Healthcare Continues to Be Top Target for Threat Actors, Expert Says
Key Highlights
- Healthcare remains a prime target for cybercriminals due to the high value of ePHI on the dark web and the critical nature of hospital operations.
- AI is a double-edged sword, enabling bad actors to accelerate attacks while offering opportunities for enhanced defense mechanisms if integrated effectively.
- Strong governance, executive engagement, and a culture of cybersecurity are essential for organizations to mitigate risks and respond swiftly to threats.
- Phishing and lateral movement within networks are common attack vectors, underscoring the need for multi-factor authentication and robust backup strategies.
- Regulatory developments, including updates to HIPAA, will influence cybersecurity practices, requiring industry-wide adaptation and collaboration.
Cybersecurity is becoming one of the most vital areas for investment in healthcare. This year, over 33 million Americans have experienced healthcare data breaches, and cyberattacks are growing more sophisticated. Threat actors now utilize artificial intelligence (AI) to increase their speed and scale, surpassing hospital defenses more rapidly.
Baxter Lee, cybersecurity expert and president of Clearwater, a healthcare security firm recently acquired by the private equity firm Sunstone Partners, shared his insights with Healthcare Innovation about what this year’s events reveal regarding the state of healthcare cybersecurity and what leaders need to do to prepare for 2026.
What insights can you provide about the current cybersecurity landscape in healthcare?
Healthcare continues to be a top target for threat actors, particularly given that hospitals and health systems are more likely to pay ransom given the critical nature of their operations. Electronic Protected Health Information (ePHI) continues to be the most valuable information on the dark web. The more we pay, the more it self-funds the bad actors to continue to go after it.
You're dealing with a mix of technology and constituents that have legacy technology. We're exchanging data at an increasing rate, and that creates more vulnerabilities that can be exploited.
It's a bit of a perfect storm with the environment that we're operating in: the rise in ransomware, and the challenges in healthcare, with a shortage of talent, staffing, and resources to combat the increasing threat. The threats keep getting greater, and the challenges to keep up are harder and harder for our clients.
Looking at the attacks this past year, what did they reveal about healthcare infrastructure?
There are very similar exploits that we've seen in prior years. It starts with gaining access through some sort of email or phishing campaign. Then, using that access to move laterally throughout organizations to deploy ransomware and hold that technology hostage to exploit the organization for payment.
It really comes down to people being consistent when it comes to weaknesses, vulnerabilities within the organization, where they don't have effective MFA and other controls in place to limit and segment their networks, to limit attackers from being able to expand within the organization. Not having proper backups and recovery plans forces them to have to pay the ransom to get back online, because they can't, in some cases, recover on their own. The best way to get back to providing patient care is to pay the ransom so you can get your systems back operational as quickly as possible.
You’re seeing attacks on behavioral healthcare companies as well, exploiting the critical nature of the sensitive data that exists there. It’s not that they're necessarily using that data to do something to harm the patient directly, but that data is so sensitive and important to the organization that they're likely to pay the ransom to recover quickly.
What are your thoughts on AI within cybersecurity?
It's definitely a double-edged sword. The bad actors are definitely using AI to more aggressively exploit vulnerabilities to deploy their ransomware and other attack campaigns. I think it just allows them to move faster and to find more ways to disrupt organizations. I think that's definitely causing the threats to go up.
I think there are a lot of opportunities to use AI in our defenses. And the question is: how quickly are we adapting to integrate AI into our defense mechanisms to offset the rise in threats? Unfortunately, given the nature of healthcare, it takes time to bring new technology and new use cases. That creates a gap that only creates more risk for the industry in the short term, until vendors and providers can really adapt AI in an effective way to combat those threats.
Do you have concerns about compliance and privacy with AI?
I think it's a great opportunity to strengthen compliance because it allows organizations to more effectively consolidate their policies, controls, and documentation of what they're doing to attest to various compliance standards and frameworks. There's a great opportunity to make the risk assessments and the different reporting requirements easier for providers to comply with. At the same time, it does create an increasing footprint that needs to be governed.
We need to think about AI as a new technological layer that needs to be managed, just like we did with the rise of EMRs and other applications.
Does the government have a role in governing AI within healthcare security?
I think on a high level, the government could play a role. Is the government adept enough at the change and advancement in technology to understand AI in a way that they could effectively put proper regulation in place to help, or is it going to impede innovation? Is it going to impede progress in the industry?
Like any regulation, it needs to be done in a collaborative fashion with the industry to make sure that everyone's on the same page in terms of the benefits and the challenges. How can we use regulation to manage it effectively, versus putting mandates out that then stymie some of the benefits of AI, because we're overly focused on the threats and the challenges that come with it?
What advice would you give to healthcare leaders to improve their cybersecurity practices?
You have to have a strong governance structure in place, no matter what you're doing, whether it's managing AI or just where your patient data resides and is being transmitted throughout your organization. It really starts with governance. We're very focused on helping organizations build a culture of cybersecurity. So, really thinking about how cybersecurity is set as a priority from the board level through the C-suite down through the organization. It's critical that you have executive-level engagement, and they're the ones making it a priority. If it's delegated down to other departments, you're just never going to have a strong enough program to combat the challenges we talked about earlier.
So, to me, it's governance, a culture of cybersecurity, a process for continuous risk management, where you're assessing the threats and vulnerabilities to the systems that have patient data. Then you're constantly looking for ways to improve and mitigate those risks, and testing whether the controls you're implementing are effective at mitigating them. So, ongoing risk analysis and risk management, and ultimately training your workforce and making sure they understand the criticality of cyber, that they're looking out for common threats and challenges. If you have a culture of cybersecurity, you're well-trained, and everybody's being diligent, you can have a fighting chance to avoid some of the pitfalls other organizations have found themselves in.
Looking ahead, what do you expect to happen regarding cybersecurity?
Unfortunately, we've been on a trend of increasing threats and an increasing number of patient records being exposed due to those threats. This year was a down year relative to last year, because in 2024, you had the Change Healthcare breach. But without that, you're still seeing a continuous quantity of patient records being exposed. I would love to see that trend turn around, but unfortunately, given the rise of AI and the increasing threats, it is probably going to continue.
I would say we need to be more diligent as an industry. You're also seeing more regulatory discussion around the changes to the HIPAA Security Rule, some strengthening around some minimum cybersecurity standards, and potentially some standards and practices that the industry might have to adopt. That's all obviously very much in flux, given where the government is today, but I think there is a role for government to play there. You're seeing new enforcement actions around substance use disorder and how we treat that data and manage that within the HIPAA regulations. There are more regulatory things that are evolving that are going to put pressure on the industry to respond. There's a lot that the organizations in 2026 are going to have to manage, particularly when you layer the AI discussion into the equation.
I think healthcare is an ecosystem of vendors and providers, and you have technology that connects everybody. We need to have a collaborative ecosystem where everybody has shared responsibility in this. So, it's not just the providers, and it's not just the vendors; it's everybody working together effectively towards combating the threats that we're all facing. That's a key piece of the puzzle.
We have to watch AI and see how it continues to unfold, both in terms of the threats and the ways we can use it to better equip ourselves in the industry to combat those threats. Having a good risk management framework is really important.
About the Author

Pietje Kobus
Pietje Kobus has an international background and experience in content management and editing. She studied journalism in the Netherlands and Communications and Creative Nonfiction in the U.S. Pietje joined Healthcare Innovation in January 2024.

