Cyber In Healthcare in 2024: Last year was one of the worst years ever for cyberattacks on healthcare organizations. According to John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, the number of people affected by attacks broke records, with US federal data indicating that around 106 million people were impacted by a healthcare data breach, more than double when compared to 2022.
For years, hackers have targeted hospitals and other providers, stealing confidential patient information or demanding ransom payments for stolen data. Now, in 2024, the cybersecurity industry is advising the healthcare sector to brace itself for a surge in AI-powered cyberattacks, which will be more advanced and sophisticated than we’ve ever seen before. Use of natural language processing tools, powered by AI such as ChatGPT, have made it easier for threat actors to create and distribute highly targeted and personalized phishing emails, while AI-driven attacks mimic normal network behaviour, bypassing standard detection systems.
The advancements in AI and automation will make it easier for malicious actors to carry out attacks, lowering the bar for entry to cybercrime. Meanwhile, healthcare providers typically have sprawling networks of old and out-of-date IT and IoT systems that need to connect with multiple partners such as medical specialists, insurance, pharmacies, public and population health centres, and more. The public sector is particularly burdened by a huge technical debt brought about by the failure to replace end-of-life and legacy technologies.
Yet, medical and healthcare IoT devices – devices used to diagnose, monitor, manage, and treat medical ailments – make up three-quarters of hospitals’ connected endpoints, putting patients at extreme risk if such equipment is compromised by hackers.
Furthermore, healthcare delivery organizations are also filled with other connected building management systems that control and monitor elevators, CCTV cameras, hallways and doorways, and HVAC systems designed to maintain clean rooms and control the spread of airborne pathogens. This interoperability between different healthcare IT systems, as well as integrations with medical and healthcare IoT devices and suppliers means an increasing attack surface which in 2024 will continue to grow in size and complexity.
Worldwide, the healthcare IoT market is projected to reach $108bn by 2024, as a greater number of hospitals adopt smart medical devices and remote patient monitoring systems. With increased
connectivity comes an increase in attack vectors for cybercriminals to exploit to penetrate networks, disrupt data, and imperil medical devices and patient safety.
Despite this, healthcare providers tend to have a largely inaccurate inventory and understanding of the assets that connect to their medical networks, making them unaware of the risks these devices pose.
It’s no wonder that IT leaders in healthcare regularly report cyberattacks as the one threat that keeps them awake at night. As we enter a predicted storm of AI-driven cyberattacks this year, hospitals and health systems must make cybersecurity a top priority. Healthcare leaders must understand the risks and the need for continuous investment in bolstering defense strategies to defend against rising risks this year, including:
AI-generated ransomware attacks
This year we’ll see ransomware attacks leverage AI to better identify the true value of what malicious threat actors have stolen, then use this insight for more effective extortion of both healthcare organizations and their most high-profile clients.
Deepfakes
Deepfakes manipulate media, using deep generative tech to clone a person’s likeness, usually their face or voice, and these types of attacks are likely to become increasingly prevalent in 2024. As a result, we will see criminal gangs copy the likeness of a healthcare leader, CEO, or even patients to trick recipients into opening an email attachment or clicking on a link. This could be, for example, a video or phone message to a member of staff to open a document or to pay an invoice. Knowing who to trust and how to deliver patient information will become ever more challenging in the future.
State-sponsored cyber attacks
As conflict across Europe and the Middle East continues, cyber espionage by pariah nation-states against critical healthcare systems remains a real threat in 2024. For example, the Russian hacktivist group Killnet launched multiple Distributed Denial of Service (DDoS) attacks on the US healthcare system in 2023 in protest against US support for Ukraine. In one of the group’s latest attacks in November 2023, websites of at least 14 organizations were targeted, including Stanford Healthcare in California, Duke University Hospital in Durham, North Carolina, and Cedars-Sinai Hospital in Los Angeles, California. This was the second co-ordinated attack by the group upon the US healthcare system in just two months. And already in January of this year, we saw reports where the same group claimed responsibility for several attacks on Ukrainian sites.
Regulations
In 2024, we will see regulators making strides to strengthen laws in line with modern cybersecurity threats. Proposed regulations in New York state could require hospitals to establish a written cybersecurity program to supplement existing HIPAA security and privacy requirements. These
organizations will also have to designate a Chief Information Security Officer (CISO), perform risk assessments, utilize multifactor authentication, and submit cybersecurity incident reports to the New York State Department of Health (NYSDOH).
Furthermore, the United States Department of Health and Human Services (HHS) has proposed updating the HIPAA Security Rule in 2024 to strengthen requirements for HIPAA-regulated entities to safeguard individuals’ electronic personal health information from cybersecurity threats. The national standards were last updated in 2003. Today, however, there are more sophisticated frameworks, including the NIST Cybersecurity Framework, which healthcare settings can use to develop their cybersecurity program.
Mitigating risks
There is much that can be done to mitigate risks to public and private healthcare services from cyber espionage. The assistance of the government through enforcing regulations and aggressively targeting cybergangs will significantly help. However, greater investment is needed to ensure that heads of IT in healthcare have a better understanding of what assets connect to their medical networks and the risks they pose. While identifying PCs, laptops, and servers on a system tends to be fairly straightforward, it’s more challenging to do the same for healthcare IoT, especially medical devices that can’t be easily scanned for vulnerabilities.
This is where AI can be used positively to protect. Next-generation cyber security tools use machine learning to identify and profile a healthcare setting’s IT infrastructure, including IoT devices, along with any vulnerabilities and risks. They do this by using adaptive data type analysis to passively identify accurate device characteristics without damaging or destabilizing endpoints. In so doing, true risks can be identified, and baseline network activity established for the immediate identification of suspicious or anomalous activity.
IoT security tools should be highly automated as well as seamlessly integrated with existing security tools to quickly remediate risks before patients are placed at clinical risk. This includes network access control capabilities to segment and isolate at-risk medical devices, and to ensure the continued safe use of otherwise risky systems that cannot be easily replaced because of budget constraints. Tools also need to provide improved reporting capabilities for senior management and government. But most critically, new tools need to be implemented immediately given risks, rising attacks, and a tsunami of medical devices being continuously deployed across hospitals this year and beyond.
Editor’s Note: Ryan Gonzales is Vice President of Solutions and Security Services at Cylera