As hospitals and health systems continue to face growing cybersecurity threats, they must look at cybersecurity as more than just an IT issue, John Riggi, the American Hospital Association’s National Advisor for Cybersecurity and Risk, and James "Scott" Gee, Deputy National Advisor of the AHA, told Becker’s.
According to Mr. Riggi, 2024 saw one of the most significant and disruptive cybersecurity incidents in healthcare history, with a ransomware attack against Change Healthcare. This attack, which affected patient care and hospital operations nationwide, not only disrupted insurance verification, pharmacy prescriptions, and pre-authorization processes but also had lingering financial repercussions.
"Even to this day, there are hospitals that are still feeling the residual effect of delayed and interrupted payments," Mr. Riggi said.
While hospitals quickly responded to the immediate impacts, Mr. Riggi highlighted that the true aftermath of these incidents often extends far beyond the initial breach.
"Change recently reported that the protected health information of 100 million Americans was compromised during their ransomware attack," Mr. Riggi said.
He also pointed out the international nature of the threat, linking the attack to the Russian-based BlackCat ransomware group.
Beyond specific attacks like those on Change Healthcare, Mr. Riggi also expressed concern about a troubling trend: the rise of ransomware targeting critical supply chains, especially those related to blood and plasma.
He mentioned attacks on organizations like Octapharma, a Swiss-based blood plasma collection company, and Synnovis, a U.K.-based provider of blood pathology services.
"When I saw the attack on Synnovis, I was alarmed," Mr. Riggi said. "I was very concerned because it signaled a shift in Russian ransomware groups targeting life-critical supply chains. It’s a departure from their usual SOPs."
Looking ahead to 2025, Mr. Riggi emphasized the critical need for health systems to prepare for such disruptions.
"These ransomware groups have identified the wiring diagram for healthcare. They know where the weak points are," he said. "Hospitals must reevaluate their third-party risk management programs and identify strategic providers, ensuring that their operations won’t come to a halt if one of these providers is attacked."
Both Mr. Riggi and Mr. Gee stressed the importance of planning for "clinical continuity" in addition to traditional business continuity. While hospitals have made strides in preparing for IT system downtime, Mr. Riggi pointed out that many hospitals still lack adequate preparedness for extended disruptions.
"We need to understand how we will continue to deliver care without technology for 30 days or longer," he said. "The average recovery time for hospitals hit by ransomware is around 30 days, and some organizations have taken even longer."
Mr. Riggi further elaborated on the evolution of cybersecurity threats, noting the alarming rise in data theft attacks targeting healthcare data.
"The number of individuals impacted by data theft skyrocketed 500% from 2020 to 2022, with 44 million individuals affected in 2022," he said. "That figure jumped to 136 million in 2023, primarily due to the breach of the MOVEit software."
The breach of MOVEit, a secure file transfer system, gave Russian ransomware group Clop access to sensitive healthcare information.
In 2024, the trend continued with 156 million individuals’ healthcare records compromised, largely due to the Change Healthcare attack. Mr. Riggi highlighted the growing sophistication of cybercriminals and their ability to carry out attacks at scale.
"This year, with Change Healthcare, we surpassed last year’s record, and it’s only going to accelerate," he said.
An emerging threat on the horizon is the increasing use of artificial intelligence by cybercriminals. Both Mr. Riggi and Mr. Gee have noted the potential for AI to be weaponized for more efficient and targeted cyberattacks.
"The democratization of ransomware through ‘ransomware as a service’ is one way these criminal groups are growing in sophistication," Mr. Riggi said. "AI will likely be leveraged by these groups to make their attacks more precise, and we need to prepare for that."
As hospitals and health systems look ahead to 2025, Mr. Riggi and Mr. Gee are urging the industry to take proactive steps to mitigate risk. This includes the implementation of cybersecurity frameworks such as the Healthcare Cybersecurity Performance Goals, which Mr. Riggi believes could become mandatory in 2025.
These frameworks, alongside improved third-party risk management and contingency planning, will be essential to defending against the growing tide of cyber threats.
"Hospitals are hearing the message and taking action," Mr. Riggi said. "They are aggressively reviewing their downtime procedures and working to shore up gaps. But we have to brace for impact because these attacks are coming, and we must be prepared to deliver care, even when technology is unavailable."
{URL}https://www.beckershospitalreview.com/cybersecurity/brace-for-impact-how-healthcare-leaders-can-prepare-for-2025s-cyber-threats.html{/URL}