Healthcare providers and supply chain vendors have been hit hard. What will happen in 2025?
Marianne Kolbasuk McGee (HealthInfoSec)
December 25, 2024
2024 was a tumultuous year for cybersecurity in healthcare. Hospitals, physician practices and their business associates reported hundreds of health data breaches, including the highly disruptive Change Healthcare ransomware attack that compromised the data of 100 million Americans.
As of Dec. 20, the Department of Health and Human Services' Office for Civil Rights HIPAA Breach Reporting Tool website listed a total of 677 major health data breaches affecting more than 182.4 million people in 2024.
By far the most common type of breach reported this year was, unsurprisingly, hacking/IT incidents. As of Dec. 20, the HHS OCR website showed 550 such hacks affecting more than 166 million people in 2024.
But none was as large as the February cyberattack on Change Healthcare, the IT services arm of UnitedHealth Group.
This incident alone, claimed by the Russian-speaking ransomware group BlackCat, also known as AlphV, not only affected a staggering 100 million people but also disrupted thousands of the company's healthcare provider clients. It also broke records in terms of sheer IT and business disruption, affecting customers and other entities across the sector for months (see: Change Healthcare begins notifying millions affected by hack).
Mike Hamilton, field CISO at security firm Lumifi, said the Change Healthcare attack was unlike any previous incident because of the concentration of services in a single organization and the breadth of the sector it served. Its impact, he said, was enormous.
“This disruption, like no other event, caused disruption across the industry and exposed the dangers of this concentration. Providers were unable to verify patient insurance, unable to receive payment and unable to access patient care. The financial stability of both hospitals and clinics declined.”
The Change Healthcare breach alone affected roughly 1 in 3 Americans and accounted for approximately 55% of all individuals affected by a major health data breach in 2024. Change Healthcare also set a dubious record: the $22 million ransom payment to the cybercriminals was one of the largest such payments.
“The Change Healthcare event sent a clear message: Many of those affected had no idea how or why they were even involved with Change, and had no idea of the impact until it was too late,” said David Finn, a former healthcare CIO, advisory board member of the consulting firm First Health Advisory and principal of the consulting firm Cyber Health Integrity LLC.
Among attacks on healthcare providers, the largest breach stemmed from the May ransomware and data theft incident at Ascension Health, reportedly carried out by the Black Basta cybercriminal group. The incident forced the Missouri-based hospital chain to take down its IT systems, including electronic medical records, for several weeks, and resulted in a data breach affecting 5.6 million patients and employees.
As of Dec. 20, this breach ranked as the third-largest so far this year on the HHS OCR website (see: Ascension notifies 5.6 million people affected by ransomware hack).
A Dec. 20 snapshot of the HHS OCR website shows that 212 of the large breaches reported so far in 2024 involved business associates. Those vendor incidents affected more than 131 million people, or approximately 75% of all individuals affected by a major health data breach this year. That share is primarily due to the huge impact of the Change Healthcare hack, a breach at a single business associate.
Other types of vendor incidents, not all of them cyber-related or resulting in data breaches, also highlighted the risks created when organizations in healthcare and other industries are concentrated on a few third-party IT products and services.
“The CrowdStrike software update also pointed out a number of problems in the software industry, and how much trust is placed in 'buyers' and how misplaced that trust can be,” Finn said.
Global impact
But HIPAA-regulated companies in the U.S. healthcare sector weren't the only ones bearing the brunt of hacking incidents like ransomware and other cybercrimes.
Globally, attacks on members of the healthcare industry, including British pathology service provider Synnovis, also caused widespread disruption to several London hospitals and a national shortage of type O blood.
“What we need to do is spend time preparing incident response plans for all functional and operational areas of the organization,” Finn said.
That means rehearsing many potential scenarios and practices, “from the boardroom to the groundskeepers,” Finn said.
These include “how to obtain medicines when the drug shelves are closed, how to move patients around the hospital when admission, discharge and transport systems are not working, how to order and perform blood draws when the system is down, and how to bill, charge and communicate when your computers are not working,” he said.
Many organizations hit by sudden and prolonged IT outages have found themselves unprepared for the moment of realizing, “This is not a hoax. This is exactly what is happening.” But Finn says it's essential to have a contingency plan in place. “Yes, it's not the same. It's not as fast or as efficient, but you have to be able to do it.”
The 10 largest healthcare data breaches in the US in 2024

Compromised entity: individuals affected
Change Healthcare: 100 million
Kaiser Foundation Health Plan: 13.4 million
Ascension Health: 5.6 million
HealthEquity: 4.3 million
Concentra Health: 4 million
Centers for Medicare and Medicaid Services: 3.1 million
Acadian Ambulance Service: 2.9 million
Sav-Rx: 2.8 million
WebTPA Employer Services: 2.5 million
Integris Health: 2.4 million
After hacking/IT incidents, the second most common type of breach reported in 2024 was unauthorized access/disclosure.
As of Dec. 20, the HHS OCR website showed 107 such incidents affecting more than 16 million individuals. Some of these breaches, including the two largest, reported by Kaiser Permanente and Atrium Health, involved the organizations' previous use of tracking tools such as Meta Pixel on their websites.
Another incident, which Pennsylvania-based health system Geisinger reported as affecting about 1.3 million people, highlighted the continuing risk posed by insiders.
The Geisinger case involved a former employee of a business associate, Nuance Communications, an IT services provider that is part of Microsoft. In January, the U.S. Department of Justice indicted the individual on one count of “obtaining information from a protected computer,” a federal crime under the Computer Fraud and Abuse Act (see: Former Nuance employee charged in breach affecting 1 million people).
As of Dec. 20, a total of 6,584 major health data breaches affecting more than 746.6 million people had been listed on the HHS OCR website since September 2009. That roughly equates to every American having their PHI compromised at least twice in a major health data breach.
Looking to the future
As the industry looks ahead to the new year, experts predict that many of the threats and other cyber issues that faced healthcare in 2024, including ransomware attacks, data theft attacks and supply chain hacks, will continue and likely worsen.
“In 2025, more key services will be targeted in order to cause as much disruption as possible to the healthcare sector,” Hamilton said. “Criminals and nation-states now have a roadmap to broadly destabilize populations, and this has become a strategic goal for several countries.”
Other experts predict that notable evolving trends will include the Internet of Medical Things, telemedicine security, and threats and risks related to artificial intelligence in diagnostics and other medical activities.
“Sustained growth in telehealth services is driven by the growing need for accessible healthcare solutions,” says a recent study by security firm Optiv.
“Remote patient monitoring and mobile health technologies are essential to this change, but they also increase the risk of exposure to vast amounts of confidential patient records,” the report said.
Additionally, incorporating AI in diagnostics and care “raises ethical concerns about AI transparency, with the risk of inaccurate results due to reliance on pre-trained data models with limited visibility of training data,” the report states.
Max Henderson, vice president of digital forensics and incident response at security firm Pondurance, said one of the most notable trends that will continue into 2025 is the shift away from traditional attack vectors, such as email attachments aimed at users.
“More than 75% of our incidents now result from remote access, such as VPNs, or the exploitation of security vulnerabilities in unpatched devices,” he said.
“I think we will see a significant shift in communication and requirements for restoring connectivity with vendors such as pharmacies and radiology as potential interconnection partners truly understand the risks at hand,” he said.
To stay ahead of these trends, Henderson recommends that healthcare organizations review all authorized VPN users for outdated accounts or accounts that don't require multi-factor authentication, and ensure that perimeter security devices are patched.
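The review Henderson describes is easy to automate once the VPN concentrator's user list is exported. The script below is an added example written for this article, not code from Pondurance or any vendor mentioned here; it assumes a constructed CSV export with the columns username, last_login, mfa_enrolled and enabled (real products use different field names), and flags every enabled account that has not logged in within the stale window or has no MFA enrolled.

```python
"""Audit a VPN user export for stale accounts and accounts without MFA.

Added example for this article; the CSV layout and sample rows are
constructed assumptions, not an export format from any real product.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample export: field names and rows are illustrative only.
SAMPLE_EXPORT = """username,last_login,mfa_enrolled,enabled
dr.alvarez,2024-12-18T07:42:00Z,true,true
radiology-vendor,2024-06-02T22:15:00Z,false,true
contractor.old,2023-11-30T10:00:00Z,true,true
pharmacy-link,2024-12-19T03:10:00Z,true,true
nurse.chen,,false,true
former.staff,2024-01-15T09:00:00Z,false,false
"""

# Fixed "now" so the sample audit is reproducible (matches the article's Dec. 20 snapshot date).
SAMPLE_NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)


@dataclass
class Finding:
    username: str
    reasons: list = field(default_factory=list)


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means the account never logged in."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_vpn_users(export_text, now, stale_days=90):
    """Return one Finding per enabled account that is stale or lacks MFA.

    Disabled accounts are skipped: they cannot authenticate, so they are
    not part of the exposed remote-access surface this review targets.
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        reasons = []
        last_login = _parse_ts(row["last_login"].strip())
        if last_login is None:
            reasons.append("never logged in")
        elif last_login < cutoff:
            reasons.append(f"no login since {last_login.date()}")
        if row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("MFA not enrolled")
        if reasons:
            findings.append(Finding(row["username"], reasons))
    return findings


def audit_sample():
    """Run the audit over the constructed export and return {username: reasons}."""
    return {f.username: f.reasons for f in audit_vpn_users(SAMPLE_EXPORT, SAMPLE_NOW)}


if __name__ == "__main__":
    for user, reasons in audit_sample().items():
        print(f"{user}: {'; '.join(reasons)}")
```

On the constructed data the audit reports three accounts: the vendor account that is both stale and lacks MFA, the long-idle contractor account, and an account that has never logged in and has no MFA. Accounts in the first two categories are the ones an attacker with a leaked password can use without triggering a second factor, so the output doubles as a prioritized remediation list.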
Meanwhile, some experts predict that cybersecurity issues will be in flux as the U.S. healthcare industry prepares for an uncertain regulatory environment in 2025.
“Given that we have a new administration, everything we thought was going to happen is likely to change. We all have to be prepared, just like the healthcare providers themselves,” Finn said.
“Be conscious and continue to maintain your professional networks. We are not going to change this individually. We will only change it by working together,” he said.
“Work with all the groups within your organization, across the community, and across cyber in this space,” Finn said.