John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said that the bad guys—hacking groups or criminal organizations based primarily in Russia, China, North Korea and Iran—have mapped the U.S. healthcare sector to find where large amounts of protected data exist outside of hospitals and health systems.
He believes third parties or technologies are being targeted because they're often clearly easier to attack than going after electronic health records directly.
Taking threats seriously
A report last year from technology giant IBM put the average cost of a healthcare data breach at about $11 million. Riggi said he views the estimate as too low since it includes costs worldwide.
He estimates breaches in the U.S. cost closer to an average of $20 million. If so, the 719 breaches in 2023 could have cost the industry more than $14 billion.
Magnano cites such costs as well as increasing civil lawsuits related to cybersecurity, the impact to business and erosion of patient trust as reasons executives in 2024 are starting to take a sharper look at what she calls "cybersecurity hygiene" or risk management systems.
In addition to focusing on security and internal education, she said health systems are considering the rising risk and are addressing security concerns before entering into a contract with outside vendors.
Riggi said technology needs to be more secure before it's even purchased. He said the primary responsibility for software security needs to shift to the developers.
"We shouldn't have to patch so much so often," he said.
Both experts say that government officials will need to play an increased role in addressing cyber threats. Riggi especially sees a need for more involvement on the policy level, as well as from the intelligence and defense communities.
"Unless that support from the intelligence community and [the Defense Department] increases to help law enforcement disrupt these groups, I think we will continue to see the same situation in 2024 in terms of increased attacks," he said.
The threat of AI
The role that artificial intelligence played in 2023 cyber attacks and could play in the future concerned Magnano and Riggi.
Magnano said AI will be a benefit and a threat, leading to more sophisticated breaches but also giving vendors and health systems new tools to prevent attacks.
Riggi listed three ways AI will increase risk:
- More efficient phishing attacks. He said these are already happening at a very basic level, but as AI programs learn more they will improve.
- More sophisticated malware. AI can write code that exploits known vulnerabilities quickly, he said, and help find organizations with those vulnerabilities exposed online.
- Deep fakes. Riggi said he hasn't seen much evidence of these yet, but he's concerned about scenarios like employees getting a phone call from a voice that sounds just like the company CEO asking for a password reset.
"I think we're at the beginning stages of an AI-fueled cyber arms race," Riggi said.