With stakes higher than ever, healthcare cybersecurity must rise to meet the moment

DARPA and ARPA-H say the winners and finalists of the AIxCC have developed a level of cyber reasoning that's now ready to tip the scales in favor of defenders – and hopefully make ransomware a thing of the past.

Broad access to artificial intelligence has quickly evolved a new arms race in which healthcare security teams should implement AI from the ground up in their platforms and processes – and hold vendors' "feet to the fire" – to keep up with threats.

Third-party security vendor risk mitigation is another imperative as health systems rely on more and more technologies, says Barry Mathis of healthcare management consulting firm PYA.

The payoff behind artificial intelligence, the expertise of virtual CISOs and the tactics of successful device management – Peyman Zand, chief strategy officer at healthcare consulting firm CereCore, spells out the benefits and the challenges.

Financially constrained hospitals and health systems need federal funding and support to augment their cybersecurity workforces, according to a Health Sector Coordinating Council report to HHS.

Securing a patchwork of IT systems can be a tall order for small facilities, but collaboration and info sharing is helpful, says one chief security officer.

Improving cybersecurity despite resource challenges requires small healthcare providers to pull many support levers. "We need to move away from the idea that each rural hospital is solving these issues alone," says one infosec leader.

A privacy and security expert discusses how small and rural hospitals can move beyond past IT mistakes and implement zero-trust strategies that quickly improve their cybersecurity postures.

More tech companies, and the government, are needed to address rural healthcare cyberattacks, according to the new Microsoft rural hospital cybersecurity landscape report. 

Tech CISO Scott Mattila discusses proactive measures critical to reducing cyber-risks and describes the steps hospitals and health systems can take to prepare now to comply with crucial mandates. He also highlights the new rule's impact of direct liability on business associates.

Automation and emerging technologies may accelerate efficiencies but can also add to IT burdens. Careful planning, testing and frameworks are a must to avoid creating new security problems, say panelists at HIMSS25.

Now is the time to get involved with the Healthcare and Public Health Sector Coordinating Council's strategic plan to upgrade cybersecurity from critical to stable condition, says Chris Tyberg, HSCC executive committee chair.

Robert Connely of Pega says patching legacy systems will give way to true health IT modernization, a security breakthrough will lead artificial intelligence into routine use – and AI will make value-based care the industry standard.

Even as the number of impacted individuals has been again revised upward, industry leaders say there are silver-lining lessons to learn from the incident about security frameworks, third-party risk and basic cyber hygiene.

The agency seeks to make its first HIPAA Security Rule update since 2013 to clarify what health plans, healthcare clearinghouses, providers and their business associates must do to protect the security of electronic protected health information.

Scott Alldridge, author of "VisibleOps Cybersecurity: Enhancing Your Cybersecurity Posture with Practical Guidance," discusses Zero Trust and micro-segmentation, leadership’s role, proactive threat management, and more.

A cybersecurity CEO offers advice on tactics healthcare CISOs and CIOs should use to protect sensitive telehealth data, and how providers can adopt a proactive security stance specific to virtual care.

How is artificial intelligence being used to identify anomalies in sensitive healthcare data to safeguard patient information? What are best practices for enhancing cybersecurity through AI and ML? An expert answers those questions and others.

Himaja Motheram, a security researcher, walks CISOs and other security leaders through the various weaknesses in healthcare and offers solutions to protect organizations and their data.

A week of discussion spearheaded by the patient advocate group aims to highlight the risks of harm from unauthorized access to healthcare information over the internet. There should be "no aggregation without representation," its leaders say.

Understanding the threat environment, knowing where controls are deployed and other core competencies become that much more critical when artificial intelligence is involved, says the CISO of Mass General Brigham.

David Heaney, chief information security officer at Mass General Brigham, explains how genAI can help his team learn and protect. He also discusses best practices for securing data with – and against – AI.

The Homeland Security agency points to 13 vulnerabilities with the networked medical imaging and archiving systems that should be patched now. One dark web research firm says the U.S. and Brazil have the most internet-exposed PACs.

At the upcoming HIMSS AI in Healthcare Forum, Chief Information and Digital Officer Sunil Dadlani will speak to other C-suite leaders about bridging the gap between artificial intelligence-enabled security and cyber defense.

While the healthcare group "strongly supports" CIRCIA's security goals, it's urging the Homeland Security agency to "consider the challenges covered entities face during and immediately after experiencing a cyberattack."

The AHA and National Rural Health Association are also onboard for the initiative, which will offer grants, free endpoint security advice and other resources for critical access and emergency hospitals.

To improve healthcare cybersecurity, an organization can shore up Internet-enabled device misconfigurations by starting with CIS Benchmarks, before moving on to industry-specific standards, Fortra’s Tyler Reguly said.

The agency says threat actors are targeting organizations' IT help desks with phone calls from a local area code claiming to be revenue cycle or administrator employees. After gaining access, they divert legitimate payments.

Poorly controlled cloud environments, growing access to systems, heightened regulatory scrutiny and significant deals activity will require healthcare CISOs, CIOs and other security leaders to bolster the defenses.

