
Summer is far from over, but already it has been a poor one in terms of healthcare cybersecurity. Last month alone, more than 7.6 million people had their personal data exposed due to healthcare data breaches.
Separately, just two weeks ago, Anne Arundel Dermatology disclosed that its recent cyberattack exposed nearly 2 million people’s data. Radiology Associates of Richmond also announced a massive cyberattack this month, one that impacted about 1.4 million individuals.
Healthcare’s feeble cybersecurity infrastructure was thrust into the spotlight about a year and a half ago when Change Healthcare’s systems were hacked. This incident — the most devastating healthcare cyberattack in history — exposed the data of over half of the U.S. population. Many leaders in the industry viewed this disaster as a wake-up call urging them to get serious about their security posture — but the unrelenting pervasiveness of healthcare cyberattacks makes it clear that the sector’s defenses remain inadequate. The industry as a whole is still dangerously behind others like retail and banking.
The experts interviewed for this article agree that the industry hasn’t made much progress on the cybersecurity front since the Change Healthcare attack. They warn that without urgent changes, the sector will continue to serve as low-hanging fruit for cybercriminals.
A critical inflection point
The healthcare sector is at a tipping point when it comes to cybersecurity, said Sıla Özeren, a security research engineer at Picus Security, a risk assessment software vendor.
This moment is pivotal not just because threats are increasing, but also because the stakes for providers’ responses have never been higher, she noted.
Özeren pointed out that ransomware groups are increasingly targeting hospitals to steal their data — as well as to disrupt care, knowing that the urgency of patient safety makes providers more likely to pay.
“At the same time, healthcare systems remain burdened by legacy tech, overworked IT teams and outdated practices. The sector holds some of the most sensitive data yet often relies on the weakest defenses,” she declared.
Simply put, the pace of threat evolution is moving a lot faster than the pace of healthcare’s cybersecurity modernization.
Özeren said that the industry needs a shift from passive, compliance-driven security to active, continuous validation of defenses.
“From static checklists to real-world proof. From reacting after damage is done to anticipating and mitigating risk before patient care is compromised,” she stated.
In her view, the healthcare industry’s cyberattack preparedness is inconsistent and reactive. Many organizations have adopted data security frameworks and developed incident response plans, but serious gaps persist, Özeren noted. Take patch management for example.
Patch management is the process of identifying security vulnerabilities or bugs within a business’ systems, and then installing software updates — called patches — to fix them.
Özeren explained that the healthcare industry is still a “soft target,” for cyber gangs because most providers still rely on legacy systems that can’t be easily patched without interfering with patient care.
“At the same time, third-party vulnerabilities are increasingly exploited, with attackers often breaching a billing provider or IT vendor and moving laterally due to poor segmentation and oversight. This persistent technical deficit, underresourced security teams, and limited visibility leave healthcare especially exposed,” Özeren remarked.
Moving forward, organizations should invest in automated patching tools, as well as scheduling downtime strategically so that updates can be applied without interrupting patient care.
Özeren also highlighted network segmentation as an important strategy that organizations in other industries use to protect themselves from cyberattacks. This means dividing a network into smaller, isolated sections to limit the scope of potential attacks.
In healthcare, poor network segmentation can be disastrous. Once attackers breach one part of a system, like a medical device, they can easily gain access to sensitive data or disrupt clinical operations.
Many healthcare providers struggle with segmentation because of the complexity and interconnectedness of their systems, as well as their desire for real-time visibility across all their networks. But providers can improve this area by implementing strict access controls and regularly auditing network traffic to enforce boundaries between systems, Özeren noted.
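The audit Özeren describes can be made concrete: define which address ranges belong to which segment, write down the few cross-segment flows that are permitted, and check observed traffic against that allow-list so that anything else surfaces as a segmentation gap. The script below is an added example and is not code from the article or from Picus Security; the zone ranges, the HL7 interface port, the allowed-flow policy and the flow records are all constructed sample data, and the policy is default-deny across zones (intra-zone traffic is left alone).

```python
"""Audit network flow records against a zone-to-zone allow-list.

Added example, not from the article or any vendor cited in it.
Zone ranges, ports and flow lines below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Hypothetical segments: the address range assigned to each zone.
ZONES = {
    "medical_devices": ipaddress.ip_network("10.10.0.0/16"),
    "clinical_workstations": ipaddress.ip_network("10.20.0.0/16"),
    "ehr_servers": ipaddress.ip_network("10.30.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.40.0.0/16"),
}

# Permitted cross-zone flows: (src_zone, dst_zone) -> set of (proto, port).
# Any cross-zone flow not listed here is a violation (default deny).
POLICY = {
    ("clinical_workstations", "ehr_servers"): {("tcp", 443)},
    ("medical_devices", "ehr_servers"): {("tcp", 2575)},  # assumed HL7 MLLP listener port
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every defined range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse lines of 'src dst proto port' (a constructed format) into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port = line.split()
        flows.append(Flow(src, dst, int(port), proto.lower()))
    return flows


def audit(flows):
    """Return (flow, reason) pairs for flows that cross a zone boundary without an allow-list entry.

    Traffic involving an 'unknown' zone is never skipped, so unmapped hosts fail closed.
    """
    violations = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz and sz != "unknown":
            continue  # intra-zone traffic is not governed by this policy
        allowed = POLICY.get((sz, dz), set())
        if (f.proto, f.port) not in allowed:
            violations.append((f, f"{sz} -> {dz} {f.proto}/{f.port} not permitted"))
    return violations


# Constructed flow records: one allowed web flow, one allowed HL7 flow,
# a device reaching a database port, guest Wi-Fi touching SMB, and intra-zone SSH.
SAMPLE_FLOWS = """
10.20.5.7 10.30.1.10 tcp 443
10.10.3.2 10.30.1.10 tcp 2575
10.10.3.2 10.30.1.20 tcp 1433
10.40.9.4 10.20.5.7 tcp 445
10.10.3.2 10.10.3.9 tcp 22
"""

if __name__ == "__main__":
    for flow, reason in audit(parse_flows(SAMPLE_FLOWS)):
        print(f"VIOLATION {flow.src} -> {flow.dst}: {reason}")
```

Run against the sample, the audit flags the medical device talking to a database port and the guest network reaching a workstation's SMB port, and leaves the two allow-listed flows and the intra-zone SSH session alone. In practice the flow lines would come from firewall, NetFlow or switch telemetry exports, and the violations list is what a periodic segmentation review should be working from.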
The sector’s lack of cyber resilience is especially problematic given the ongoing prevalence of ransomware attacks and their increasing severity. In just the past six years, the average cost of a ransomware attack has shot up by 574% — from $761,106 to $5.13 million.
In the future, Özeren said more providers need to routinely simulate and emulate cybercriminals’ latest behaviors and malware campaigns.
“By continuously testing their prevention and detection layers against real-world threats, they can expose critical blind spots before attackers do. This proactive, ongoing approach transforms threat intelligence into actionable readiness and helps ensure they don’t become the next victim,” she advised.
Threats everywhere you look
Ransomware gangs and other cybercriminals are becoming more sophisticated every day, especially when it comes to social engineering schemes — but their tactics are largely refined rather than new, according to Joey Johnson, chief information security officer of Premise Health, a direct healthcare company that works with employers, health plans and unions. For instance, threat actors have been able to make their deepfakes and phishing phone calls a lot more convincing over the past 18 months, he said.
Healthcare organizations’ increasing adoption of AI also creates additional risks, Johnson pointed out.
AI tools often operate without full oversight or security controls — making them vulnerable to both external attacks and internal misuse, he noted. He also added that some AI tools, such as AI agents, can act autonomously and make decisions via APIs, which can result in the unintentional exposure of sensitive data.
“And there’s emergent technologies that are trying to combat fire with fire and use AI to achieve better user awareness into technofarious activity, but it’s still a cat and mouse game, of course,” Johnson remarked.
Smaller healthcare entities — those Johnson calls “below the cyber poverty line” — tend to struggle most when trying to improve their preparedness.
“There’s free programs, there’s tech companies trying to do the right thing and help those who need it the most. The problem is that in those environments, the cyber awareness is very, very low compared to the level of the problem — and it seems like an insurmountable issue. They don’t have the talent in-house to even know how to begin addressing it,” he explained.
Small or rural providers are typically overwhelmed by cybersecurity threats and forced to rely on IT generalists — but even if these types of providers had the means to invest in better cybersecurity staff, this talent is difficult to find and retain, Johnson noted.
He also noted that known vulnerabilities still lead to many breaches across the healthcare sector. In fact, recent research shows that the same core techniques continue to dominate healthcare’s cyber threat landscape — mainly hiding malicious code inside legitimate messages and processes, disabling security software, abusing staff’s workflow tools and encrypting data to hold it for ransom.
Cybercriminals continue to successfully exploit these known vulnerabilities because there are still many healthcare providers neglecting basic cyber hygiene like multi-factor authentication and consistent network patching, Johnson said.
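Özeren's call for continuous validation and Johnson's point that the same techniques keep working fit together: a detection rule for one of those techniques (disabling security software) is only as good as the attacker variants it has been tested against. The script below is an added example and is not code from the article, Picus Security, Premise Health or any vendor named in it. It holds a small command-line detection rule, replays a set of emulated tampering commands and a few benign ones through it, and reports what was caught, what was missed and what would false-positive. The event lines and patterns are constructed samples, and the rule is deliberately incomplete so that the validation loop shows a blind spot (the safe-mode reboot variant) rather than a clean sheet.

```python
"""Validate a 'security tool tampering' detection rule against emulated attacker commands.

Added example, not from the article or any vendor it cites. The event lines and
the rule patterns are constructed samples; the point is the validation loop,
not the completeness of the rule.
"""
import re

# Detection rule: command-line patterns indicating an attempt to disable or stop endpoint security.
TAMPER_PATTERNS = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("stop_av_service",
     re.compile(r"\b(sc(\.exe)?|net(\.exe)?)\s+stop\s+\"?(WinDefend|Sense)\b", re.I)),
    ("kill_av_process",
     re.compile(r"taskkill(\.exe)?\b.*\s/IM\s+MsMpEng\.exe", re.I)),
]


def detect(event):
    """Return the name of the first tamper pattern matching a process event's command line, or None."""
    cmd = event.get("command_line", "")
    for name, pattern in TAMPER_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


# Emulated adversary actions, labelled with the ATT&CK sub-technique they represent (constructed).
EMULATIONS = [
    ("T1562.001 disable Defender real-time",
     'powershell -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("T1562.001 stop Defender service", "sc stop WinDefend"),
    ("T1562.001 kill AV process", "taskkill /F /IM MsMpEng.exe"),
    # Reboot into safe mode so third-party AV does not start; the rule above has no pattern for it.
    ("T1562.009 safe mode boot", "bcdedit /set {default} safeboot minimal"),
]

# Benign administrative commands the rule must not flag (constructed).
BENIGN = [
    {"command_line": 'powershell -c "Get-MpPreference"'},
    {"command_line": "sc query WinDefend"},
]


def validate(emulations=EMULATIONS, benign=BENIGN):
    """Replay emulated and benign events through detect() and report coverage.

    Returns a dict with the labels detected, the labels missed (blind spots),
    and any benign command lines that were wrongly flagged.
    """
    report = {"detected": [], "missed": [], "false_positives": []}
    for label, cmd in emulations:
        hit = detect({"command_line": cmd})
        (report["detected"] if hit else report["missed"]).append(label)
    for ev in benign:
        if detect(ev):
            report["false_positives"].append(ev["command_line"])
    return report


if __name__ == "__main__":
    r = validate()
    print("detected:", r["detected"])
    print("missed:", r["missed"])
    print("false positives:", r["false_positives"])
```

Run as-is, three of the four emulated commands are detected, the safe-mode variant is reported as missed, and neither benign command fires. Extending the emulation list before extending the rule is the habit the experts are describing: the gap is found by the defender's own test run, not by the next intrusion.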
Good cyber hygiene becomes ever more difficult to maintain with each piece of new technology integrated into the organization, he noted.
Oftentimes, a business can be its own worst enemy when it comes to how fast it is taking on new technologies, Johnson pointed out. He said there is “almost never” a specific cybersecurity subject matter expert assigned to new tools when they are being onboarded at a healthcare organization.
“But the security team is still accountable for rapidly learning this new piece of technology, rapidly understanding what vulnerabilities it can have, and then probably having to learn some kind of third party tool or capability to do enforcement and protection. That’s almost an impossible ask,” he stated.
Johnson thinks some providers’ rush to adopt AI without adequate security guardrails is creating a new class of cyber vulnerabilities. To him, organizations that onboard these tools without the appropriate protections are on a “perilous, slippery slope.”
Where to go from here
Though healthcare’s cybersecurity posture is riddled with weaknesses, it’s still important to give credit where it is due. Many providers — especially large health systems and private equity-backed physician groups — have stepped up to the plate and made important changes to improve their cybersecurity posture in the past couple of years, such as hiring more staff members and implementing new frameworks, said Steve Cagle, CEO of Clearwater, which offers software for cybersecurity and compliance.
Still, while many organizations have improved their cybersecurity programs, good security today probably won’t be good enough tomorrow due to evolving threats, he warned.
Going forward, Cagle said healthcare organizations need to turn up the dial on their cybersecurity efforts even more. Cybersecurity needs top-down prioritization from boards and executives, he said, and organizations need a clear definition of what risk management looks like for them.
“What’s acceptable risk? That’s going to be different for a rural hospital versus a large, integrated delivery network. Is it a million dollars, or is it $10 million to get to a high level of impact? Those are all things that organizations need to spend time with and really understand,” Cagle stated.
He thinks many providers need to focus more on resilience, too. In his view, organizations must assume an attack will happen rather than could happen, and they need to have their response plans laid out accordingly.
This means regularly testing the organization’s incident response and business continuity plans, as well as figuring out what processes would be relied on when systems are down. It also means determining which systems need to be prioritized for data protection and recovery, Cagle noted.
Without this type of action, cybercriminals will continue to take full advantage of healthcare’s weak security posture, he said.
The message from experts is straightforward: The industry has made some strides in the cybersecurity sphere — but it’s not nearly enough.
Photo: boonchai wedmakawand, Getty Images