A Look at 2024’s Health Care Cybersecurity Challenges

With 386 health care cyber-attacks reported thus far in 2024, data-theft crimes and ransomware attacks against health care and our mission-critical third-party providers appear to be unfolding at the same elevated rate as in 2023, which was the worst year ever for breaches in health care.¹ The scope and impact of this year’s breaches, however, have been much more profound.

Ransomware attacks are not just data-theft or financial crimes, they are threat-to-life crimes. And they are not just an IT issue, but a risk to every function of your enterprise. They are designed to shut down vital systems and cause maximum delay and disruption to patient care. They not only threaten the safety of patients in the hospital, but their effects cascade throughout the entire community and every hospital, clinic and emergency department in the surrounding region — what I call the blast radius.

A perfect example of the blast radius effect is the far-reaching and lingering impact of the February attack on Change Healthcare, a third-party provider.

Attacks on Third-Party Health Care Service Providers and Suppliers Are Rising

The ransomware attack on United HealthGroup’s subsidiary Change Healthcare impacted every hospital in the country in one way or another and was the most significant and consequential cyberattack in U.S. health care history. Change Healthcare is the predominant source of more than 100 critical functions that keep the health care system operating, including management of clinical criteria used to authorize patient care and coverage, claims processing, and prescription drug processing. As a result of the shutdown to Change Healthcare’s operations, patients struggled to get timely access to care, and billions of dollars stopped flowing to providers. This attack has shone a spotlight on third-party attacks and the need for health care organizations to prepare their business and clinical continuity procedures now for an extended loss of services caused by future cyberattacks.

Attacks like these indicate that we will see a continued rise in the number of individuals affected by attacks on health care third-party business associates, a number that jumped by 287% from 2022 to 2023.² Learn more about the rise of ransomware attacks on third parties in my previous blog.

Collaboration Emerging Between Hostile Nation-States and Ransomware Attackers

New threats are on the horizon. We are beginning to see more instances of international cooperation between nation-state-sponsored hackers and ransomware groups from other countries. In late August, for example, Iranian-based cyber actors leveraged unauthorized network access to U.S. organizations for espionage reasons, including to health care organizations, to facilitate and profit from ransomware attacks by Russian-affiliated ransomware gangs.

Geopolitical Risks Continue

Geopolitical risks threaten the health care sector’s cybersecurity, with ransomware attacks typically originating in countries like Russia, China, North Korea and Iran, often with tacit permission from their host governments. Defense alone will not deter our cyber adversaries. Nor can hospitals tackle this complex problem on their own.

Working with our allies, the federal government must go on the offensive, making it a priority to disrupt cybercriminals before the attack. And it must do more to assist when an attack does occur, by disseminating threat intelligence, and by providing a whole-of-government response that leans on law enforcement, legislative, military and intelligence capabilities.

New Regulations Aimed at Strengthening Cybersecurity

The Department of Health and Human Services (HHS) has created a set of voluntary Cybersecurity Performance Goals (CPG) in cooperation with the Healthcare and Public Health (HPH) sector to encourage the implementation of high-impact cybersecurity practices to help organizations better prepare for and mitigate cyberthreats. The CPGs are designed to defend against the most common tactics used by cyber adversaries to attack health care and related third parties, such as exploitation of known technical vulnerabilities, phishing emails and stolen credentials. The AHA helped draft these CPGs and we have strongly advocated that they must apply to third-party technology providers and business associates as well. HHS also has recently indicated that it is working on specific oversight policies for third-party vendors.

Visit the AHA’s new Cybersecurity Support webpage to learn more about how the AHA’s cybersecurity provider partners, including Microsoft, Google, AON, Censinet, Critical Insight and Cylera, are providing dedicated resources and special offerings to help your organization meet the HHS Cybersecurity Performance Goals.

The AHA Is Here to Support Your Health Care Cybersecurity Efforts

Learn how I and my team can advise and assist in mitigating the many cyber and physical risks your organization faces.

Plus, learn how the exclusive, highly vetted panel of service providers in our AHA Preferred Cybersecurity Provider (APCP) Program can help your organization prepare for, prevent and respond to today’s pressing cyberthreats.

¹ https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

² Broderick, Tim. "Healthcare data breaches hit new highs in 2023," Modern Healthcare, January 25, 2024. https://www.modernhealthcare.com/cybersecurity/healthcare-data-breaches-2023-anthem-lbm