October is Cybersecurity Awareness Month
Throughout the month we will take on cybersecurity subjects that continue to be challenging in healthcare today and ask our experts to weigh in.
Topic 3: Ransomware Attacks
From 2023 until now, the healthcare industry has seen record highs for ransomware attacks, ransom payments and data breaches. As attacks evolve, many hospitals are beginning to recognize that their aging infrastructure and IT systems are not sufficient protections for the well-being of their patients, facilities and finances.
We asked what recommendations they would give to IT teams on defending their healthcare ecosystems.
David Finn, Executive Vice President, Governance, Risk, Compliance, First Health Advisory
LinkedIn: David (Samuel) Finn
This is a very good question with no good answer. First, every organization must figure out what their risks are and which ones they will invest in to reduce the risk, the risks they’re willing to live with, and the ones that can be mitigated to an acceptable level of risk. Some risk may be transferred, which is not an easy job, and it cannot be left to IT or Security. Those functions can help management understand the technical and security risks, but only the clinicians, patients, the finance people, HR, and operations can explain what the risks are to patient care, to financial processes, to staffing, and the ongoing business.
This is not just about security anymore: it’s about cyber resilient digital health. And just as digital health takes all the stakeholders, so will making the enterprise cyber resilient.
There are two areas that every organization regardless of size or funding need to address, given what we’ve seen so far in 2024. The first area is a comprehensive incident response plan, from the enterprise level down to each department. It must include regular drills and updates to those plans based on the drills, as well as emerging threats. The second area, which is tragically overlooked, is regular security awareness training: Everyone, from the board down to groundkeepers, must be educated on an ongoing, regular basis about current phishing tactics, social engineering, other attack vectors, and the privacy and security rules specific to the organization.
Basic cyber hygiene must also be considered, which is frankly no different than washing hands and using hand sanitizer or wearing masks and gowns in patient care, as appropriate. That means: updating and patching your systems; enhancing network and endpoint security; implementing governance for data, IT, security, and third-party risk, then managing those areas; and leveraging public-private partnerships and Information Sharing and Analysis Centers, including government agencies like the FBI, CISA and HHS to leverage threat intelligence and share best practices.
Simply working collectively with others can enhance your overall security posture. We all must focus on cyber resilience. There’s no such thing as risk-free, so focus on building systems, including people, processes, and technology that can adapt to change and function during and after an attack to ensure that critical services remain operational. Your business is not IT: It’s patient care and that’s the prize we should keep in focus.
Amy Goad, Managing Director, Consulting, Sendero
LinkedIn: Amy Goad
As we navigate through an era of increased attacks on healthcare systems’ IT infrastructures, it is more important than ever for IT teams to adopt a comprehensive and advanced strategy to protect patient information and keep their systems online and running. This kind of strategy should include multiple layers of cybersecurity software, network segmentation, frequent updates to systems to avoid outdated technology, and an immediate action plan to deploy if a breach does occur. As the use of technology increases across healthcare, it is paramount that leaders and IT teams work together to identify areas of increased risk for breaches. These new technologies may not be compatible with outdated security systems, placing further emphasis on the need for a comprehensive strategy.
Furthermore, most cyberattacks can be traced back to human error, meaning that education and training for all team members is key to protecting the health system from IT security attacks. By conducting comprehensive and frequent staff training on both the risks of an attack and the strategies to prevent them, IT teams can better protect patient and facility data.
Chad Holmes, Security Evangelist, Cynerio
LinkedIn: Chad Holmes
To understand why these attacks happen, we must better understand the motives and mechanics behind them. Luckily these are easy to understand. The motives are financial and the mechanics are focused on healthcare environments because twenty years of lagging cybersecurity investment have made us the easiest industry to attack.
That bad news also reveals a bit of good news. In the last twenty years many other industries have adopted and evolved their protections, meaning healthcare environments can focus more on adoption rather than innovation. Moreover, global guidance, including NIS2 (EU), CAF (UK) and the HPH CPGs (US), is providing greatly improved guidance on the specific practices healthcare organizations should be adopting. The CPGs, for example, provide a set of Essential Goals (MFA, vulnerability mitigation, improved credential management) and Enhanced Goals (asset inventory, network segmentation, detection and response technologies), which identify highly valuable protections that are often underutilized in healthcare environments.
Unfortunately there is no magic bullet to securing environments against ransomware, but over the long run, taking a methodical, well-informed approach will result in the best protections long term.
Neil Jones, CISSP, Director of Cybersecurity Evangelism, Egnyte
LinkedIn: Neil K. Jones
My recommendations to IT teams that defend our healthcare ecosystem include the following:
- If you only have staffing or budgetary approval to tackle a single issue, you should focus on ransomware detection and recovery. Ransomware payments surpassed $1 billion in 2023, and those are only the payments we know about. For that reason, even Anne Neuberger, US Deputy National Security Advisor for Cyber and Emerging Technology, stated in 2021 that, ‘All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location.’ Ransomware attacks have only gotten worse since then, so it’s imperative that you have a snapshot recovery solution in place to recover from successful attacks quickly, to prevent potential impact on your patients’ well-being.
- Routinely brief your executive team on the importance of cybersecurity protection. Importantly, you should communicate with executives in plain English, using straightforward examples that are understood by all stakeholders. Frame the discussion from the financial and/or reputational risk perspectives, which will enable broad understanding. Utilizing a risk-based approach is likely to be more successful than framing the discussion solely from a technical perspective.
- Regularly train your users about the importance of cybersecurity, particularly the danger of phishing attacks. Phishing continues to be prevalent, and it’s closely aligned with ransomware attacks. You can read more about phishing prevention in our October 7th commentary.
- Implement an Incident Response (IR) program, which includes a detailed (and updated) IR plan. Realistically, we no longer live in a world in which every cybersecurity threat can be prevented; rather, we need to accept that cyberattacks will happen. You can learn more about the importance of Incident Response here.
- Finally, work with an experienced technological partner, to address areas where your organization has skill-set gaps, so that IT Security projects can go live more rapidly.
Nick Kathmann, CISO, LogicGate
LinkedIn: Nicholas Kathmann
The most effective way to stop cyberattacks is to shoot for the wallet. Suppose healthcare organizations stop paying ransoms and effectively quash the profitability of attacks against them; attackers will eventually stop investing their resources toward hacking those organizations from the lack of ROI. Of course, that’s unattainable as many healthcare organizations don’t have the funds to invest in robust security and disaster recovery/resilience programs, leaving them with no option but to pay ransoms to restore operations as quickly as possible. Unlike other industries, where the loss of information is the primary result of a data breach, a healthcare organization losing access to critical data or services can result in injury or even loss of life.
Different organizations have different risk appetites, and rural healthcare systems often have both smaller security budgets and fewer experienced IT professionals on staff. In addition, human error presents constant risk, while cybersecurity training resources are often limited and/or extremely basic in nature. So, if unable to refuse ransom payments altogether, nipping ransomware threats in the bud ultimately comes down to approaching the problem holistically, leveraging specific threat scenarios to decide how your organization can best evaluate and treat vulnerabilities with the least amount of disruption possible. Tactically, this includes vulnerability scanning and governance, comprehensive asset awareness, ongoing testing/assessments, risk management, and change management. But perhaps the most important tool is effective cybersecurity training to mitigate the ever-present human threat. Utilizing these exercises enables healthcare leaders to develop effective and economical ransomware plans based on the unique needs of the organization, keeping systems and data safe and secure from would-be attackers.
Thankfully, today’s healthcare organizations have more security expertise and technology on their side than ever to combat ransomware – the key is leveraging what you have available to you in the smartest ways possible to create a holistic, overarching cybersecurity strategy designed to mitigate vulnerabilities whenever and wherever they’re identified.
David Kellerman, Field CTO, Cymulate
LinkedIn: David Kellerman
Organizations in the healthcare industry are at a higher risk for attacks. This is because their operations often run legacy systems with outdated technologies that are inconvenient and difficult for security teams to update. Combined with high-volume transactions and data exchanges as patient health information is constantly updated, there are easy opportunities for threat actors to take advantage of aging infrastructure and IT systems.
In updating their infrastructure and regaining confidence in security controls, security teams must think like an attacker and focus on what is exploitable in their environments. To do so, healthcare organizations should implement five key strategies to ensure their systems remain secure, starting with the implementation of regular security audits and assessments through internal reviews and third-party evaluations. These audits will provide an unbiased perspective on the effectiveness of legacy systems and security controls for what should be addressed first.
From there, I recommend creating a process for security control validation by implementing penetration testing and continuous monitoring so healthcare organizations can see how their defenses hold up against real-world threats. This also enables them to uncover vulnerabilities in real time that might typically fly under the radar. These layers of defense will allow security teams to identify and address potential vulnerabilities open to threat actors quickly.
Once identified, organizations should have processes in place to patch vulnerabilities and close security gaps, along with regular software updates, prioritizing aging systems running on often outdated technology.
Implementing these steps will be crucial in ensuring compliance with HIPAA, FDA and other regulations while improving overall security posture for continuous improvement.
Mike Kiser, Director of Strategy & Standards, SailPoint
LinkedIn: Mike Kiser
Patients are at the core of healthcare and how organizations manage their data is essential for delivering quality service. Technology can play a crucial role, from scheduling and providing consistent care to offering a comprehensive view of a patient’s health journey. However, when technology fails, these advantages and the processes built around them come into question.
Being unprepared for technological disruptions can significantly harm the patient’s experience—leading to missed appointments, loss of historical data, and compromised patient outcomes. The challenge is particularly acute for younger generations, who are more dependent on technology, increasing risks for both the healthcare industry and the patients they serve. To address this issue proactively, IT teams must implement a unified identity security approach that actively monitors and flags issues before a problem arises, utilizing a multi-layered security protocol to get ahead of attacks.
Kevin Landt, VP of Product, Cybersecurity, Thrive
LinkedIn: Kevin Landt
Cybercriminal tactics continue to become more sophisticated, so it is also vital for healthcare organizations to prioritize continual improvement of cybersecurity measures to stay ahead of potential threats. However, IT teams also need to work with colleagues in other departments to develop business continuity plans that ensure the organization can continue to deliver care and support critical business functions in the event of a cyberattack.
To better defend against rising cybersecurity threats, IT teams should establish and maintain a formal security program for their healthcare organization – this includes implementing robust cybersecurity measures, conducting regular risk assessments, and ensuring physicians, nurses, and other staff are regularly trained on cybersecurity best practices.
A few tangible steps organizations can take to improve their cyber security posture include:
- Real Endpoint Protection: Any device that has an organization’s data flowing through it is considered an endpoint that needs to be secured. It is important to utilize next generation endpoint security technology that can detect and contain modern threats.
- DNS and Email Filtering: DNS filtering blocks web access to any suspicious or dangerous online domains, while email filtering prevents malicious content from reaching users’ inboxes. These solutions help prevent bad actors from launching phishing or malware attacks.
- Incident Response Planning: It is critical to not only work to prevent attacks but also to prepare to respond when attacks occur. This includes validating and updating those plans on a continual basis once they are established.
If updating systems is overwhelming for organizations and they do not have the resources to manage complex IT systems internally, looking to outsource IT services is a valuable solution to optimize operations and enhance an organization’s cybersecurity posture. By outsourcing IT services, healthcare organizations can leverage advanced technologies and tailored expertise to ensure their finances, facilities, and most importantly, their patients are better protected.
John Layne, Director of IT, HSBlox
LinkedIn: John Layne
Ransomware attacks are a serious concern for the healthcare industry not only because they potentially expose patient data but also because they can disrupt healthcare services and delay critical care for those who depend on it. While it may be difficult to thwart a complex and targeted attack, several steps can be taken to limit risk of both data and service availability. Many ransomware attacks include a data exfiltration component, so it is important to have both adequate network segmentation as well as data encryption. If data is shared with third party partners and vendors, it is imperative to conduct extensive and ongoing risk management reviews to ensure both data security and business continuity in the event of a ransomware attack. Additionally, a well-documented recovery process needs to be established, and regular tabletop exercises performed to ensure readiness to respond to a worst-case scenario as efficiently and reliably as possible. As part of recovery preparedness, continuous backups of critical data should be established to offsite and/or immutable storage to ensure reliable data recovery.
Luigi Leblanc, MPH, CPHIT, Vice President, Technology, Zane Networks
LinkedIn: Luigi Leblanc
As ransomware attacks surge, the question is no longer if but when. Resource-constrained regions—rural areas, underserved urban communities, and territories—are particularly vulnerable due to underfunded, outdated IT infrastructure. This creates significant inequities, as these regions often lack the resources to recover swiftly from breaches, leading to disruptions in care delivery, reduced service availability, and potentially significant revenue loss.
Zane Networks advises prioritizing investment in these areas, offering technical assistance, and training to build resilience. Transitioning from on-premises systems to more secure cloud-based solutions is essential, along with fostering a culture of cybersecurity awareness among staff. By doing so, healthcare organizations can better safeguard their systems, protect patient data, and ensure continuity of care even in challenging environments.
Eric Ledyard, VP of Enterprise Architecture, Coder
LinkedIn: Eric Ledyard
Resilience against cyberattacks in healthcare starts with the basics – identifying and addressing vulnerabilities at the foundation. Hospitals should implement key best practices like storing code and IP in secured environments rather than local drives and limiting software installations to trusted sources. These steps reduce the risk of data exfiltration and breaches.
However, cybersecurity is never static. It’s a continuous process that must evolve as new threats and technologies emerge. Healthcare facilities manage a wide range of sensitive data, and cybercriminals are increasingly using AI and powerful distributed systems to enhance their attacks. To stay ahead, healthcare organizations must strengthen traditional security measures with AI-driven detection, behavioral analytics, advanced end-to-end encryption, and automated, continual compliance monitoring. Some attacks target the actual software development lifecycle and inject malicious code into a company’s source code repository – effectively having developers push that bad code into production.
Cloud Development Environments (CDEs) also play a vital role in enhancing security for healthcare IT systems. By centralizing development in a secure, controlled environment, CDEs reduce the risks associated with local vulnerabilities. They ensure that only trusted tools and configurations are used, helping to prevent supply chain attacks and unauthorized changes. CDEs also provide better visibility and control over the development process, making it easier to audit activities and strengthen overall security.
As cyberattacks grow more sophisticated, healthcare organizations must adopt these advanced techniques to safeguard not only their data but also their patients and facilities.
Rob T. Lee, Chief of Research and Head of Faculty, SANS Institute
LinkedIn: Rob T. Lee
Threat actors view hospitals and healthcare providers as easy targets due to their harder-to-update IT infrastructure, which is tied to crucial systems, prescriptions, key diagnoses, and treatments; fragmented networks; and an overall lack of investment in cybersecurity. Often, if a single capability is taken offline, it could cause severe complications with their patients. This is problematic for a critical industry like healthcare, where the stakes are incredibly high – not only for patient safety but for the operational and financial well-being of the facilities.
It seems obvious, but regularly patch and update your systems! If you can’t migrate your legacy systems to more secure platforms, isolate them within the network! Create a roadmap to help you modernize as swiftly as possible, and in the meantime, implement a robust patch management protocol. In addition, walk through scenarios in which your network is ransomed or taken offline through a cyber-attack. Also, with as complex and interconnected as healthcare networks tend to be, organizations should make the jump to adopting zero trust architecture as soon as possible.
Jon Moore, SVP, Consulting Services & Customer Success & Chief Risk Officer, Clearwater
LinkedIn: Jon Moore, MS, JD, HCISPP
Given limited IT and cybersecurity budgets, hospitals need to strategically invest to effectively manage their most significant cyber risks. Conducting a risk analysis at the system and component level helps pinpoint critical risks and direct resources efficiently. Prioritizing infrastructure, patient care systems, and network security is essential. Cost-effective measures such as network segmentation, multi-factor authentication, and patch management can effectively address common threats.
For small and medium hospitals in particular, managed security services offer protection at a fraction of the cost of building and operating an in-house program, offering immediate impact. Additionally, training staff in cybersecurity best practices, such as phishing recognition, can bolster defenses with minimal expense. Hospitals should also develop a robust incident response plan to ensure swift response and recovery from breaches, minimizing operational disruption. Taking these actions now will improve patient safety and protect financial health, ensuring the organization can continue providing essential care.
Ron Moser, CISSP, CISA, CRISC, CCSFP, CHQP, Technical Product Director and Senior Assessor, DirectTrust
LinkedIn: Ronald S. Moser
Both prevention and recovery are crucial in defending against ransomware. While investing in strong defenses is vital, it’s equally important to prepare for the possibility of an attack succeeding. In healthcare, where outdated IT systems and limited budgets are common, a balanced strategy is essential. Prevention begins with proven strategies like zero-trust architecture, multi-factor authentication, and maintaining multiple disconnected backups. Regular cybersecurity training for staff also reduces the likelihood of an attack. However, swift recovery is just as critical. Having a response plan in place while maintaining a reliable, tested recovery solution ensures operations can be restored quickly after an incident.
Collaboration, like DirectTrust’s Cybersecurity Workgroup, enhances both prevention and recovery efforts by fostering cross-industry dialogue and establishing standards. By learning from real-world ransomware incidents and conducting regular mock scenarios, healthcare IT teams can learn how to better navigate the complexities of recovery. Ultimately, it’s not just about preventing an attack but being ready to recover swiftly. Prepare your defenses, but assume an attack might succeed, and have a robust plan in place.
Bridget O’Connor, COO, Fortalice Solutions
LinkedIn: Bridget S.
Ransomware attacks on the healthcare sector have steadily risen since 2023. According to the US Department of Health and Human Services (HHS), in 2023, there were a total of 630 ransomware attacks on healthcare worldwide. Four hundred sixty of those attacks were on US healthcare providers. Given that many healthcare providers are dealing with cost-cutting, employee turnover, acquisitions, and mergers, many initiatives can compete for the same pot of money. One way to ensure that you are proactively hardening against potential threats is to ensure your annual cyber risk assessments are being ingested and reviewed by the correct teams who can assist with remediation promptly. Follow up on the remediations and test them to ensure they have been completed.
Additionally, ensure that your third-party risk program is fully embedded with your vendor management office, so that the appropriate risk review of third-party vendors is indeed happening. Given the increase in third-party cyberattacks (i.e., Change Healthcare), proper due diligence and regular reviews of vendor security scorecards need to happen. A letter of attestation could be an option to encourage third-party vendors to take their cybersecurity seriously. Finally, educate, educate, educate. Your workforce is critical to your security defense as often your frontline staff are the ones targeted by bad actors. There is a lot of training related to security awareness available at little to no cost.
George Pappas, CEO, Intraprise Health
LinkedIn: George C. Pappas, CFCHE
IT teams across the industry are well aware of the aging state of their software and infrastructure. The escalating intensity and sophistication of cybersecurity threats have made it more urgent than ever to fortify these critical assets. My primary recommendation is to take a prioritized, progressive approach—add protections incrementally. Rome wasn’t built in a day! Start by addressing the most common types of intrusions, ensuring safeguards such as user identity and access management, basic network segmentation, implementing a SIEM (Security Information and Event Management) system, and conducting regular drills—such as incident response, phishing tests, and penetration testing. Staying current with patch updates and managing third-party risk are also essential.
Most of these steps can be implemented without the need for a significant overhaul of the existing application portfolio. Over time, organizations can explore more foundational changes, such as adjusting application deployment (on-premises vs. cloud), refining network architecture, and updating high-risk applications that are running on outdated systems. From there, strategic transitions to newer applications across the portfolio can be considered.
Cecil Pineda, Chief Information Security Officer and Senior Vice President, R1
LinkedIn: Cecil P.
One of the most effective strategies in strengthening defenses against evolving threats is network segmentation. By creating multiple segmented networks within your environment, IT teams can isolate critical systems, making it harder for attackers to navigate once they’ve infiltrated one part of the network. This approach not only helps limit the scope of an attack but also contains any potential damage. For example, systems that are difficult to protect or serve different functions can be segmented away from those that manage sensitive patient data, reducing the risk of widespread compromise.
Another important but challenging recommendation is ensuring regular software and device updates. Many healthcare devices run on operating systems with packages that frequently require updates, most of which are security related, and neglecting these updates leaves systems vulnerable. However, two issues often arise. First, medical device manufacturers may not release security updates unless forced by regulations or customer pressure. Second, applying updates to these devices is not as straightforward as updating consumer software. Medical devices require thorough testing both before and after updates to ensure they function properly. Although this makes updating more complicated, it’s essential to prioritize and schedule these updates to maintain security.
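One way to make the segmentation reasoning above concrete is to model the allow rules between segments and ask how far a compromise could spread. The block below is an added example, not code from the original page or from the commentator or R1; the segment names, ports and allow rules are constructed sample data (hypothetical VLANs), and the model takes the worst case that any segment an allowed flow reaches could be compromised and used as the next pivot. It compares a flat network with a default-deny segmented policy and also reports the pivot chain, which is what a reviewer needs in order to spot a rule that indirectly exposes a sensitive segment.

```python
"""Model a segmentation policy and measure how far a compromise could spread.

Added example, not code from the original page or from the commentator's
organization. Segment names, ports and allow rules below are constructed
sample data (hypothetical VLANs), not a real hospital design.
"""
from collections import deque

# Constructed sample segments.
SEGMENTS = ["guest_wifi", "staff_workstations", "medical_devices", "ehr_servers", "backup"]

# Allow rules as (source_segment, destination_segment, port). Anything not
# listed is denied: the policy is default-deny between segments.
SEGMENTED_POLICY = [
    ("staff_workstations", "ehr_servers", 443),  # clinicians use the EHR web front end
    ("medical_devices", "ehr_servers", 2575),    # device results feed (constructed port)
    ("ehr_servers", "backup", 22),               # backup job pulls from EHR servers
]

# The flat alternative: every segment can reach every other on any port.
FLAT_POLICY = [(s, d, None) for s in SEGMENTS for d in SEGMENTS if s != d]


def pivot_path(start, target, policy):
    """Return one chain of allowed hops from start to target, or None if no chain exists.

    Worst-case model: any segment an allowed flow reaches is assumed compromisable
    and usable as the next pivot point, so this is plain breadth-first
    reachability over the allow rules, with parents tracked to rebuild the chain.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for src, dst, _port in policy:
            if src == cur and dst not in parent:
                parent[dst] = cur
                queue.append(dst)
    return None


def blast_radius(start, policy):
    """Set of other segments a compromise starting in `start` could spread to."""
    return {seg for seg in SEGMENTS if seg != start and pivot_path(start, seg, policy) is not None}


def exposed_sensitive(policy, sensitive, entry_points):
    """Map each entry segment to the sensitive segments it can reach, directly or by pivoting."""
    return {entry: sorted(blast_radius(entry, policy) & set(sensitive)) for entry in entry_points}


if __name__ == "__main__":
    sensitive = ["ehr_servers", "backup"]
    entries = ["guest_wifi", "staff_workstations", "medical_devices"]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name} network:")
        for entry, reached in exposed_sensitive(policy, sensitive, entries).items():
            path = pivot_path(entry, "backup", policy)
            print(f"  from {entry}: sensitive reachable = {reached}; path to backup = {path}")
```

Under the flat policy every entry point reaches every sensitive segment. Under the segmented policy the guest network reaches nothing, but the printed chain staff_workstations to ehr_servers to backup shows that the single EHR-to-backup rule still gives a workstation compromise a pivot route to the backup segment, which is the kind of finding that justifies keeping an immutable or offline backup copy outside any reachable segment.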
Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security
LinkedIn: Rodman R.
Cyberattacks on healthcare systems surged in 2024, and so securing critical infrastructure has never been more urgent for IT teams. The rise of AI-powered threats – particularly with social engineering campaigns – heightens the stakes, especially for a life-or-death industry like healthcare.
IT teams must adopt a proactive, coordinated defense strategy that is centered on zero trust principles and safeguards data and applications at the edge while also ensuring full visibility into vulnerable systems. The healthcare sector cannot afford to be reactive, so staying one step ahead of threat actors is essential to protecting not just organizational data, but public health and safety.
Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid
The surge in ransomware attacks in healthcare is a stark reminder that many organizations have aging infrastructure that simply can’t keep up with modern threats. Hospitals need to prioritize a comprehensive defense strategy with multiple layers of security in place. While protections like multi-factor authentication, DNS filtering, and advanced threat detection are key, the real challenge is being prepared to act quickly when an attack occurs. Ransomware can penetrate even well-protected networks, so organizations must have robust detection and response protocols in place to limit the damage and recover swiftly.
David Slazyk, Chief Information Officer, Nextech
LinkedIn: David Slazyk
The healthcare industry is highly regulated; however, some facilities are hyper-focused on compliance while security initiatives are deprioritized. Simply complying with industry standards, including HIPAA, does not ensure the security of patient data. While regulatory obligations are important to raise awareness and standards, health leaders must go further by implementing security frameworks, like Zero Trust, to give their organizations the right tools to protect against cyberattacks. Compliance does not equal security, so I recommend all healthcare organizations take security initiatives beyond simply checking the box. With all the technology available, executive decision-makers have no excuse for the lack of critical cybersecurity technology.
Vaibhav Srivastava, President of Healthcare, Insurance & Life Sciences, Innova Solutions
LinkedIn: Vaibhav Srivastava
Organizations seeking to strengthen their defenses against ongoing threats should first determine risk exposure by conducting vulnerability assessments across all applications, infrastructures, and mobile environments. Then, IT teams can create tailored roadmaps to address critical, high, medium, and low-risk areas, focusing on modernizing outdated legacy systems and implementing/enhancing security practices like MFA, DevSecOps, encryption, etc. It’s important to remember that cybersecurity is an ongoing effort that requires a proactive approach through continuous monitoring and by instilling a culture of security awareness throughout the organization. This will help ensure a comprehensive, resilient defense against cybersecurity challenges within the healthcare ecosystem.
David Weber, Privacy and Compliance Officer, Claim.MD
LinkedIn: David Weber
The threat of cyberattacks has evolved to a point where anything less than full compliance with regulations and industry standards is unacceptable. In today’s environment, cyberattacks are almost inevitable, even for those with robust security measures. Healthcare organizations that delay addressing vulnerabilities and implementing upgrades are essentially inviting attacks, and the costs of a breach far outweigh the investment in prevention.
The real question isn’t if action should be taken, but how quickly it can be implemented. The first step is engaging an independent audit firm to conduct industry-standard assessments, such as SOC, HITRUST, or ISO audits, tailored to the specific needs of the organization. A qualified audit firm can guide organizations in selecting the right security framework and conduct a readiness review to pinpoint areas needing improvement.