2024 was a difficult year for healthcare cybersecurity, but there are some hopeful signs heading into 2025, with effective controls and new rules coming. According to the healthcare cybersecurity trends of 2024, healthcare cyber defenses came under attack like never before, with headline-grabbing ransomware and other cyberattacks endangering patient safety and privacy alike.
Change Healthcare, Ascension and NHS London were some of the biggest victims in 2024, but hundreds of smaller healthcare organizations suffered too, and there were likely additional attacks that were never confirmed.
Governments and private organizations alike struggled to find solutions, and while there was some progress to cheer, the data on healthcare cybersecurity continues to paint a challenging picture for the critical sector.
We’ll look at the year in healthcare cybersecurity – including some good news – and what may be in store for 2025.
Ransomware Attacks on Hospitals in 2024: A Global Trend
A little more than four years ago, ransomware groups pledged that they wouldn’t attack healthcare infrastructure during the COVID-19 pandemic.
How times have changed. 2024 saw an increase both in the number and severity of healthcare ransomware attacks, with some attacks limiting patient care for weeks and resulting in huge cleanup costs.
Here are some of the year’s biggest healthcare cyberattacks.
Change Healthcare set the tone for the year in February, with a ransomware attack that resulted in the theft of the insurance and healthcare records of more than 100 million Americans. The breach, attributed to lack of multifactor authentication (MFA) on a legacy server, may eventually cost parent company UnitedHealth Group nearly $3 billion and pushed cybersecurity onto the pages of the prestigious Journal of the American Medical Association (JAMA). Change Healthcare made at least one ransom payment after the attack, which didn’t prevent the data from being leaked while simultaneously increasing the attractiveness of the healthcare sector as a target for cybercriminals.
Also in February, the Cencora data breach affected more than a dozen pharmaceutical companies, including Johnson and Johnson.
Ascension Healthcare was another major target, hit by a ransomware attack in May that led to chaos and disruption at some of the 140 hospitals the company oversees. The breach demonstrated how dangerous ransomware attacks on hospitals in 2024 can be, as it reportedly led to lapses in patient care.
In June, NHS London hospitals became a case study in how healthcare systems may be ill-prepared to carry out backup processes that a ransomware attack can impose, as an attack on lab services provider Synnovis resulted in a 96% drop in blood tests.
Plenty of smaller healthcare cyberattacks were just as disruptive to the communities they serve. One of the most alarming incidents was a ransomware attack that caused patients to be diverted from the University Medical Center (UMC) Health System in Lubbock, Texas – the only Level 1 trauma center within 400 miles.
Other healthcare cyberattacks that posed dire threats for patient care or privacy included the non-profit blood center OneBlood, Boston Children’s Health Physicians, and Planned Parenthood.
U.S. Leads in Healthcare Ransomware Attacks
The U.S. remains the biggest target for cyberattacks in general, and healthcare is no exception. Of 339 healthcare ransomware attacks recorded by Cyble threat intelligence researchers as of early December, 251 hit U.S. organizations.
Globally, ransomware attacks on healthcare organizations were up 27% in the first 11 months of 2024 compared to the same period of 2023. An additional 62 attacks targeting the pharmaceutical and biotech sector have pushed the total number of global healthcare-related ransomware attacks above 400 with a few weeks left in the year.
Or put another way, healthcare ransomware attacks have occurred at a rate of more than one a day in 2024.
Ransomware attacks on U.S. healthcare organizations have been up 36% this year, but one of the overlooked aspects of these attacks are the medical device security challenges that make the healthcare sector an even more attractive target for cybercriminals.
But the big “winner,” if you will, has been the UK, which saw just two healthcare ransomware attacks in 2023 and has already been hit 16 times this year, an increase of 700%.
Canada, Germany and Australia round out the top five (image below).
LockBit was the top ransomware group hitting the healthcare sector in 2024, but the group’s activity has declined amid enforcement actions, and RansomHub may take over the top spot by year’s end. INC, BianLian and Everest round out the top five (image below).
Overall, healthcare was the third most-frequently targeted sector by ransomware groups of more than 20 sectors tracked by Cyble, with professional services and construction the only sectors experiencing more ransomware attacks.
Healthcare Cybersecurity Breaches on the Dark Web
Another data point showing a dramatic increase in healthcare cybersecurity incidents can be found in the data and credentials for sale on the dark web.
