From life-saving to life-threatening: The cybersecurity crisis in healthcare

As pernicious attacks increase, the industry faces an imperative to introduce strategies for warding off bad actors

The healthcare industry is a primary target for cybercriminals due to its massive repositories of sensitive patient information and widespread adoption of digital technologies. In 2023, for the 13th year in a row, it experienced the most costly data breaches of any other sector globally, averaging close to $11 million per breach—almost twice as much as the financial industry, according to the World Bank. The impact can be devastating to both patient care operations and the very survival of a hard-hit institution. St. Margaret's Hospital in Spring Valley, Illinois, for example, permanently shut down operations in 2023, in part due to a cyberattack that took place in 2021.

At the same time, industry executives often fail to take consistent, aggressive steps to address these threats when other priorities take over. But the magnitude of the problem calls for a comprehensive, sophisticated effort to guard against the most prevalent and consequential threats they might face. Each successive breach of a healthcare institution only further underscores the need to focus on cybersecurity controls to safeguard patient care operations and protect and preserve business value.

While healthcare companies face a plethora of cyberthreats, there are five particularly prevalent and destructive examples of note.

1. Ransomware

A type of malware, ransomware permanently shuts down access to a victim's data unless a ransom is paid. So far this year, 91% of healthcare data breaches have involved ransomware. What’s more, threat actors continue to adapt to the changing technical landscape with new tools, techniques, and procedures (TTPs), the processes and actions used to develop threats and engage in cyberattacks.

Noteworthy ransomware attacks in 2024 included:

• A ransomware attack in February on healthcare technology company Change Healthcare exposed the information of more than one-third of all Americans, rendering the platform unavailable for over a month and impacting payments and revenue lifecycle.
• An April ransomware event by group LockBit3.0 targeted the Simone Veil Hospital in Cannes. This event resulted in the theft of 61GB of data.
• One month later, a file download triggered a ransomware attack on faith-based healthcare organization Ascension. Its electronic medical record system was affected for one month. 

There are a few areas of controls to reduce ransomware risks, including a ransomware assessment and incident response plan, performing purple team exercises, continuing backup resilience, and implementing Zero Trust principles and furthering microsegmentation.

2. IoT and cloud devices

As organizations continue to shift their operations to the cloud, they’ve become more vulnerable to the exploitation of that technology by bad actors. That’s especially true for opportunities created by Internet of Things (IoT) systems. These interconnected devices, which use multiple sensors, offer healthcare institutions additional metrics, analytics, and reporting, but they also create device security considerations. An exposed Internet port, for example, or a misconfiguration on an external server or IoT device, may provide an avenue of entry for a persistent threat actor. In 2023, a report showed a 400% increase in malware IoT attacks, demonstrating the need for continued focus on IoT security.

To protect themselves, organizations must review asset management capabilities to ensure asset protection, automated discovery of assets, reconciliation, and periodic review and assessment of configurations. These will help an organization understand assets living within the environment, protection capabilities surrounding these assets, and whether further protection is needed.

3. Insider threat

Employees and contractors operating within a healthcare organization who have access to sensitive IP and protected health information (PHI) data may be able to exfiltrate the data or otherwise cause intentional or unintentional harm to the institution’s assets. Such attacks can potentially impact patient care and result in reputational and HIPAA compliance risks to an organization. These threats have increased 7.9% year-over-year, with the average cost of insider risk at $16.2 million, according to a 2023 Ponemon report.

Employee monitoring, awareness training, data security, and regular background checks serve as controls to protect from threats and provide insights into user behavior, as well as the potential risk level of particular employees.

4. Hacktivism

This involves a cyberattack on a particular entity or sector by a group of individuals aiming to spread a political message, usually in times of conflict. For example, in January 2023, a pro-Russian hacktivist group named Killnet targeted 14 U.S. healthcare organizations with distributed denial of service (DDoS) attacks, which disrupt a website or server by flooding it with excessive traffic, after officials sent additional military aid to Ukraine.

In October 2023, in response to the rise of hacktivism in recent years, the European Union Agency for Cybersecurity (ENISA) reported a set of recommended actions to counter the increase in DDoS attacks against the healthcare industry, such as a redundant backup strategy, scanning and addressing vulnerabilities, and improvement of detections. Additionally, AlixPartners would recommend a “well-architected" infrastructure review that focuses on core infrastructure pillars to ensure continued resilience against common and emerging threats.

5. Weaponization of AI

When AI is used alongside another threat vector, it may be weaponized to increase the success rate of an attack. For example, bad actors can ask Generative AI to ingest the writing style of a particular public-facing company spokesperson and then craft an email to send to a target. Such instances of business email compromise increased 46% from 2022 to 2023, according to a report by Ponemon Sullivan. Generative AI may also be used to spread misinformation or disinformation by, for instance, producing articles and deepfake videos on controversial medical topics.

Without tools or training to help internal users and the general population learn how to defend themselves against these attacks, they may fall victim to them. Cybersecurity teams should perform regular tests to understand the organization’s ability to identify and respond to such attacks, and consider focusing on higher-risk group areas that may be more susceptible to these threats, including executive leadership and administrators. This may include deployment of tools that report to the user a warning of potential malicious AI usage, and a reporting mechanism for further validation.

An urgent need to plan ahead

As cyberattacks increase, healthcare organizations face an urgent imperative: to consider these vulnerabilities as part of a cybersecurity strategy and create a plan for the upcoming year to reduce risks from persisting threats. To quickly address this need, healthcare organizations must focus on implementing or enhancing core Cybersecurity program pillars, such as data security, resiliency and response, access control, network security, third-party risk management, and regulatory and compliance. 

AlixPartners has a playbook to develop a bespoke solution that addresses healthcare cybersecurity needs, bringing in inputs from environment, process, and manpower, and tailoring an output focused directly on high impact quick wins as part of a go-forward strategy. Organizations may begin by ensuring assets and data are accounted for, then stepping through controls against a common healthcare cybersecurity framework like HITRUST to ensure compliance with controls. A focus on rapid risk reduction and addressing the impact of these threats can help organizations continue to provide quality patient care, meet and preserve their business objectives, regulatory and compliance goals, along with optimization and value creation efforts.