?
- Is there a contract with an incident recovery team?
- Do we have a communication plan & tree?
- How are we vetting third-party access?
- Do we have backup suppliers if one is compromised?
- If a payer is attacked, can we go unpaid for X days?
- Do we have enough cash on hand to ride things out?