Cybersecurity and Healthcare: Why the Industry Must be Vigilant About New Vulnerabilities

By Hilton Hudson, MD, FACS

For any hospital or health system executive still wondering if a cyberattack has the potential to strike your digital infrastructure in 2024, the news might come as a shock: It’s not a question of “if,” but “when.”

In response to more frequent and sophisticated threats, the Department of Health and Human Services (HHS) updated its Healthcare Sector Cybersecurity guidelines in December. HHS noted a 93% increase in large data breaches from 2018 to 2022 (369 to 712), with a 278% increase in large breaches involving ransomware during the same five-year period. As one of the largest industries in the U.S. by money spent and commercial profits, healthcare is particularly vulnerable to large data breaches—especially considering its reliance on technology and its vast troves of sensitive customer data.

Across the country, healthcare executives are meeting with the FBI and taking extra security measures within their IT systems. Outsourcing and off-shoring IT governance is falling out of favor as an industry practice. Budgets are tight, but hospitals and health systems are expected to pour more internal resources into revamping their IT security in 2024 than ever before.

Fortunately, some of the most effective solutions are also the least sophisticated and costly. Employees and ex-employees who gain unauthorized access to patients’ electronic medical records pose a security threat. Reducing that threat can be as simple as requiring all clinicians to log out of any device they are logged into once they’re done looking at the screen, whether working on-site or off. Switching to enhanced login protocols (requiring two- or three-factor authentication, for example) is just as important.
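The two controls named above, automatic logout of idle sessions and a second authentication factor, can be enforced in code rather than left to clinician discipline. The following is an added illustration written for this article, not code from the author or from any hospital system; the timeout values and the user names are assumed placeholders, and the one-time-code check implements the standard TOTP algorithm (RFC 6238) with only the Python standard library.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

# Assumed policy values for illustration; a real deployment sets these per risk assessment.
IDLE_TIMEOUT_S = 5 * 60          # log the session out after 5 minutes without activity
ABSOLUTE_LIFETIME_S = 12 * 3600  # and unconditionally after a 12-hour shift
TOTP_STEP_S = 30                 # RFC 6238 time step


@dataclass
class Session:
    user: str
    created: float     # epoch seconds when the session was issued
    last_seen: float   # epoch seconds of the most recent request


def is_expired(session: Session, now: float) -> bool:
    """True once either the idle timer or the absolute lifetime has run out."""
    idle_for = now - session.last_seen
    age = now - session.created
    return idle_for > IDLE_TIMEOUT_S or age > ABSOLUTE_LIFETIME_S


class SessionStore:
    """In-memory session table; `clock` is injectable so expiry can be tested deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)          # unguessable opaque session id
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def touch(self, token: str):
        """Validate a request: returns the Session and refreshes the idle timer,
        or returns None (and forgets the token) if it is unknown or expired."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if is_expired(session, now):
            del self._sessions[token]               # a stale screen cannot be reused
            return None
        session.last_seen = now
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the 30-second time counter)."""
    counter = int(at) // TOTP_STEP_S
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift,
    using a constant-time comparison so the check does not leak timing."""
    return any(
        hmac.compare_digest(totp(secret, at + delta * TOTP_STEP_S), code)
        for delta in range(-window, window + 1)
    )


def complete_login(store: SessionStore, user: str, totp_secret: bytes, code: str, at: float):
    """Second stage of login (password already checked by the caller, assumed):
    issue a session only if the one-time code is valid."""
    if not verify_totp(totp_secret, code, at):
        return None
    return store.create(user)


class FakeClock:
    """Controllable clock for demonstrating expiry without waiting."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(clock)
    secret = secrets.token_bytes(20)               # constructed enrolment secret
    token = complete_login(store, "clinician_a", secret, totp(secret, clock.t), clock.t)
    print("logged in:", token is not None)
    clock.t += IDLE_TIMEOUT_S + 1                  # walked away from the workstation
    print("still valid after idle period:", store.touch(token) is not None)
```

The idle timer is refreshed on every request, so an active clinician is never interrupted, while an unattended screen expires on its own; the absolute lifetime caps how long a stolen token remains useful even if an attacker keeps it alive. The TOTP helper is shown for completeness; production systems would use a vetted library and bind the secret to the user's enrolled device.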

These protocols protect employees as well as patients. Experienced hackers can access the human resources files of a logged-in employee, potentially rerouting their direct deposits by inputting false bank account numbers, among other means of identity theft.

Patients, of course, are the focal point of protective measures against healthcare cyberattacks. The December memo from HHS described the myriad consequences of cyberattacks on patient care: “Cyber incidents affecting hospitals and health systems have led to extended care disruptions caused by multi-week outages; patient diversion to other facilities; and strain on acute care provisioning and capacity, causing canceled medical appointments, non-rendered services, and delayed medical procedures (particularly elective procedures). More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care.”

Finally, there’s the risk cyberattacks pose to organizations themselves. The scope is potentially enormous.

In 2023, more than 540 organizations and 112 million individuals were affected by healthcare data breaches reported to the HHS Office for Civil Rights (OCR), compared to 590 organizations and 48.6 million impacted individuals in 2022. HealthITsecurity.com detailed the 10 largest breaches. The victims included medical and dental care providers, benefits administrators, mental telehealth specialists, a pharmacy network, a healthcare SaaS company, and a medical transcription service. The collateral damage included ransom demands, lost business, and investigations by state regulators.

In each case, the affected organization enhanced its security protocols in response to the breach. The best practice, of course, is to enhance your organization’s security before any hackers break through.

To that end, local control over your IT systems is becoming increasingly preferred as a means of defense. If you do outsource, choose a highly vetted U.S.-based company. The upfront cost might be higher compared to a competitor located overseas, but the investment is justified. A multimillion-dollar ransom demand from a hacker is far more costly.

The next year will be telling. If the industry learns its lessons from the costly, high-profile security breaches of 2023, these stories will have served their purpose as cautionary tales. If not, 2023 will be remembered as a mere precursor to 2024, a warning cry left unheeded.

Hilton M. Hudson, MD, FACS, is a board-certified cardiothoracic surgeon and the Chief of Cardiothoracic Surgery at Franciscan’s Michigan City and Olympia Fields health systems. He is also the CEO of HPC International, the leading educational purchased services supplier for healthcare, corporations, and academic institutions.