In 2024, cybersecurity was a major challenge for the healthcare sector, with multiple high-profile attacks. One attack, which exposed data from a record-breaking 100 million Americans, was a “milestone event” that highlighted how interconnected the healthcare industry is, according to Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.
Read about the other three trends in this Advisory Board article.
The shape of AI regulation will be uncertain under the Trump administration this year, while healthcare companies will continue bolstering cyber defenses to withstand increasing attacks, experts say.
Cybercriminals continue to target healthcare
Cybersecurity proved to be a major challenge for the healthcare sector in 2024, and organizations are taking notice, experts say. But bringing the industry’s cyber protections up to snuff will take time — and hackers are unlikely to stop targeting healthcare firms.
The industry is coming off a year that included multiple high-profile attacks. In early 2024, the entire healthcare ecosystem struggled to manage the fallout from the cyberattack against Change Healthcare, a technology firm and claims processor owned by industry giant UnitedHealth.
The attack — which exposed data from a record-breaking 100 million Americans — was a “milestone event” that highlighted the interconnected nature of the sector, said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, or Health-ISAC.
“I think the wake-up moment there was how suppliers could have a single point of failure impact on delivery of healthcare,” Weiss said.
Read the full article in Healthcare Dive.
The New York Blood Center (NYBC) said it suffered a ransomware attack that disrupted its operations and forced some rescheduling.
Cyber attacks on blood donation centers have prompted the Health Information Sharing and Analysis Center (Health-ISAC) and the American Hospital Association (AHA) to issue a joint threat bulletin warning of potential supply chain disruptions.
“The recent ransomware attack on the New York Blood Center (NYBC) serves as a wake-up call for organizations across sectors, particularly those in critical services such as healthcare,” said Roei Sherman, Field CTO at Mitiga. “As one of the world’s largest independent blood collection and distribution organizations, this incident undermines not just their operational capacity but potentially jeopardizes public health.”
Initiative Aims to Bolster Security of EU Member Hospitals, Healthcare Providers
Errol Weiss, chief security officer of the Health-ISAC in the U.S., said the EU commission’s action plan comes at a time when healthcare organizations still struggle to obtain enough funding to defend their networks properly.
“The problem is seen in the EU, the U.S. and globally. Healthcare organizations need resources – not only the technology needed to protect those networks but also the experienced infosec professionals to run those systems,” he said. “I’m glad the commission recognizes the value that ISACs bring to protecting organizations and improving security through information sharing and collaboration.”
Those charged with protecting their digital infrastructures understand that by sharing information, they are not only protecting themselves but also strengthening the security of the entire digital ecosystem, Weiss said.
In 2023, the Health-ISAC partnered with the European Health ISAC to leverage “the global strength” of Health-ISAC’s membership through the visibility of threats in over 140 countries with the European Health ISAC’s strength of community and local perspectives, he said.
“We need to unite and stay vigilant against cyberthreats,” he said. “With Health-ISAC and European Health ISAC operating together in the EU, we can create a safer community where healthcare organizations benefit from improved visibility of threats and vulnerabilities, plus they benefit from sharing of best practices and other key insights that ultimately improve patient safety.”
Read the full article in Data Breach Today.
Experts Offer Advice for Managing Growing Inventories, Resources for Providers
The HSCC’s “Health Industry Cybersecurity – Managing Legacy Technology Security” – or HIC-MaLTS – guidance offers organizations best practices that can be used to manage cyber risks of legacy medical technologies, said Phil Englert, vice president of medical device security at the Health Information Sharing and Analysis Center.
HIC-MaLTS takes on common healthcare cybersecurity challenges. For example, “many different types of medical devices and the diverse locations in which they are used possess unique risk profiles and include diagnostic, therapeutic, wearable, implantable and software-as-a-medical device features, among others, that can be used in hospitals, clinics, and other non-clinical and home healthcare settings,” he said.
Also in this article:
four life cycle phases of medical devices
“system-view” inventories combined with segmentation and network access controls
HSCC’s Model Contract-Language for Medtech Cybersecurity
Read the article in Healthcare Infosecurity.
Read the full article in Information Security Buzz.
Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone of patient privacy. The act established standards for how healthcare organizations handle and share patient data, creating a framework for ensuring confidentiality.
But the healthcare landscape has transformed dramatically, and with it, the risks have multiplied. Emerging cyber threats and complex vulnerabilities have exposed critical gaps in HIPAA’s protections. In response, lawmakers are advancing new legislation aimed at fortifying healthcare organizations against the escalating tide of cyberattacks.
Last year, lawmakers introduced two bills – the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA) – aimed at modernizing protections for sensitive health data. While these measures represent an important step forward, they remain stalled in the legislative process and have yet to become law.