Darren Lacey discusses the key foundational technologies underlying healthcare's IT infrastructure, and how innovative approaches to open-source tooling and memory safe languages can help improve health systems' cybersecurity posture.

In healthcare, larger hospitals, all critical access hospitals, essential drug manufacturers and Class II and Class III devices would fall under the draft mandatory reporting rules, but health IT developers and others would not.

Also: Availity clarifies reports that it has cut ties with the clearinghouse and says it "fully expects" to reconnect to Change Healthcare.

Texting of patient orders among members by healthcare teams is now permissible at hospitals and critical access hospitals when done through a HIPAA-compliant secure platform in compliance with CMS Conditions of Participation rules, the agency says.

The nonprofit group's Interoperable Secure Cloud Fax Consensus Body aims to add cross-platform identity assurance, standards-based metadata exchange and new federated security standards to facsimile exchange.

The Sunshine State's proposed law would shield governments and businesses against liability claims that result from a data breach that occurs during a cyberattack.

Ahead of new enforceable standards, U.S. Health and Human Services has released voluntary cybersecurity performance goals to address the most significant cyberattack vectors hospitals and healthcare providers face.

The HHS 405(d) program has new resources to help small to large healthcare organizations navigate what's important when implementing cyber insurance.

The DOJ announced that the FBI also has decryptor keys for Blackcat ransomware victims and will "prioritize disruptions" as it works to "dismantle the ecosystem fueling cybercrime."

The National Institute of Standards and Technology created guidance for evaluating differential privacy algorithms that could allow data to be publicly released without revealing the individuals within the dataset.

"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," says Rick Pollack, president and CEO of the American Hospital Association.

Some healthcare organizations use homegrown tracking technologies to avoid third-party disclosures of protected information, but all have to understand if their practices comply with applicable privacy laws, says Betsy Hodge, partner at Akerman.

"When we see a vulnerability or intrusion campaign that could have been reasonably avoided if the software manufacturer had aligned to secure by design principles, we’ll call it out," writes CISA cybersecurity leaders Eric Goldstein and Bob Lord.

In a complaint filed in federal court in Texas, the hospital group says enforcement of the Office for Civil Rights' regs on pixel tracking tools would disrupt the "balance that HIPAA and its regulations strike between privacy and information-sharing."

The Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services released the Cybersecurity Toolkit for Healthcare and Public Health after a discussion on cybersecurity challenges the U.S. healthcare and public health sector system faces and how government and industry can work together to close the gaps in resources and cyber capabilities. WHY IT MATTERS Because adversaries see healthcare and public health organizations as high-value, "cyber poor" targets, CISA is working with HHS and the healthcare sector to secure health organizations, explained CISA Deputy Director Nitin Natarajan in Wednesday's announcement, especially our under-resourced hospitals and health centers. "Given that healthcare organizations have a combination of personally identifiable information, financial information, health records and countless medical devices, they are essentially a one-stop shop for an adversary," he said in a statement. The new tool kit contains remedies for healthcare organizations of all sizes and addresses cyber hygiene, tools to build strong cybersecurity foundations, and resources to strengthen defenses and stay ahead of constantly evolving threats.  "The toolkit is designed for healthcare and public health organizations at every level of capability," HHS said in a statement Thursday. The tool kit links to the Healthcare and Public Health Sector Coordinating Council resources for managing risks, improving security, and implementing and executing mature cybersecurity and response measures, such as HSCC's Health Industry Cybersecurity Practice. HICP serves as the industry's response to the Cybersecurity Act of 2015 Section 405(d)'s requirement. The new tool kit also connects users to the HPH Sector Cybersecurity Framework Implementation Guide by HHS and CISA's vulnerability scanning services, which evaluate external network presence by executing continuous scans of public, static IPv4s for accessible services and vulnerabilities.  The site also consolidates various cybersecurity alerts applicable to the healthcare sector, information about free cybersecurity services and tools, security training and tools, reporting portals, and more. THE LARGER TREND In August, CISA outlined its efforts to address immediate cybersecurity threats and harden systems against attack with greater accountability in its FY 2024-2026 strategic plan. "We know we cannot achieve lasting security without close, persistent collaboration among government, industry, security researchers, the international community and others," CISA said in a statement when the plan was made public. Under the National Cyber Incident Response Plan, CISA must also increase the number of participating organizations and the number of cyber defense plans for high-priority risks identified, the agency said. Greg Garcia, executive director of HSCC Cybersecurity Work Group, has said that improving cyber preparedness is a collective responsibility. "None of us individually is as smart as all of us collectively," he said in December at a HIMSS Cybersecurity Forum.  ON THE RECORD "We are also focused on efforts to secure our world by educating the people, companies, and agencies how they can better secure themselves with cybersecurity," Natarajan said in a statement. "CISA conducted pre-ransomware notifications to over 65 U.S. healthcare organizations to stop ransomware encryption and warn entities of early-stage ransomware activity," he noted. "We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years," added HHS Deputy Secretary Andrea Palm. "The more they happen, and the longer they last, the more expensive and dangerous they become," she said. Andrea Fox is senior editor of Healthcare IT News. Email: afox@himss.org Healthcare IT News is a HIMSS Media publication.