
Healthcare Cybersecurity – 2024 Health IT Predictions

As we kick off 2024, we wanted to start the new year with a series of 2024 Health IT predictions. We asked the Healthcare IT Today community to submit their predictions and we received a wide ranging set of responses that we grouped into a number of themes. In fact, we got so many that we had to narrow them down to just the best and most interesting. Check out our community’s predictions below and be sure to add your own thoughts and/or places you disagree with these predictions in the comments and on social media.

All of this year’s 2024 health IT predictions (updated as they’re shared):

And now, check out our community’s Healthcare Cybersecurity predictions.

Scott Lundstrom, Senior Healthcare Strategist at OpenText Cybersecurity
Accelerated move to zero trust: The healthcare industry is struggling against a dramatic increase in malware and ransomware attacks. Large volumes of personal information and dated security infrastructure make these organizations targets for cyber criminals. Defending against these attacks must be a top priority for healthcare cybersecurity professionals.

In 2024, the attack surface will continue to grow. With support for multi-cloud deployments, telemedicine and personalized health, patient and clinician devices, and IoT devices deployed in the home, perimeter security will no longer be enough. I predict healthcare organizations will accelerate their deployment of zero trust architectures to defend against increased attacks and expanded attack vectors. Hospitals initially will focus on improved identity management, authentication, continuous verification, and fine-grained access controls. Integrated zero trust solutions should quickly gain ground in this market as hospitals try to upgrade their networks to support modern care delivery.

Jennifer Hennessy, Partner at Foley & Lardner LLP
In 2024, regulators will make efforts to better align laws with modern cybersecurity risk – and organizations will need to assess their cybersecurity programs for compliance with these updates. For example, HHS is proposing to update the HIPAA Security Rule in 2024 to strengthen requirements for HIPAA regulated entities to safeguard electronic health information from cybersecurity threats. The HIPAA Security Rule was drafted in 2003 and has not been substantively updated since that time. Health care organizations generally use other more sophisticated frameworks (e.g., the NIST Cybersecurity Framework, ISO 27001/27002, SOC2, etc.) to build out their cybersecurity program.

Organizations will also take a harder look at the cybersecurity posture of potential vendors during the vendor selection process. Many health care organizations have dealt with the fallout of incidents that occurred at a vendor – having to notify patients and regulators of the incidents and even facing litigation as a result. This has taught organizations that they are only as secure as their weakest vendor.

Navroop Mitter, CEO at ArmorText
Prediction 1: ransomware gangs will use AI to find your crown jewels

The evolution of ransomware, now further enabled by AI and Large Language Models, will continue. In its first iteration, ransomware would encrypt and extort. In its second iteration, that transitioned to exfiltrate and extort, making attacks faster and simpler for threat actors and reducing the value of backups for victims hoping to avoid paying ransoms.

But, in its next iteration, ransomware will further evolve to an exfiltrate, evaluate, and extort approach, where evaluation (really valuation) will be aided by AI. Ransomware gangs will leverage AI to better determine how to best value what has been stolen (e.g. health records – writ large vs. for specific individuals) enabling more effective extortion of both healthcare institutions and their most high-profile clients.

Prediction 2: deep faked CEOs and Patients

Dramatic improvements in the quality of generated voice and video of real-life persons coupled with further improvements in Generative AI and Large Language Models to automatically assess and replicate the nuances of how individuals communicate, both orally and in written form, will enable novel attacks for which most organizations are severely underprepared.

Over the next 24 months, healthcare organizations will face attackers mimicking their executives and high-profile patients, not just by email spoofing but with perfect AI-driven mimicry of their voice, likeness and diction. This will present multiple challenges — increased difficulty in determining who to trust during incident response as well as determining when to deliver sensitive diagnosis and treatment plans when not face-to-face with patients. How will companies distinguish between The Real McCoy and near perfect imposters?

Existing policies and procedures designed around handling rogue executives won’t apply nor will some of the current methods for authenticating patients remotely.

Prediction 3: the trend of vendor consolidation will end.

Regulatory drivers such as updated SEC rules in the US and Europe’s NIS 2 and DORA will further the conversation about adoption of out-of-band communications for right-of-bang incident response. But, coupled with continued evidence that improvements to detect and contain attacks have stagnated, organizations will begin to re-evaluate the use of more secure out-of-band communications options for use prior to an incident (left-of-bang). They will draw inspiration from defense and intelligence practices around the world that segregate communications by sensitivity level to channels / platforms with the appropriate commensurate levels of security protections, which I call a Tier & Protect Strategy ™.

Erik Littlejohn, CEO at CloudWave
A New Rationalization of Cybersecurity Resources – There has recently been a shift in the approach towards cybersecurity funding as the “blank checks” for resources begin to dry up. I expect that to intensify further throughout 2024.