Cyble researchers have documented 181 credible healthcare claims by threat actors and cybercriminals on the dark web, and an additional 36 targeting pharmaceutical and biotech organizations.
That’s already more than 50% higher than the 140 dark web claims documented by Cyble across both sectors in all of 2023.
Healthcare data is particularly valuable for cybercriminals because there is no personally identifiable information (PII) that reveals more than healthcare data, which can include a patient’s medical conditions and diagnoses in addition to other identifying factors.
As healthcare organizations increasingly rely on cloud infrastructure, cloud security in healthcare IT has become an essential focus for securing sensitive data and preventing breaches on these platforms. Dark web monitoring becomes especially important in this context, as cloud environments can be a prime target for cybercriminals seeking to exploit vulnerabilities.
Dark web monitoring is an important practice for healthcare firms to adopt, as they can detect data leaks faster, and – equally important – also detect when credentials like usernames and passwords leak onto the dark web, which is the most common initial attack vector in breaches, according to IBM-Ponemon.
Good News: Cost of a Healthcare Data Breach Drops
One bit of good news is the annual IBM-Ponemon Cost of a Data Breach report found that the average cost of a healthcare data breach dropped by more than $1 million this year, from $10.93 million to $9.77 million per incident. However, that’s still double the average cost of a data breach, and 60% higher than the second-place financial services sector, as healthcare’s unique cybersecurity and data protection challenges make incident response and cleanup extremely difficult.
The good news in that data is that healthcare cybersecurity may actually be improving. The report also found that AI and automation technologies in particular had a pronounced benefit, with the most sophisticated users across all sectors saving an average of $2.2 million per breach.
Other positive factors include initial detection by internal tools and teams (rather than hearing from third parties or attackers), and bringing in law enforcement in ransomware cases saved nearly $1 million per incident.
The security tools that most lowered the cost of breaches were:
- Employee training
- AI- and machine learning-driven insights
- SIEM systems
- Incident response planning
- Encryption
- Threat intelligence
Of those tools, encryption is a particularly relevant one for the healthcare industry, as 98% of medical IoT device traffic is unencrypted.
Medical IoT Devices: Healthcare’s Unique Achilles Heel
A recent Cyble report looked at the unique challenges of medical internet of things (IoT) devices, which is another factor contributing to the sector’s uniquely difficult cybersecurity challenges.
Among the issues plaguing internet of medical things (IoMT) devices are things like:
- Device Exposure: Over 50% of hospital IoT devices are vulnerable to attack.
- Unpatched Security Flaws in Infusion Pumps: 75% of infusion pumps have unpatched security flaws.
- Unsupported Operating Systems in Medical Imaging Systems: 83% of medical imaging systems run on unsupported operating systems.
- Unencrypted Network Traffic: 98% of IoMT device network traffic is unencrypted.
- Connected Device Breaches: 88% of healthcare organizations experienced at least one data breach in the past two years due to a vulnerability in a connected device.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has issued 11 alerts so far this year warning about vulnerabilities in medical industrial control system (ICS) devices.
Users should patch or replace vulnerable devices whenever it’s possible to do so. And to the extent possible, medical devices should not be exposed to the internet and should be firewalled and segmented from other networks.
What Can Be Done to Improve Healthcare Cybersecurity?
In the U.S., the incoming administration of Donald J. Trump is expected to have an anti-regulatory bias, but healthcare cybersecurity may be one area of surprising agreement between Democrats and Republicans.
There have been a number of bipartisan bills introduced to improve healthcare cybersecurity, the most recently introduced just last month. That’s too late for action in the current Congress, but with the 119th Congress set to begin in January, it signals that healthcare cybersecurity may see some movement in the next Congress.
One promising approach to addressing healthcare cybersecurity challenges is the zero trust adoption in healthcare, which could drastically improve the sector’s defenses. Zero trust principles focus on the idea of never trusting, always verifying, and it can be particularly effective in environments where the network perimeter is no longer easily defined, as in healthcare.
Following a recent GAO report that documented a lack of progress by the Department of Health and Human Services (HHS) in ensuring the security of the healthcare sector – and with a soon-to-be-published HHS proposal that would add new cybersecurity requirements to the HIPAA Security Rule – there appears to be promising consensus around the need for better healthcare security standards in the U.S.
With initiatives also underway in the UK, NIS2 in the EU, the Australia Cyber Security Act, and other places, 2025 could become a turning point for the better for critical infrastructure security in general.
