Cyberattacks and data breaches have hit healthcare hard in 2024, and the industry is preparing for another busy year of cybersecurity and healthcare privacy activities.
The 10 biggest data breaches reported to the HHS Office for Civil Rights (OCR) in 2024 affected 137 million people in total, and the total for all breaches reported for the year will exceed 168 million people. Nine of the top 10 breaches were attributed to a hack or cyber incident, illustrating the ongoing effects of cyberattacks on the industry.
Looking ahead to 2025, healthcare will likely remain a target for cyberattacks and data breaches. However, experts predict that the industry’s response and preparation for these incidents will change, whether through everyday defense tactics or legislative actions.
Healthcare sector will focus more on cyber resilience and hygiene
Cyber resilience remains a key focus area for healthcare organizations heading into the new year, as cyberattacks continue to disrupt operations and supply chains.
“In 2025, healthcare cybersecurity resilience will continue to evolve from a reactive to a proactive spectrum,” said Ty Greenhalgh, healthcare industry director at Claroty.
Greenhalgh predicts that ransomware will remain the primary method of cyberattack in 2025, forcing healthcare organizations to resort to defensive strategies to make hackers’ jobs more difficult.
“Healthcare organizations must build resilience into their cybersecurity strategies if they are to survive, focusing on anticipating stresses and taking proactive measures before incidents occur,” Greenhalgh added. “This change not only minimizes the impact of potential threats, but also ensures faster recovery and continuity of operations, protecting patient care and organizational assets.”
In 2023, HHS and the Health Sector Coordinating Council released a comprehensive landscape analysis that explored the state of cybersecurity resilience in US hospitals. The analysis revealed significant gaps in hospital cyber resilience, including underutilization of multi-factor authentication (MFA) and significant supply chain risks.
In February 2024, the Change Healthcare cyberattack disrupted healthcare operations across the country, further highlighting the importance of fundamental security controls and cyber resilience. The attack succeeded because the threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected by MFA.
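The control gap described above, a remote-access portal that accepts a password alone, is one that shows up in authentication logs long before an incident. The script below is an added example written for this article; it is not code from Change Healthcare, Citrix, or any organization quoted here. It runs over a constructed CSV sample of gateway login events and flags successful remote-access sessions that were not backed by a second factor, counts them per service so the worst entry point can be fixed first, and surfaces source addresses that logged in as several different users on passwords alone, the pattern that stolen or purchased credentials tend to produce. The log layout, field names, and service names are assumptions; real gateways and identity providers each log differently and need their own parser.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of gateway authentication events. The CSV layout and the
# field names (service, result, mfa) are assumptions for this example; real
# gateways and identity providers each log differently.
SAMPLE_AUTH_LOG = """\
timestamp,service,user,src_ip,result,mfa
2024-02-12T02:11:05Z,citrix-portal,j.doe,203.0.113.10,success,none
2024-02-12T02:11:40Z,citrix-portal,j.doe,203.0.113.10,success,none
2024-02-12T03:02:17Z,vpn,a.smith,198.51.100.22,success,totp
2024-02-12T03:05:01Z,citrix-portal,b.lee,192.0.2.77,failure,none
2024-02-12T04:45:59Z,citrix-portal,m.chan,198.51.100.9,success,push
2024-02-12T05:10:30Z,ehr-web,n.ortiz,203.0.113.10,success,none
"""

# Internet-facing entry points where a password-only login is the gap the
# text describes. These service names are hypothetical.
REMOTE_ACCESS_SERVICES = {"citrix-portal", "vpn", "ehr-web"}


def parse_events(text):
    """Parse the CSV log into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def logins_without_mfa(events, remote_services=REMOTE_ACCESS_SERVICES):
    """Successful logins to a remote-access service with no second factor.

    Failed attempts are ignored on purpose: the finding is a session that was
    actually established on a password alone, which is exactly what an
    attacker holding stolen credentials needs.
    """
    return [
        e for e in events
        if e["service"] in remote_services
        and e["result"] == "success"
        and e["mfa"] == "none"
    ]


def count_by_service(findings):
    """Password-only sessions per service; use this to decide which entry
    point to put behind MFA first."""
    counts = defaultdict(int)
    for e in findings:
        counts[e["service"]] += 1
    return dict(counts)


def multi_user_sources(findings):
    """Source IPs that established password-only sessions as more than one
    user. One address cycling through several accounts is the pattern that
    credential stuffing or a purchased credential dump produces."""
    users_by_ip = defaultdict(set)
    for e in findings:
        users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def analyze(log_text):
    """Run all three checks over a log and return the results together."""
    events = parse_events(log_text)
    findings = logins_without_mfa(events)
    return {
        "findings": findings,
        "by_service": count_by_service(findings),
        "multi_user_sources": multi_user_sources(findings),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG)
    for e in report["findings"]:
        print(f'{e["timestamp"]} {e["service"]:14} {e["user"]:8} from {e["src_ip"]} (no MFA)')
    print("password-only sessions per service:", report["by_service"])
    print("sources using several accounts:", report["multi_user_sources"])
```

On the constructed sample, the two j.doe logins and the n.ortiz login are flagged, the Citrix portal accounts for two of the three, and 203.0.113.10 is reported for having logged in as two different users without a second factor. Pointed at real gateway exports, the same three checks answer the two questions the landscape analysis and the Change Healthcare incident raise: which remote entry points still accept a password alone, and whether anyone is already walking through them.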
For Mason Clutter, data security partner at Frost Brown Todd and former chief privacy officer at the U.S. Department of Homeland Security, 2025 will be a year about fundamental security measures.
“What’s old is new again in 2025. Personal health information is incredibly sensitive, private, and ultimately valuable information,” Clutter said. “The lessons of the past will come to fruition in 2025: cyber hygiene is essential, both on the provider side and on the patient side.”
Continually monitoring cyber threats and implementing appropriate protective measures and basic cyber hygiene will go a long way in protecting healthcare systems in 2025 and beyond.
AI will continue to present new threats and opportunities
As the role of AI in healthcare evolves, security and privacy are crucial. Cyberthreat actors and defenders alike have learned to use AI to their advantage, and this will probably continue in 2025.
“The use of AI by cybercriminals will increase significantly in 2025, creating more sophisticated and targeted attacks against healthcare organizations,” said Brian McGinnis, partner at Barnes & Thornburg and co-chair of the firm’s data security and privacy practice group. “The increased use of generative AI tools will allow threat actors to design attacks such as highly personalized phishing campaigns and develop standalone malware that can bypass traditional security measures.”
Cyber threat actors can use AI tools to create more convincing phishing emails and increase the speed and volume of their attacks.
To mitigate these risks, McGinnis recommended that healthcare organizations deploy their own AI-based cybersecurity tools for continuous monitoring of cyber threats and improve employee training programs so staff can recognize AI-driven threats.
“Collaboration and information sharing with regulators and industry peers will also be critical to staying ahead of adversaries who are increasingly exploiting AI for malicious purposes,” McGinnis added.
Shannon Hartsfield, partner at Holland & Knight, says AI remains a driver of innovation in healthcare, but privacy risks cannot be ignored.
“AI tool developers will increasingly need data to train large language models, but regulators are concerned about the use of personal data in this way,” Hartsfield said. “Additionally, HIPAA imposes restrictions that could hinder such uses.”
As healthcare IT professionals grapple with the security and privacy implications of AI, 2025 will certainly bring a new set of challenges and opportunities for innovation.
Privacy and security legislation will expand to state and federal levels
In addition to focusing on cyber resilience and continued advances in AI, lawmakers will likely continue to propose additional privacy and security laws at the state and federal levels.
For example, the HIPAA Security Rule is expected to be updated in late 2024 or early 2025. HHS submitted a draft to the U.S. Office of Management and Budget in October 2024, and it is currently under review.
“The HIPAA Security Rule was finalized more than two decades ago, and security capabilities and threats have changed tremendously,” Hartsfield said. “The security rule is flexible and scalable, but it would be helpful to have more guidance tailored to current technology.”
Additionally, experts predict that the industry will continue to see states pass their own privacy legislation.
“In 2025, more states are likely to pass laws like Washington’s My Health My Data Act, protecting consumer health data that falls outside of HIPAA regulations,” said Tara Cho, who leads Womble Bond Dickinson’s privacy and cybersecurity team.
Washington’s My Health My Data Act, passed in 2023, provides consumers with additional privacy protections, including the ability to withdraw consent and to request deletion of their data.
Washington is not the only state to have taken action.
“Since the California Consumer Privacy Act took effect in 2020, 20 U.S. states have passed comprehensive privacy laws, and this trend shows no signs of slowing,” McGinnis said.
By the end of 2025, eight more states will have new privacy measures in place providing additional protections for various types of personal data, McGinnis noted. As the patchwork of state and federal privacy laws becomes more complex, entities that process health data will need to understand how HIPAA interacts with these state laws, where it does, and comply accordingly.
Looking ahead to 2025, healthcare organizations and other entities that process health data can expect another year of adapting to the evolving cyber threat landscape, monitoring the implications of AI for security and preparing for upcoming security and privacy legislation.
Jill McKeon has been covering cybersecurity and healthcare privacy news since 2021.