The tumultuous events of 2020, the widespread shift to remote work, and the surge in cyber events in healthcare and other vital industries left many organizations reevaluating their cybersecurity strategies and making substantial investments in new technologies and tools to shore up defenses quickly. Fast forward to today, and organizations realize that investments in specific tools may not have yielded the expected results or that some of the technologies implemented may overlap. This has led to reexamining many of those tools, focusing on eliminating redundancies and optimizing functionality.

For example, hospitals are tightening budgets, giving way to a more rationalized approach to managing cybersecurity resources. This shift prompts organizations to scrutinize their portfolios and reconsider how to manage cybersecurity investments better, emphasizing the need for efficiency and effectiveness of what they already have versus additional spending, and identifying areas where expenses can be trimmed without compromising security. The goal is to have a comprehensive cybersecurity program and to ensure that each aspect is optimized for maximum effectiveness. It’s also essential to have the capability to monitor systems 24/7 to identify threats and respond rapidly. Having the tools is important, but if you don’t have a team or partner to monitor and react appropriately, they provide little value.

As we move through 2024, expect the streamlining of cybersecurity portfolios for increased efficiency to continue as organizations realize that a leaner, well-integrated set of tools can often outperform a disjointed array of cybersecurity solutions. This shift towards efficiency is both a cost-saving measure as well as a strategic move to enhance overall security posture. It’s not just about having the latest and greatest tools; it’s about a more thoughtful and strategic approach to security, having the right tools implemented in the right way, to create a robust and efficient cybersecurity program that can adapt to the evolving threat landscape.

Cybersecurity Regulations and Funding are Increasing at the State Level – New York recently proposed regulations that will require hospitals to implement robust infrastructure to prevent cyberattacks, along with allocating $500 million in funding to help upgrade technology systems to meet the proposed rules. This includes requirements to establish policies for evaluating and testing the security of third-party applications, develop incident response plans, and perform testing of those plans to ensure that patient care continues in the event of a disruption, among others.

The proactive stance New York is taking to provide funding for this should be an example for other states to follow suit in 2024. While larger hospitals may be able to absorb these costs more easily, smaller, rural, and financially constrained hospitals often lack the financial resources or personnel to meet increasing cybersecurity demands. As regulations increase, collaboration between stakeholders and industry players will be crucial to ensure that all healthcare facilities, regardless of size, can meet and exceed the cybersecurity standards necessary in today’s threat landscape.

Steve Gwizdala, VP of Healthcare at Ping Identity
For five years running healthcare organizations have been the number one target for threat actors, and breaches are the costliest when compared to all industries at an average of $10.93 million per incident. The primary cause of breaches is unauthorized access.

Basic forms of authentication often rely on personal identifiable information (PII), such as social security number (SSN), birthdate, and address. This information is attractive to criminals because it is widely used to authenticate a person’s identity, is difficult to change, and can be used to commit fraudulent claims for health equipment, services, and prescriptions.

The good news is that more companies and consumers are turning away from using PII for authentication in favor of a more convenient and secure form – digital ID cards. As digital identity strategies mature, digital IDs will be managed in a decentralized structure – where the authentication validator never actually acquires or stores the authentication data, only confirms it. This means that health organizations will no longer request, house, or manage PII, thereby decreasing their vulnerability and attractiveness to cybercriminals. Further, as digital wallets evolve to include digital insurance cards, payment methods and more, there is less concern with this sensitive information getting in the wrong hands.

The use of decentralized identity and digital ID cards is key for health security leaders to include in their strategic planning. Digital IDs offer superior security and user experience, and better tamper resistance due to the stronger link between the physical person and their digital identity. They also offer expedited revocation or deactivation of access.

Jason Stewart, Virtual Information Security Officer at Fortified Health Security
My prediction for cybersecurity in healthcare in 2024 is that threat actor activity is not going to slow down. With the United States currently involved in multiple overseas conflicts, as well as recently joining the multi-country pledge to stop paying the ransom for ransomware attacks, I highly expect threat actor activity to increase overall. Specifically, I think we’ll see evolved social engineering methods, next generation phishing techniques, expanded business email compromise attacks, and next generation ransom platforms continuing to appear.

Even though this is just a prediction, it’s imperative for hospitals and health systems to elevate the priority of cybersecurity within their organization, including: refining their data governance practices, ensuring all PHI storage (especially legacy data storage) is properly secured and decommissioned according to best practices, removing outdated and unsupported equipment from their environments, properly staffing their IT and IT security departments with knowledgeable resources, allocating appropriate budget to ensure that outdated clinical systems are maintained on a supported platform, and investing heavily in regular user education for all new types of threat vectors. Every month should be cybersecurity awareness month moving forward. End users are the primary and front-line defense against threat actors so it’s vital to ensure that they stay alert and know exactly what to look out for when going about their day.

