By David Finn, Cybersecurity expert and Recovering HC CIO
LinkedIn: David (Samuel) Finn
Cybersecurity in healthcare will evolve significantly over the next few years to become more effective and more integrated into the business operations. That is prediction number 1:
- Security will no longer be the sole domain of Security and IT – it will be wherever and whenever business decisions are made in healthcare. We have finally realized that “computers and systems and networks” are your operations in healthcare. You do not have operations if the “technology lights aren’t on”. All the rest of my predictions flow from that realization (in no particular order).
- Proactive Risk Assessments: Regularly conducting comprehensive risk assessments to find vulnerabilities and potential threats. This helps in understanding the unique risks within each healthcare ecosystem and tailoring cybersecurity measures accordingly. This will be done with a deeper and broader understanding of the organization’s actual risks – not just the IT risks.
- Enhanced Data Protection: With the increasing amount of sensitive patient data being collected and shared, healthcare organizations will need to implement stronger encryption methods and more robust access controls to protect this information from unauthorized access and breaches.
- AI and Machine Learning: The use of artificial intelligence (AI) and machine learning (ML) will become more prevalent in detecting and responding to cyber threats. These technologies can analyze vast amounts of data to find patterns and anomalies that may indicate a security breach. Conversely, AI and ML will be used by more of the bad guys against you. The use of AI and ML in clinical settings will introduce risks (some not yet thought of) to the patient and the patient’s data, requiring a new approach to due diligence and system testing of these tools.
- Zero Trust Architecture: Adopting a zero-trust security model, where every access request is verified and nothing is trusted by default, will become more common. This approach ensures that even if a threat actor gains access to the network, they are limited in what they can do.
- Interoperability and Standardization: As healthcare systems become more interconnected, there will be a greater need for standardized protocols and interoperability to ensure seamless and secure data exchange between different systems and organizations. While “standards” and “regulations” have a certain “unpleasantness” right now, they are essential to providing digital health: they are the only way information can be shared in meaningful ways. Technical standards are what allowed us to get to this point; this is not the time to jettison them.
- Regulatory Compliance: Healthcare organizations will need to stay updated with evolving regulations and compliance requirements to ensure they meet the necessary cybersecurity standards. This starts with Cybersecurity Performance Goals (CPGs) – just like clinicians have clinical practice guidelines (CPGs). Do not think of them as regulations or laws; think of them as best practice, if that helps. This includes adhering to frameworks like the CMMC (Cybersecurity Maturity Model Certification, for government work) and other industry-specific guidelines.
- Incident Response and Recovery: If we learned only one thing from 2024, it was that developing robust incident response and recovery plans is essential. Having IRR plans that are not regularly practiced and updated is the same as not having a plan in the first place. Organizations will need to be prepared to quickly detect, respond to, and recover from cyber incidents to minimize the impact on patient care and operations.
- Collaboration and Information Sharing: Sharing threat intelligence and collaborating with other organizations in the healthcare sector will become more important. By working together, healthcare providers can better predict and mitigate cyber threats. I am talking Health-ISAC here and the Health Sector Coordinating Council. Cybersecurity is a sector issue (for each sector); believing you can protect yourself without the help, guidance and support of others in the sector is beyond naive – it is just stupid.
Finally, I would be remiss if I did not mention the elephant in the sector: Third Party Risk Management (TPRM), from Change Healthcare to CrowdStrike and Windows. Below is the new focus we’ll see on TPRM in 2025 and beyond.
- Increased Focus on Third-Party Risk Management (TPRM): Healthcare organizations will place greater emphasis on managing risks associated with third-party vendors, such as business associates, medical device providers, and supply chain vendors. This involves scrutinizing and continuously checking the security practices of these third parties (and there are a lot in healthcare).
- Enhanced Due Diligence: Before engaging with third-party vendors, healthcare organizations will conduct more thorough due diligence to assess the vendor’s cybersecurity posture. This includes reviewing their security policies, incident response plans, and compliance with relevant standards.
- Robust Contracts and SLAs: Contracts with third-party vendors will be updated to include stringent security requirements and service level agreements (SLAs) that mandate compliance with cybersecurity standards. This ensures that vendors are held accountable for upholding high security standards.
- Cyber Insurance: Many healthcare organizations will now require third-party vendors to have cyber insurance to cover potential losses from cyber incidents (for whatever that is worth). The thought is that it will add an extra layer of financial protection in case of a breach. I am not sure I’d count on that.