Hidden cracks in the healthcare cybersecurity ecosystem

In recent years, hospital vulnerabilities have dominated headlines and board-level discussions, delivering harsh revelations about cybersecurity and privacy weaknesses in clinical settings. Ransomware attacks against hospitals are becoming a daily threat, locking patient records, disrupting care delivery, costing facilities millions of dollars and causing physical harm and death to patients. However, these incidents and targets are just the tip of the iceberg.
Below the surface of these headlines lies a vast healthcare ecosystem (medical device manufacturers, pharmaceutical companies, insurers, mobile health applications and more) whose interconnected weaknesses create an enormous attack surface. Data flows through this cold ocean at every depth, exposed to attackers along the way.
Beyond Hospitals: At-Risk Ecosystem Participants
A lot has been written about this, but it is worth highlighting: while hospitals may be the most obvious target, the deeper layers of the ecosystem are equally dangerous. For example, medical device manufacturers produce equipment such as pacemakers, infusion pumps and MRI machines that are increasingly connected to hospital networks. While they have revolutionized patient care, these devices often run outdated software, lack basic encryption and lack monitoring capabilities. A joint research project in 2023 identified 993 vulnerabilities in 966 medical products, a 59% year-on-year increase from 2022, yet manufacturers face little regulatory pressure to prioritize security over innovation. Hackers can use these devices as entry points, turning life-saving tools into backdoors for ransomware.
As another example, pharmaceutical companies hold large amounts of sensitive data, which may include clinical trial records, patient registries, sensitive health information and supply chain details. Their vast, usually global, operations rely on third-party suppliers, further expanding their risk. An incident or breach at a pharmaceutical giant may not only expose sensitive data; it can disrupt the drug supply chain, delay treatment and inflate costs. Insurance companies and health technology companies manage claims and telemedicine platforms, adding further exposure. Each player usually operates in a silo, prioritizing its own operations over collective security, leaving the ecosystem fractured and vulnerable.
Mergers: A Double-edged Sword
Rapid consolidation in the healthcare industry exacerbates these risks. Large mergers among hospital systems, clinical research organizations, insurers and technology companies have created centralized data hubs: rich troves of information that facilitate treatment and care delivery, but also prime targets for cybercriminals. A breach at a complex entity, such as an integrated healthcare organization acting as provider, payer, pharmacy and service vendor to other healthcare entities, can expose millions of records, far exceeding the impact of an attack on an independent hospital. The 2023 ransomware attack on Change Healthcare affected about one-third of U.S. healthcare transactions because of its parent company's dominance. Mergers streamline care delivery, but they also concentrate risk, turning a localized issue into systemic disruption.
Centralization and consolidation can also breed complacency about compliance. Large organizations often assume that their scale and ability to recruit top performers keep pace with their complexity, but huge networks (usually pieced together from legacy systems and acquisitions) can hide unresolved vulnerabilities. Larger entities continue to absorb smaller players, each bringing its own practices and policies and adding pressure to existing cracks. The larger and more complex the entity, the harder it is to review and evaluate every nook and cranny, leaving room for threat actors to manipulate.
Where security and data protection are insufficient
In this ecosystem, we often see one or all of the following: (1) the organization has no effective incident/breach response plan; (2) the organization struggles to measure and respond to vendor and third-party risk; (3) prevention methods generally assumed to be mature are in fact still rudimentary; and/or (4) the organization struggles to identify resources to support tabletop and incident response exercises, which are invaluable for managing inevitable attacks.
Furthermore, too many organizations still rely on reactive strategies, patching systems, or reviewing and evaluating them, only after an attack rather than proactively hardening them. For example, when a medical device manufacturer pushes updates only when a regulator or litigation forces it, hospitals are left with insecure equipment and without the technical knowledge or expertise to apply the appropriate update themselves.
Third-party suppliers exacerbate the strain. From cloud storage providers to billing software companies, these widely used vendors handle every type of data without considering where the data originates or whether one type of data warrants different handling from another. According to a 2024 report, the number of individuals affected by breaches at business associates soared 287% from 2022 to 2023, although responsibility for these incidents remains murky. Contracts rarely mandate specific, strict security controls, and supplier audits and evaluations are usually reactive or ad hoc. The healthcare ecosystem's understandable dependence on outsourcing, while beneficial in many ways, creates a network of weak links, each a potential entry point for attack.
As if we were not worried enough, human error adds a dangerous undercurrent that amplifies vulnerability. Organizations often fail to provide employees with adequate and appropriate training to recognize phishing lures, the bait behind most ransomware attacks. Anyone from executives to technicians who clicks a malicious link or reuses a weak password can open the door to a cyberattack, turning a thoughtless mistake into a tidal-wave breach. Multifactor authentication (MFA) is widely regarded as a solid reinforcement against such threats, yet it remains unused and unenforced, often because of cost, complexity and employee frustration. Without strong education and basic defenses like MFA, we humans create substantial cracks in the iceberg that technology alone cannot fully compensate for.
The Solution: Re-examine the Ecosystem
To stop the slow melt, healthcare must chart new routes through its cybersecurity and data protection icebergs and seal the cracks before they split further. Patching alone is inadequate; the ecosystem needs a collective reassessment at every level: accountability, enforcement, funding, technology, expertise and collaboration all play a role.
Comprehensive audits, compliance assessments and incident response exercises are crucial, not only for hospitals but for every player that touches sensitive data. Regulators should mandate annual compliance assessments and periodic patch management, and require disclosure of vulnerabilities and timelines for fixes. Entities not covered by HIPAA or other federal rules should proactively exercise appropriate controls, including audits and assessments of their partners and suppliers.
In other words, the industry needs a cultural shift toward proactive security and data protection. Organizations should embed these measures in their DNA rather than treating policies and controls as compliance checkboxes. This will not happen easily; it means investing in real-time threat monitoring, not just post-breach forensics, and rethinking consolidation, perhaps by incentivizing smaller, decentralized networks to limit the blast radius of an attack. Multi-party protocols leveraging blockchains or zero-trust architectures can secure data flows among players and minimize the risk of data manipulation, ensuring that no single point of failure can bring down the system.
Finally, collaboration is key. We often see silos within a single organization, let alone across the entire ecosystem. In particular, compliance leaders (CISOs, compliance staff, privacy officers, legal and risk management) must cooperate to share threat intelligence and best practices and communicate appropriately with leadership and boards. Remember: threat actors do not discriminate by department; nor should our defenses.
Call to Action
The spotlight on hospital vulnerabilities reveals a truth we cannot ignore: cybersecurity and data protection in healthcare are only as strong as the weakest crack. Medical device manufacturers, pharmaceutical companies, health IT, privacy, research organizations and merged systems all play a role in this vulnerability, with shortcomings that ripple outward, endangering patient data and trust. We must take an approach that considers and respects the whole ecosystem: reviewing and evaluating our own organizations as well as our partners and suppliers, taking proactive measures across services, and fostering collaboration. We can seal the cracks before the next hit. The stakes (privacy, care and lives) have never been higher.