Navigating Healthcare Cybersecurity in 2024: Predictions and Strategies
The 2024 healthcare cybersecurity forecast signals a crucial need for preparedness. Looking back at the tumultuous cybersecurity landscape of 2023, it's evident that cyberattacks have not only grown in frequency but have also become significantly more sophisticated. This continuous evolution poses a profound challenge to traditional defense models across various sectors. Among these, the healthcare industry in particular has become a target for malicious groups seeking not just financial gain, but also life-threatening disruptions to patient care. This presents a major challenge to patient safety.
2023 Cyber Landscape Overview
The healthcare sector's vulnerability stems from its rapid digital transformation and the abundance of valuable medical intellectual property and personal health information. With the escalating adoption of IoT (Internet of Things) and connected medical devices, coupled with the complexity of health IT applications, the attack surface for healthcare delivery organizations has expanded substantially. This expansion translates to heightened susceptibility to cyberattacks, affecting the seamless treatment of patients.
In early 2023, the healthcare sector ranked as the third most targeted industry globally by cybercriminals, experiencing an average of 1,634 malicious attack attempts per week. Overall, the first half of 2023 malicious activity soared, with an 8% surge in weekly attacks in the second quarter alone.
The gravity of these attacks became starkly evident in the financial aftermath, with the average cost of a healthcare cyberattack soaring to a staggering US$11 million—an alarming 53% increase since 2020. Beyond monetary implications, these breaches inflicted irreparable reputational damage, increased patient morbidity and mortality rates, disrupted operations, and led to the theft of sensitive protected health information (PHI).
Healthcare Cyber Threat Severity
According to a paper from the University of Minnesota School of Public Health “From 2016 to 2021, [it is] estimated that ransomware attacks killed between 42 and 67 Medicare patients.” Yet, amidst a tighter economy and pressure on provider finances, and despite an escalating threat landscape, some healthcare boards currently contemplate downsizing security teams, posing an even greater critical risk to patient care, patient safety, and data security.
As cyber threats continue to escalate, the imperative for healthcare organizations to prioritize cyber resiliency becomes glaringly evident. The cost incurred from a data breach now far outweighs any cybersecurity investment to effectively defend against attacks. The scale and impact of cyberattacks in 2023 emphasizes the urgent need to bolster cyber resilience to counter modern-day threats, fortify patient care, and meet compliance standards.
Key 2023 Healthcare Cyberattacks
Reflecting on significant breaches in 2023, incidents like the Colorado Department of Healthcare Policy and Financing breach exposed 4 million data records. However, the most significant breach of was by 23andMe, a non-HIPAA-covered entity, impacting 6.9 million user profiles comprising personally identifiable and genetic data. This incident underscored the vulnerability of shared passwords across multiple services.
To read more about cyber trends and threats in 2023 check out our blog here.
Looking Ahead: 2024 Cybersecurity Predictions
Anticipating the cybersecurity landscape in 2024 reveals the following critical trends poised to shape healthcare cybersecurity:
Social engineering and deepfakes will continue
Expect the proliferation of social engineering tactics and the utilization of deepfakes, contributing to a surge in business and vendor email compromises (BEC & VEC) across the healthcare sector. Cognitive conditioning prevents us from challenging what we see, hear, or learn from people we associate with. This is leading to a rise in BEC & VEC across the wider business landscape and healthcare environment. In 2023, the FBI identified nearly $51 billion in exposed losses due to business email compromise, a $7 billion increase from 2022. These scams are thus predicted to continue to rise in 2024 and beyond.
The major disruption and damage of a cyberattack highlights the important necessity to combat these types of attacks. It’s crucial for organizations to implement robust policies and procedures that outline any potential cyber risks and the warning signals of an attack, so employees know when one is happening, and know how to reduce any risks to organizational and patient safety. These policies should also require dual-key authorization and multiple validity checks before the transfer of any money, data, or other protected information.
Offensive AI will surge
Healthcare organizations need to prepare for a rise in offensive AI-powered threats as they become more prevalent. Offensive AI attacks can include intelligent malware that can avoid detection and run automated exploits of IT system vulnerabilities, as well as highly tailored phishing emails. Just like how businesses have started to utilize AI to streamline workflows and boost productivity, cybercriminals are doing the same. AI enables faster, stealthier, automated attacks at extraordinary scale, such as mass spear phishing campaigns, which can pose a substantial threat to healthcare delivery organizations (HDOs). In fact, 91% of all successful cyberattacks start with a phishing attempt, making them highly attractive attack vectors.
Federal and state healthcare regulations will increase
We’ve seen several federal and state regulations related to connected healthcare IoT devices. Notably, in November 2023 New York Governor Kathy Hochul proposed a series of comprehensive cybersecurity regulations for the state’s hospitals and plans to increase funding to help these hospitals ensure cybersecurity maturity of their connected systems. If passed into law, these currently proposed regulations will require hospitals to develop a comprehensive cybersecurity program, among other steps, to prevent unauthorized access to their information systems.
Early last year we also saw Washington’s My Health My Data Act signed into law. This act is the country's first privacy-focused law designed to safeguard personal health data not covered by the Health Insurance Portability and Accountability Act (HIPAA). It was created to prevent sensitive health data from being collected and shared without the agreement of the customer. Under the law, regulated entities must follow specific requirements about how and when they may collect and share personal health data.
Healthcare and cybersecurity budgets will continue to be stretched
In 2024, healthcare budgets globally are expected to face increased strain. Escalating costs, declining payments, and underfunding of healthcare systems will impact services. This financial pressure will persist despite substantial hikes in health insurance premiums in the US, and due to the persistent underfunding of the UK’s National Health Service (NHS). The resulting effect creates an ominous outlook for many healthcare providers, with some facing closure due to financial pressures alone. Others will likely close permanently due to increased cyberattacks and a lack of cyber defenses or resiliency and ability to quickly recover.
Additionally, the cyber threat landscape is also very different in 2023 compared to decades ago. Weekly cyberattacks on healthcare settings have become distressingly common, reflecting the escalating sophistication of cyber threats. The lack of deterrence for cybercriminals has facilitated the rapidly growing industry of cybercrime and cyberextortion. Cyber defenders were already outnumbered in 2003, but in today’s evolving threat landscape the ratio of attacker to defender is much, much worse, indicating a critical need for enhanced cybersecurity measures and resiliency.
Cybersecurity Solutions for Healthcare Organizations
Amidst these impending challenges, healthcare organizations must fortify their cyber resilience to navigate the evolving threats effectively. Implementing comprehensive cybersecurity solutions is paramount to safeguarding patient care and data integrity.
Cylera offers cutting-edge healthcare cybersecurity processes and solutions that provide a tailored approach to address the dynamic threat landscape. The Cylera platform provides unparalleled visibility, high-fidelity medical IoT security, and usage intelligence. It prioritizes risk scoring and guides threat remediation, enabling organizations to mitigate risks, enhance operational productivity, ensure compliance audit-readiness, and advance cyber program maturity.
As healthcare organizations navigate the evolving cyber landscape, Cylera offers cybersecurity processes and solutions to safeguard against 2024’s anticipated threats. Reach out to the Cylera team at Contact Cylera or visit https://cylera.com/platform/how-cylera-works/ to explore how Cylera can empower healthcare organizations to proactively defend against cyber threats in the upcoming year. In the relentless pursuit of cybersecurity resilience, healthcare organizations must adapt, fortify, and proactively defend against the evolving threats poised to challenge patient care and data integrity in the year ahead.
