The Future of Healthcare Cybersecurity: Preemptively Defending Against Emerging Threats


Brad LaPorte , 2025-04-15 13:05:00

Cyberattacks targeting the healthcare industry are happening more frequently, and they’re becoming more sophisticated and damaging. There are many reasons for this, of course. But leading the pack are attacker (and attack) sophistication and the arrival of AI. There are also reasons that are unique to the healthcare sector, including the increasing use of telemedicine, continued remote or hybrid work environments, and the growing use of connected medical devices, including ECG monitors, MRI, and Automated Dispensing Systems.

There is no arguing the transformative impact that new healthcare technologies and services have on patient care. Unfortunately, these innovations have also expanded the attack surface for cybercriminals and, in doing so, exposed critical vulnerabilities in healthcare infrastructure and the systems facilities rely on.

The Department of Health and Human Services’ Office for Civil Rights reports that there were 677 major health data breaches in 2024, which impacted more than 182 million people. While the total number of breaches indeed decreased in 2024, the volume of compromised records climbed to 276 million. That is more than double the number from 2023, and it includes what to date is the largest healthcare data breach on record — the ransomware attack on Change Healthcare that affected 190 million individuals.

The overall risk is driven by healthcare organizations that, in many cases, continue to rely on reactive, outdated security practices that cannot keep up with ever-evolving threat actors. It’s clear that a new approach to healthcare security is needed, one in which the emphasis shifts to proactive prevention, not response. The latter is a losing diagnosis.

New threats demand a new mindset

While threats to healthcare come in many varieties, ransomware continues to reign, as was demonstrated by the Change Healthcare breach. Another recent example is the Ascension Healthcare breach, which was attributed to the Black Basta ransomware group. The attack successfully crippled systems at more than 140 hospitals, ultimately delaying surgeries and disrupting emergency services.

One of the industry’s biggest Achilles’ heels is outdated technology. Many healthcare organizations still rely on legacy operating systems, including unsupported versions of Windows, to run critical applications and medical devices. Since these systems are no longer supported, they cannot be easily patched or updated. Attackers have taken notice and are pouncing on the opportunity to exploit these vulnerabilities, often undetected.

Another risk is the multitude of devices that connect to a facility’s network. These devices are transforming patient care. However, they also introduce new vulnerabilities. In 2024, Censys Research uncovered more than 5,100 publicly exposed medical imaging servers, which put the sensitive data they contain at serious risk.

The good news

Threats can be prevented if healthcare organizations are willing to shift focus from reactive security approaches to preventative measures. Much like preventative care in medicine (where doctors can detect potential illnesses and diseases in their early stages), healthcare facilities can improve their security posture through preemptive strategy and preventative measures.

Preventative or proactive cybersecurity identifies and eliminates vulnerabilities before they’re exploited. Strengthening endpoint protection (which includes workstations, laptops, and connected medical devices) should be a top priority. All endpoints must be secured with technology capable of detecting ransomware and blocking fileless malware — two of the current and highly damaging attack techniques.

Next, consider modern memory protection technologies, which can prevent attacks from executing in the first place. This includes stopping zero-day exploits and Advanced Persistent Threat (APT) attacks before they can inflict damage. With the right endpoint solutions, healthcare organizations can stop these attacks before damage is done or before sensitive patient files are compromised, and those solutions can do so while integrating with the organization’s legacy systems.

Now, let’s shift to securing connected devices, especially any that are running outdated software. One option is to segment networks, which can help contain potential breaches. Memory-level runtime protection can help to keep devices safe even when patches aren’t available. When it comes to onboarding new devices to your network, look for manufacturers that offer timely firmware updates, use virtual patching, and implement hardening measures. These are critical to helping close any gaps that attacks may expose.

Lastly, legacy systems continue to present a risk, and for most, replacement of these systems is simply not an option. In these instances, organizations can isolate these systems from critical infrastructure and then put in place defenses that can protect them against unpatched exploits.

The zero-trust motto “Never Trust, Always Verify” is particularly relevant in healthcare environments where continuous user, device, and connection verification is critically important. Organizations can start by enforcing strict access controls and multi-factor authentication. Next, implement continuous behavior monitoring and the principle of least privilege, where individuals are only granted access to the data and systems they absolutely need and nothing more.

At this point, it’s important to point out that even by taking some of the steps shared throughout this article, you will never be completely safe without addressing the elephant in every room — human error.

According to the Verizon 2024 Data Breach Investigations Report (DBIR), non-malicious human error accounted for 68% of healthcare data breaches. To mitigate risk, consider conducting regular simulations and workshops, which teach staff how to recognize phishing, resist social engineering, and respond appropriately to emerging threats. Training must be ongoing, customized specifically for your organization’s environment, and focused on real-world scenarios. Some examples include fake tech support calls or AI-generated emails that purport to be part of an organization’s internal communications.

Unfortunately, even with the best technologies and a team that is fully trained on the latest threats, incidents are inevitable. When they do occur, a comprehensive disaster recovery plan is essential to help bounce back quickly. That includes immutable backups that ransomware can’t tamper with, regular testing of recovery processes, and a focus on the best ways the organization can restore operations swiftly while minimizing the impact on its patients.

Finally, dedicated anti-ransomware protection offers a critical last line of defense. These tools address every stage of an attack — this includes proactively identifying vulnerabilities and stopping attacks from exploiting them as well as getting operations back online and post-incident recovery. Teams can also launch forensic investigations into what happened, why it happened, and how it can be prevented in the future. When layered with other strategies, they create a security posture capable of withstanding the complex threats facing healthcare today.

Organizations must be prepared to combat increasingly sophisticated cyberattacks. Adopting adaptive, preemptive, and preventative strategies can help your organization protect patient data, keep your systems online, and ultimately allow your staff to focus on what they do best: take care of patients.

Brad LaPorte, Chief Marketing Officer at Morphisec, is a seasoned cybersecurity expert and former military officer specializing in cybersecurity and military intelligence for the United States military and allied forces. With a distinguished career at Gartner as a top-rated research analyst, Brad was instrumental in establishing key industry categories such as Attack Surface Management (ASM), Extended Detection & Response (XDR), Digital Risk Protection (DRP), and the foundational elements of Continuous Threat Exposure Management (CTEM). His forward-thinking approach led to the inception of Secureworks’ MDR service and the EDR product Red Cloak—industry firsts. At IBM, he spearheaded the creation of the Endpoint Security Portfolio, as well as MDR, Vulnerability Management, Threat Intelligence, and Managed SIEM offerings, further solidifying his reputation as a visionary in cybersecurity solutions years ahead of their time.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
