
Erik Decker, VP/CISO, Intermountain Healthcare
The Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group has released its 2024 Annual Report, highlighting critical vulnerabilities in healthcare cybersecurity. The report underscores the Change Healthcare cyberattack as one of the most disruptive cybersecurity incidents in recent history, exposing significant weaknesses in the healthcare sector’s resilience.
According to the report, the attack demonstrated how deeply healthcare systems rely on third-party vendors for claims processing, revenue cycle management, and electronic data exchange. Organizations that depended solely on Change Healthcare struggled to maintain operations, with some facing severe cash flow challenges.
“We’ve been discussing this problem for years, but this attack made it real,” said Erik Decker, Industry Co-Chair of the Cybersecurity Working Group. “Now we know exactly how devastating a single cyber event can be to the entire healthcare ecosystem.”
Key Lessons from the Attack
The Change Healthcare incident revealed three major cybersecurity gaps in the healthcare industry:
- Chokepoints in the healthcare ecosystem: The attack demonstrated how a single vendor’s failure can cripple multiple health systems.
- Lack of coordinated response strategies: Healthcare organizations had varying levels of preparedness, leading to inconsistent responses across the industry.
- Urgency for a national cybersecurity strategy: The report emphasized the need for a government-backed framework to mitigate similar threats in the future.
The impact of the attack was not limited to IT departments. The report stated that operational continuity in affected health systems suffered. Hospitals and clinics struggled to process insurance claims and manage revenue cycle functions. This created downstream effects that disrupted patient care.
“Some providers were left scrambling to cover payroll and maintain essential services,” the report stated. “The attack exposed vulnerabilities that extend beyond data security—it became a financial and operational crisis for many organizations.”
Industry Response and Next Steps
In response to these challenges, the HSCC CWG launched the Sector Mapping and Risk Template (SMART) Task Group to identify critical dependencies and weak points in healthcare cybersecurity. The report stated that this initiative aims to map key functions, analyze risk exposure, and develop mitigation strategies.
Additionally, collaboration between the Department of Health and Human Services (HHS), Cybersecurity and Infrastructure Security Agency (CISA), and Health-ISAC has intensified, with a focus on minimum cybersecurity standards for healthcare providers. These organizations are working to create incentive programs that encourage underfunded health systems to adopt stronger cybersecurity measures.
“The Change Healthcare attack was a wake-up call,” said Anahi Santiago, CISO at ChristianaCare and a leader in the Hospital Cybersecurity Landscape Analysis Task Group. “It’s time for healthcare systems to take a proactive, not reactive, approach to cybersecurity.”
The report also highlights the need for improved incident response coordination across the healthcare sector. The Coordinated Healthcare Incident Response Plan (CHIRP), developed by HSCC CWG, provides a framework for healthcare organizations to communicate, escalate, and manage cyber incidents more effectively.
Emerging Cybersecurity Threats in Healthcare
While ransomware and supply chain attacks remain top concerns, the report warned that AI and medical device security will present new risks in the coming years.
AI Cybersecurity Risks
The AI Cybersecurity Task Group, launched in 2024, will assess the security challenges associated with machine learning-based clinical decision support tools and automated patient monitoring systems. The report stated that adversarial attacks on AI could manipulate diagnostic algorithms or disrupt automated workflows in hospitals.
“AI is becoming a core component of healthcare, but many organizations are not prepared for the cybersecurity risks it introduces,” said Rob Suarez, CISO at CareFirst and co-leader of the task group.
Medical Device Security Challenges
Another critical area of concern is medical device security and patching. The report found that health systems struggle to update legacy medical technologies, leaving them vulnerable to cyberattacks.
The MedTech Cybersecurity Task Group is working with medical device manufacturers to establish clearer protocols for patching and updating medical devices. The report stated that fragmented responsibilities between manufacturers and health systems have led to delays in security updates, exposing critical devices to threats.
“A pacemaker or an infusion pump running on outdated software isn’t just a cybersecurity risk—it’s a patient safety risk,” said Phil Englert, Director of Medical Device Security at Health-ISAC.
Cybersecurity Workforce Challenges
The report also emphasized a growing challenge: the cybersecurity workforce shortage in healthcare. Health systems, particularly smaller hospitals and rural providers, struggle to recruit and retain qualified cybersecurity professionals.
To address this issue, HSCC CWG launched an Underserved Provider Cybersecurity Advisory Group, which will work to identify solutions for under-resourced healthcare organizations. The report highlighted cybersecurity training programs, managed security services, and funding mechanisms as key areas of focus.
“Many smaller health systems simply don’t have the budget or staff to maintain a dedicated cybersecurity team,” the report stated. “We need scalable solutions that provide these organizations with access to critical security expertise.”
To-Do List
- Assess third-party dependencies: Identify vendors that are critical to operations and ensure they have robust cybersecurity measures in place.
- Develop contingency plans: Create backup processes for revenue cycle management and data exchange in case of cyber disruptions.
- Strengthen collaboration with federal agencies: Engage with HHS, CISA, and Health-ISAC to align with evolving cybersecurity guidelines.
- Prioritize medical device security: Work with manufacturers to establish clear update and patching protocols for connected devices.
- Prepare for AI-related cyber threats: Train cybersecurity teams on AI vulnerabilities and implement safeguards against adversarial attacks.
- Invest in cybersecurity training: Establish partnerships with academic institutions and workforce development programs to address staffing shortages.
- Implement an incident response framework: Adopt the Coordinated Healthcare Incident Response Plan (CHIRP) to enhance cyber resilience.
As cybersecurity threats to healthcare continue to evolve, industry leaders stress the urgency of building resilience now before another major incident disrupts patient care.
“We have the tools and knowledge to protect healthcare,” said Decker. “Now, it’s about execution.”