Andrew Bayers, Head of Threat Intelligence at Resilience
Healthcare breaches have doubled in the past three years, and the industry is a leading source of cyber insurance claims. Recent examples like the hack on Prospect Medical Holdings have once again put the spotlight on the cost of cybersecurity lapses. Despite major moves made to stem the tide of cyberattacks – like New York’s proposed cybersecurity regulations for hospitals – this trend shows no signs of slowing down as we head into 2024.

Healthcare organizations are not alone in facing this challenge; it maps to a larger trend in cybersecurity: the rapid rise in ransomware over the past year. Ransomware can be incredibly damaging to healthcare systems, bringing operations to a standstill and even endangering patient lives. To mitigate this threat, organizations need to take actionable steps to improve their cyber hygiene, including maintaining and testing immutable backups, implementing incident response protocols, and more.

Jeff Stravers, Virtual Chief Information Officer (vCIO) at Anatomy IT
Protecting information systems and data from cyberattacks is top of mind in 2024. This is driven not only by the higher volume of attacks we are seeing across the industry, but also by the noticeable spike in phishing and other attempts. It seems that the threat actors have switched strategies from targeting only the largest health systems in the country to aiming their attacks at the middle market and smaller health systems and hospitals.

Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security
The healthcare sector remains a significant focal point for cyber threats, primarily because of the sensitive information it handles. The swift progress and global development of healthcare systems, facilitated by cloud computing, hybrid work models, and artificial intelligence, create an expanded landscape for cybercriminals to exploit. The intricate interconnectivity required among healthcare providers and their systems to serve distributed populations amplifies the potential attack surfaces, providing threat actors with extensive opportunities to carry out cyber attacks.

Healthcare organizations are increasingly using electronic health records (EHRs) and other digital systems to store and manage patient data. This makes them more vulnerable to cyberattacks, as cybercriminals can exploit vulnerabilities in these systems to gain access to sensitive data. This threat is exacerbated further by the increasing prevalence of cloud and remote computing systems, essential for accommodating the expanding requirements of distributed healthcare providers.

Kate Pierce, Senior vCISO & Executive Director of Subsidy Program at Fortified Health Security
My prediction for 2024 is that the cybersecurity workforce gap will continue for at least five years. There is certainly never a shortage of work to be done in cybersecurity, but we’re likely in it for the long haul when it comes to overcoming the cybersecurity workforce shortage.

According to the ISC2 Cybersecurity Workforce Study, 2023, the U.S. had a cybersecurity workforce shortage of over 480,000 workers. While this issue has gained the attention of the government, leading them to release the National Cybersecurity Workforce and Education Plan, the reality is that it will take a significant amount of time to bridge this gap. Once we do, we may see it hold steady for a while before we actually see the gap declining.

Matt Eisendrath, President and Chief Commercial Officer at Full Spectrum
Strategic companies will prioritize Cybersecurity. Cybersecurity is a known concern and is imperative for getting your medical device to market, especially considering the FDA’s new guidance in 2023. It is well known that failure to meet these standards can result in costly fines, reputational damage, and delayed time to market. As cyber threats continue to evolve, proactively addressing cybersecurity concerns is not only a moral obligation but also a business necessity for medical device companies.

John Chenoweth, Chief Product Security Officer at Elekta
We predict healthcare providers will continue to prioritize security in 2024, largely due to increased cybersecurity risks to the healthcare ecosystem. Organizations must stay proactive and adapt quickly as technology becomes more powerful. Managed security services and internal security teams can help by identifying and reacting to threats quickly, as well as implementing patches, pushing updates, and ensuring systems are up-to-date – freeing in-house IT departments from this burden.

Priscilla Sandberg, Senior Healthcare Strategic Alliances Manager at Pure Storage
In 2024, we can expect the frequency and sophistication of cyberattacks to increase. Healthcare organizations, including payers, will need to shift their focus toward implementing a comprehensive disaster recovery and data resiliency plan that enhances their ability to detect, protect, recover, and maintain their vital healthcare data to avoid or mitigate the disastrous impacts of unexpected events or disruptions. These potential events include malware, software bugs, cyberattacks, natural disasters, and most commonly human errors. There are not only financial ramifications for payers and providers due to data leaks but additionally, these organizations lose the trust they need with their members and patients in order to serve their constituents and move their business forward.

Creating a tiered resiliency architecture that can restore operations quickly and efficiently when – not if – an organization suffers a cyberattack should be a priority in 2024 to ensure the best care is provided to their members and patients while engendering trust and partnership with all of their stakeholders.

Ty Greenhalgh, Industry Principal, Healthcare at Claroty
As cyberattacks against hospitals continue to compromise patient privacy and mortality, conversations around state level cybersecurity regulations will rise in consideration in 2024. As the state of New York awaits a decision on its proposed draft rules for general hospitals to develop incident response plans and assess cybersecurity risks, other states where hospitals are similarly falling victim to cyberattacks will be called upon to follow suit should the regulations be approved.

Be sure to check out all of Healthcare IT Today’s Healthcare Cybersecurity content and all of our other 2024 healthcare IT predictions.
