According to cybersecurity analysts, the healthcare industry remains a primary target for ransomware attacks, trailing behind other sectors in cybersecurity preparedness. Hospitals and healthcare organizations, despite some improvements, continue to face significant vulnerabilities in their systems.

Keith Forrester, practice manager of strategy and risk services at the cybersecurity firm Optiv, expressed his concern over the current state of healthcare cybersecurity. “It's all too often that we get into an organization and their cybersecurity program is really lacking,” Forrester told Chief Healthcare Executive®. He highlighted issues such as unpatched software vulnerabilities and the failure to implement basic defense measures.

Comparing healthcare cybersecurity to other sectors, Forrester stated, “They are behind.” This sentiment is echoed by other professionals in the field. Blaine Hebert, chief information security officer of Yuma Regional Medical Center, noted at the HIMSS Global Health Conference & Exhibition in March that the healthcare sector is lagging significantly behind the financial sector, estimating a decade-long gap.

Kevin Pierce, chief product officer of VikingCloud, pointed out the increasing digital connectivity in healthcare, linking hospitals, insurers, and various vendors, which exacerbates the cybersecurity challenge. “The attack surface is just exploding,” Pierce explained, adding that the sector is dealing with both a lag in capability and an expanding attack surface.

Recent ransomware attacks have had severe consequences. The Ascension health system attack disrupted patient care, leading to ambulance diversions, longer clinic waits, and forced clinicians to work without electronic health records. Similarly, the ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, has caused operational disruptions and financial stress nationwide, potentially exposing private information of numerous Americans.

Greg Garcia, executive director of cybersecurity for the Health Sector Coordination Council, highlighted the growing threat in his testimony at a House subcommittee hearing in April. He noted that “healthcare cybersecurity” was an unfamiliar term a decade ago, but now the sector faces an epidemic of cyber threats, with the Change Healthcare attack being the most catastrophic to date.

Healthcare systems are lucrative targets for ransomware groups due to the value of private health and financial information on the dark web. According to IBM Security, the average healthcare data breach costs nearly $11 million, compared to $4.45 million across all industries.

Forrester emphasized the necessity of robust third-party risk management programs, noting that many breaches occur through attacks on vendors. He stressed the importance of ongoing evaluations and penetration tests to assess the effectiveness of cybersecurity measures.

Financial constraints further complicate the issue. Many healthcare organizations, already struggling financially, have limited resources to invest in cybersecurity. Forrester observed that some organizations have the necessary tools but lack the personnel to support them, exacerbating their vulnerability.

The recruitment and retention of cybersecurity professionals remain problematic. Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, indicated that healthcare, like other sectors, struggles to fill cybersecurity roles. Limor Kessem, a senior cybersecurity consultant for IBM Security, pointed out that skilled cybersecurity professionals often opt for higher-paying industries.

Despite these challenges, there is a growing recognition of the importance of cybersecurity investment. A Healthcare Information Management and Systems Society (HIMSS) report revealed that most healthcare cybersecurity budgets have increased, with organizations now spending an average of 7% of their IT budgets on cybersecurity.

Training is another critical area needing attention. Forrester criticized the inadequacy of current awareness training in healthcare, stressing the importance of regular and comprehensive training to combat sophisticated phishing attacks, which are the primary entry point for ransomware.

As ransomware groups enhance their phishing tactics with AI, making them harder to detect, Forrester emphasized the necessity of robust training programs. “Ransomware can be stopped because we know where it's coming in,” he said. Effective training is essential to equip staff to recognize and respond to these threats, thereby safeguarding patient care and organizational integrity.