And, even if they are enacted, the limited scope and enforcement mechanisms outlined in these bills may fall short of addressing the escalating cyber threats plaguing our increasingly digital healthcare system. Without a more comprehensive and aggressive approach, these initiatives risk being seen as symbolic gestures in a fight that demands urgent and decisive action.
Read further to gain a full understanding of both bills, including
Phil Englert and our host Chris Blask have been co-chairing a CISA working group on software bill of materials (SBOM) sharing. The working group has developed a process to help ISACs and similar organizations determine the control architecture necessary to manage the distribution of SBOMs among their members.
Listen to the Inevitability Curve podcast EP14.
Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.
Since the beginning, HIPAA has always been the best, yet insufficient, regulation dictating cybersecurity for the healthcare industry.
“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”
HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.
“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”
One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.
“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”
Experts: New Mandates Could Be Difficult, Costly for Many Entities
A proposed overhaul of federal cybersecurity regulations for the healthcare industry could mean difficult and expensive heavy lifting for many organizations, said experts.
“The costs to fulfill these provisions will be enormous,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center. “Where is the money coming from to pay for all this? It can’t be from future savings from avoided breach penalties. Financially strained healthcare providers, especially small rural hospitals, don’t have the resources to support these new proposals,” he said.
Any regulatory requirements like this will need to come with funding assistance so that healthcare providers can acquire the proper technology and, more importantly, recruit and retain experienced cybersecurity professionals to adequately protect their networks, Weiss said.
Read the full article in Bank InfoSecurity.
Google is partnering with Health-ISAC to deliver innovative training programs, cybersecurity intelligence programs, and other resources for rural health systems.
Cyberattacks on healthcare organizations disrupt their ability to operate and jeopardize patient care. Rural healthcare systems in the US serve 60 million people and are at the heart of countless communities. The safety of everybody in a community is threatened when critical healthcare information systems are unavailable due to cyber incidents.
Google is committed to helping vulnerable health systems strengthen their resilience to cyberattacks. We are partnering with government and industry to offer our services, support, and technologies, enabling systems to focus on patient care.
A tailored initiative to improve security
Designed for rural hospitals
Rural health systems and hospitals reflect the uniqueness of the communities they serve, and so does our offer. It delivers a growing set of secure-by-design Google technology for access and collaboration, consulting and support services, and security training resources at a discount or no cost. The solution is adapted to the needs of each rural health entity. The health facility should be located in a county or region designated as rural by the Health Resources and Services Administration (HRSA).
Effective collaboration to defend against and respond to cyber attacks is vital to securing healthcare. Google is an ambassador partner to the Health Information Sharing and Analysis Center (Health-ISAC). Health-ISAC’s mission is to empower trusted relationships in the global healthcare industry to help prevent, detect, and respond to cybersecurity and physical security events so that members can focus on improving health and saving lives. Google is partnering with Health-ISAC to deliver innovative training programs, cybersecurity intelligence programs, and other resources for rural health systems.
Program offerings
Most of these will be offered at no cost or with significant discounts, acknowledging the financial constraints faced by many rural healthcare systems. Additionally, we will provide implementation services and support to eligible organizations. These offerings are only available in the US at this time.
We sat down with Health-ISAC Chief Security Officer Errol Weiss to discuss his 25-year career spanning banking, government, and healthcare and identify the biggest cybersecurity threats and trends impacting the healthcare industry in 2025 and beyond.
Weiss described the unique challenges faced by healthcare organizations compared to financial services. Healthcare systems often manage complex infrastructures, including modern cloud-based systems, legacy devices (like MRI machines with outdated operating systems), and diverse medical device ecosystems. This complexity is compounded by a longstanding underinvestment in cybersecurity, with resources historically allocated toward privacy and compliance (e.g., HIPAA regulations) rather than robust security measures.
He stressed that underfunding and a lack of dedicated Chief Information Security Officers (CISOs) in healthcare make it challenging to protect these environments effectively. However, incidents such as ransomware attacks have driven increased awareness and investment in healthcare cybersecurity over the past decade.
By Errol Weiss, chief security officer, Health-ISAC.
Healthcare data breaches are reaching unprecedented levels, with attacks that target the industry surging in both frequency and sophistication. Cybercriminals are zeroing in on vulnerabilities across healthcare systems, exploiting outdated and unpatched systems to steal and manipulate sensitive patient data.
From medical histories to genomic information, this data has immense value, making it a lucrative target for ransomware, phishing schemes, and insider threats. As healthcare organizations scramble to shore up defenses, the risks extend beyond financial losses to jeopardize patient safety and trust.
The urgency is exemplified by two landmark pieces of legislation—the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA). These laws aim to confront the mounting threats, but they also raise critical questions: Can they outpace the rapidly evolving tactics of cybercriminals? Are they enough to close the gaps left by outdated regulations like HIPAA?
Topics covered in this article include:
Limitations of existing legislation
A new era of protection
Future opportunities
Final thoughts
Read the article in Electronic Health Reporter.