In 2024, it’s estimated that the two largest healthcare cyber incidents impacted over 100 million people, including patients and vendors across an interconnected digital landscape of insurers and healthcare providers. By October of 2024, 386 cybersecurity attacks had been reported in the U.S. against healthcare and 3rd-party providers, with Change Healthcare and Kaiser Permanente being among the most significant breaches. It has been, objectively, the worst year ever for security breaches in healthcare.
Because a ransomware attack can hold systems and connected devices hostage until a ransom is paid, bad actors know that healthcare is a prime target; they’re banking on the desire to reduce disruptions in critical patient care as a strong motivation for payment. The threat to healthcare systems worldwide is so severe that the United Nations has called it a “global threat that can’t be ignored”, with the Director-General of the UN noting, “Ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality, they can be issues of life and death. At best, these attacks cause disruption and financial loss. At worst, they undermine trust in the health systems on which people depend, and even cause patient harm and death.”
Cybersecurity Director of McLaren Health, Doug Vondera, recently joined the Censys Director of Strategic Alliances, Celestine Jahren, for a discussion about what’s happening in healthcare cybersecurity, with a focus on the challenges – and opportunities – faced by security leaders. Here are some of the top takeaways from their conversation.
Healthcare security challenges
As cybersecurity tools have advanced, so have the methods used by bad actors. Their tactics are evolving as quickly as the security tools that are being developed to stop them. As Vondera and Jahren discussed, there are some key ways that the healthcare industry is particularly vulnerable to threats.
Healthcare has significant tech debt issues
Mergers and acquisitions are the nature of modern healthcare networks. Bringing several organizations together, each with its own technology stack, can lead to significant tech debt and security gaps. This makes it easier for bad actors to exploit vulnerabilities through phishing, unpatched software, and even living-off-the-land techniques.
Healthcare workers are not security professionals
Hospital staff, clinic workers, researchers, and anyone else who makes up the front lines of healthcare all log in, swipe, badge, and otherwise connect to healthcare portals thousands of times a day. They’re a crucial link in the security chain – but none of those people chose to be in IT, Vondera reminds us. Security leaders have the responsibility to convey security needs and risks succinctly, make them meaningful, and take the onus off of the end user, because their job is to take care of patients.
Connected devices are essential, and also highly vulnerable
An ongoing concern for healthcare security teams is how to secure the thousands of connected devices that are critical to patient care while also keeping them operational. The sheer number of devices and the need for constant connectivity make them hard to patch, maintain, and even inventory, but each connected device can serve as an access point that, if breached, could lead to lateral movement across the network and significant data exposure.
Healthcare is constrained by financial resources
By and large, healthcare organizations don’t have the same investment priorities as other businesses. Their security budgets are much smaller than those of other industries, with just 4-7% of a health system’s IT budget allocated to cybersecurity, compared to about 15% for other sectors. Healthcare organizations have to be strategic with security investments, since more tools mean more cost. Bad actors know this, and consistently aim for areas with less visibility and protection – areas that would usually be made more secure by higher-cost tools.
The opportunities for healthcare security leaders
Vondera has managed security and IT operations teams for almost two decades, and has deep expertise in helping security teams make a difference with the resources they already have. In his conversation with us, he shared recommendations that he believes can help support a holistic approach of layering security throughout healthcare environments.
Explore the role of automation
Setting up automation is one of the most immediate ways to get more done with small, under-resourced teams. It’s almost impossible to track and manage an attack surface manually, and fully exploring the automation capabilities of the tools you are already using can help reduce risk while also freeing up valuable resources in your team. This includes understanding the role of AI across your security tech; knowing how to properly interact with generative AI tools can enable significant automation gains.
Consider the end user
User experience matters, and giving users a say in what tools they use drives adoption. Vondera recommends working alongside healthcare providers and asking doctors for their input on UX to help both acknowledge and remove friction.
Use a framework
“If you don’t know what you have, you don’t know how to protect it,” Vondera reminds teams. The Center for Internet Security Critical Security Controls help align security teams with evolving industry standards and frameworks through a step-by-step roadmap for strengthening cyber defenses – and that roadmap starts with inventorying your assets so you have a clear picture of your attack surface. Security practitioners who deprioritize the basics tend to struggle, but working with a highly structured approach like CIS helps organizations mature their security programs faster. For healthcare organizations, maturity could look like starting with asset macrosegmentation, building a microsegmentation strategy, and then rolling out a dynamic microsegmentation policy that can automatically drop devices during a cyber incident.
Prioritize the right kind of education
Cybersecurity training encompasses user education and coaching for end users, but focusing on specialized education opportunities for your IT staff can help strengthen your security results. Investing in certifications like Systems Security Certified Practitioner and Certified Information Systems Security Professional can make an outsized impact by giving smaller teams with fewer resources a deeper, more advanced skillset.
Know what makes a strong team
Vondera’s top hiring priority is focusing on organizational fit, with a special emphasis on “finding people who understand the commitment.” This means being open to bringing in developers, architects, and other technical titles from different backgrounds to provide a well-rounded set of skills. Team leaders should also take time to understand the burnout that’s associated with cybersecurity, because it can have a considerable impact on security outcomes.
If you don’t know what you have, you don’t know how to protect it – Doug Vondera, McLaren Health Care
The state of security in healthcare is only going to become more urgent. Healthcare hacks are a growing concern for US lawmakers, with teams of healthcare executives, lawyers, and congresspeople working to legislate security changes for the healthcare industry and get funding to help support infrastructure advancements and other necessary improvements.
Censys allows healthcare organizations to be proactive about these risks; our complete visibility into vulnerable devices, third-party risks, and evolving infrastructure helps to protect patient data and critical systems from cyberattacks. Our intelligence helps security teams uncover risk and safeguard assets to reduce patient medical record exposure, support compliance, and monitor and secure telehealth visits.
For deeper insight into the risks and recommendations across healthcare cybersecurity, check out the full webinar with Vondera, available on-demand here.