Why is healthcare so bad at cybersecurity?

Plus, some thoughts about Transcarent buying Accolade!

Thank you to Vanta for sponsoring this edition of Second Opinion. Vanta helps businesses of all sizes establish trust by automating compliance needs across 35+ frameworks like HIPAA, HITRUST, and SOC 2; centralizing security workflows; completing questionnaires up to 5x faster; and proactively managing vendor risk. Join over 9,000 global companies — including healthcare companies Modern Health, Healthie, and NYU Langone Health — that use Vanta to manage risk and prove security in real time.

Cyber attacks on the largest healthcare companies, whether payers, health systems, or payment processors, are happening at a rapid clip. The effects have been dire for our industry, particularly in the past few years. Health systems continue to pay huge sums—sometimes millions of dollars, often in crypto—to hackers because they cannot withstand ransomware attacks. The toll on patients is not well understood yet, but there have been reported incidents of avoidable fatalities, such as ambulances being diverted from hospitals or important health tests being missed.

If you read the news in 2024, you can’t have missed the most prominent hack of the year—targeted at payment processing behemoth Change Healthcare. This hack alone compromised the protected health information of 100 million people, or around one-third of all Americans.

Despite this ever-growing toll, healthcare organizations do not seem equipped to defend themselves in 2025. So the question I’ve pondered in the past few months: What would it take to enact real change? To prepare these organizations to fend off more threats, particularly given the growing evidence that nation-states and cybercriminals are now coordinating activity? Are there opportunities to invest in the most robust cybersecurity tools custom-built for health care? Or is this an unsolvable problem in the near term?

In a sense—and I’d be curious for all your thoughts on this—the state of security in healthcare reminds me of the pandemic preparedness problem. In the aftermath of a massive emergency, we talk about it for a while, and there’s a moment of funding and accountability. But it invariably dies down, and we find ourselves ill-equipped to deal with the next incident. 

How confident are you that health care organizations will beef up their cybersecurity in 2025?


Reason 1: lack of defenses

Let’s start with the basics. Why is the healthcare industry (and providers, in particular) a frequent target for hackers? Well, according to the dozen or so cybersecurity experts I spoke with while researching this issue, the answer is multifactorial but can be boiled down to two basic reasons.  

Healthcare is attractive for cybersecurity attacks because it lacks the most basic protections. Between the complexities of managing Windows-based environments and poor patch management of IT admin tools, cybersecurity expert Ryan Stellar described a lot of healthcare organizations as “soft targets.” In some cases, these attacks may not be all that sophisticated or coordinated. Much of that is down to the old school software that’s still in place. “Many (organizations) rely on outdated legacy systems that were not designed with modern security threats in mind,” said Kelli Burns, Chief Information Security Officer at Accolade. “These systems are difficult to upgrade due to interoperability requirements and the risk of disrupting critical services.” One example of that is the WannaCry attack, which targeted the U.K.’s National Health Service (NHS) back in 2017, and took advantage of the fact that some of its Windows operating systems had not been updated in more than 15 years (this problem is far from unique to the U.S.).

In other words, healthcare organizations are sitting ducks with a willingness to pay the ransom, so that’s reason enough to go after them. As it often goes, hackers “find clinicians or administrators with breached identities, conduct phishing attacks to confirm credentials, and then strike,” he told me.

A major reason this problem is so hard to solve is organizational culture. Tim Blair, who works at Vanta, a company that helps healthcare entities scale their cybersecurity efforts, noted that most people who work at health systems aren’t seasoned IT professionals. So staying compliant with best practices, like preventing shared credentials or changing passwords, may not come naturally to them. On any given day, it isn’t mission-critical relative to keeping a critically ill patient alive.

There have also been more sophisticated and coordinated attacks. The Change Healthcare hack was conducted by ALPHV/BlackCat, a group with a long history of ransomware campaigns. But even in that case, compliance may have been at the root of the problem. Per reports, the vulnerability on the Change side involved a failure to add two-factor authentication to its Citrix portal (enterprises use Citrix to provide access to remote employees).

UnitedHealth Group CEO Andrew Witty said that Change Healthcare—acquired in 2022—was still being integrated into the parent company. He acknowledged it was an older company with older technologies, making it an easier target for hackers—a problem far from unique to Change Healthcare.
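The failures described above (a remote-access portal without a second factor, shared logins, passwords that are never rotated) are all things an organization can check for itself. The following is an added example, not code from the newsletter or from any company mentioned in it: a small audit over constructed account records that flags exactly those basic hygiene gaps. The record fields, the sample accounts, and the 90-day password-age policy are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy value, not from the article


@dataclass(frozen=True)
class PortalAccount:
    """One login on some system. 'external' marks an internet-reachable
    portal (e.g. a remote-access gateway); 'users' lists the people who
    know the credential, so more than one entry means a shared login."""
    username: str
    portal: str
    external: bool
    mfa_enabled: bool
    password_set_on: date
    users: tuple


def audit_accounts(accounts, today):
    """Return (username, issue) findings, most urgent first: an external
    login with no second factor is listed before shared or stale credentials."""
    findings = []
    for a in accounts:
        if a.external and not a.mfa_enabled:
            findings.append((a.username, "external portal login without MFA"))
        if len(a.users) > 1:
            findings.append((a.username, f"credential shared by {len(a.users)} people"))
        if (today - a.password_set_on).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "password older than policy"))
    # Stable sort: keep per-account order, but float the MFA gaps to the top.
    findings.sort(key=lambda f: 0 if "without MFA" in f[1] else 1)
    return findings


def summarize(findings):
    """Count findings per issue type, so a report can lead with totals."""
    counts = {}
    for _, issue in findings:
        key = issue.split(" by ")[0]  # collapse 'shared by N people' into one bucket
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample inventory (hypothetical names and dates).
SAMPLE_ACCOUNTS = [
    PortalAccount("remote-svc", "remote-gateway", True, False, date(2024, 12, 20), ("j.doe",)),
    PortalAccount("nurse-station-3", "emr", False, False, date(2024, 6, 1), ("a.lee", "b.kim", "c.ray")),
    PortalAccount("dr.smith", "remote-gateway", True, True, date(2024, 12, 1), ("dr.smith",)),
]

if __name__ == "__main__":
    for user, issue in audit_accounts(SAMPLE_ACCOUNTS, date(2025, 1, 15)):
        print(f"{user}: {issue}")
```

Run against the sample inventory on 2025-01-15, the audit reports the gateway service account with no MFA, and the shared nurse-station login both for being shared and for its stale password; the clinician account that has MFA and a recent password is clean. Checks of this kind are cheap to run continuously and catch the "soft target" conditions long before an attacker does.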

Reason 2: it’s lucrative

The juice is usually worth the squeeze for hackers targeting the medical industry. Hackers can typically extract payments from healthcare entities, which is why it continues to be such an appealing target. For providers, it’s obvious why the pressure is on to pay up: vulnerable patients’ lives are at stake; it’s a public relations nightmare given the sensitivity of the health data, and in some cases, it causes serious cash flow issues to provider groups. 

These organizations—because, in many cases, care is at the core of what they do—are fearful of these kinds of ransomware attacks and are, therefore, likely to pay. Sometimes it’s a few hundred thousand dollars, which seems like a small price for resuming normal operations. But in the long term, it’s a major reason why ransomware attacks continue.

There’s also another factor at play: the inherent value associated with health data. Credit card numbers become worthless within five years or so, noted “hacktivist” and author Fred Trotter. Health data, however, particularly DNA, can increase in value over time (consumer genetics company 23andMe has been the victim of several cybersecurity incidents). According to Vanta’s Blair, who works in governance, risk, and compliance, health systems in particular are a gold mine of sensitive data including, but not limited to, “standard personally identifiable demographic information (name, address, birthday, etc.) and private patient data including medical records, diagnoses, treatments, and test results.”

For that reason, patient health information sells for a premium on the Dark Web—the scariest part of the Internet (if we ever sit down over a hot beverage someday, ask me about the time a White Hat hacker gave me a tour of the Dark Web in my prior journalism career. It haunted my dreams for weeks.) 

So that brings me to the most important point: Healthcare companies, with a few exceptions, haven’t invested in cybersecurity tools to protect themselves. Does that present an opportunity for companies to emerge in this space? Or is it a state of affairs that experts believe is unlikely to change, given competing priorities, a lack of government enforcement, and limited IT budgets? 


Growing sophistication

One of the biggest concerns that I heard from the experts I spoke to is that these attacks have become less opportunistic, and more coordinated. Per Burns from Accolade:

“Most attacks on health care organizations tend to be opportunistic, driven by the assumption that these organizations are likely to pay ransomware due to the critical nature of their operations. Attackers often exploit widely known vulnerabilities, such as unpatched systems or weak credentials, casting a wide net to see where they can gain access. However, there is a growing trend toward more sophisticated, targeted attacks. These involve advanced reconnaissance and exploitation, with cybercriminals tailoring their tactics to maximize leverage, knowing the high stakes involved in health care. Examples include ransomware-as-a-service (RaaS), supply chain attacks that target third-party vendors, and even nation-state threats aimed at stealing research data or intellectual property related to treatments and vaccines.”

What that means is that we could see more sophisticated operations moving into 2025, making cybersecurity even more of a priority amongst the various state and federal agencies. It’s increasingly likely, per recent reports from groups like the AHA, that we’ll see specific, targeted attacks on medical devices or other treatments, and not just on PCs, servers, databases, and medical records. One of the biggest anxieties that keeps cybersecurity professionals up at night is a targeted attack on an individual with an insulin pump or pacemaker.

Where we go from here


Trotter doesn’t believe health care is much worse than most other industries. However, he stresses that these kinds of breaches are felt more often. The damage is much deeper and longer-lasting, and companies can’t just apologize to customers, give them a voucher or credit, and move on. So, we assume that health care is far worse than any other sector because of it. 

That said, Trotter believes hospitals can be particularly weak with protections, particularly those in under-resourced and rural settings. Those provider groups may have limited budgets, and IT is rarely at the top of the list, particularly given what they’ve already spent on an electronic medical record system. There’s also very little accountability if hospital executives fail to take basic measures to protect the system, and there are rarely serious consequences. Trotter doesn’t think anything will change until it becomes a priority and the governing bodies (healthcare cybersecurity touches OCR, FDA, FTC, and so on) develop some teeth. Whether that happens under a Trump Administration is hard to predict. 

So, does that mean more enforcement? More regulation? 

The answer is less obvious than it might seem. 

On the one hand, yes, cybersecurity deserves more attention and a brighter spotlight. On the other hand, things in the tech world are moving quickly. Just look at the evolution of AI in the past few years. Whether or not regulation can keep up with this rapidly developing landscape is a major, ongoing topic of discussion.

Here’s one example: I have been paying close attention to medical device security regulations. This is a big deal. Imagine a hacker targeting someone wearing a pacemaker and remotely altering the settings. Terrifying! Since 2023, the FDA has published its guidance, and there’s been a lot of speculation about whether it’s having an impact or whether it’s too soon to tell. One of the best-written pieces on this topic indicates that the impact may be limited. Cybersecurity attacks are rising, and medical devices are increasingly an entry point because key vulnerabilities remain. Medical devices also remain among the least secure segments of healthcare, relative to pharma companies and health plans, per a report from the company SecurityScorecard.

There’s also the problem of human error. This brilliant article analyzing the Change hack argues that hospital CEOs should invest in safeguarding their organizations from cybersecurity threats. However, they shouldn’t be held responsible for the thousands of employees' choices that put their organizations at risk. 

That said, there are undoubtedly opportunities for public and private sector partnerships in this space (it’s worth reading this piece from Jill McKeon predicting more attention on this issue going into 2025). Moreover, all the experts I spoke to had a bucket list of ideas for where they saw opportunities emerging, in everything from secure identity provider services to medical device-specific cybersecurity tools. There have been some success stories across the ecosystem, ranging from newcomers to generalist tech vendors that sell into every industry, like Cisco, CrowdStrike, and Palo Alto Networks.

And some of the solutions may be simpler than they seem, such as employee training to ensure that devices and users are continually authenticated and authorized. That would at least reduce the risk of vulnerabilities caused by human error, said Burns from Accolade.

Tech aside, humans will also need to be on board with the plan. Cultures can change, but only with buy-in from employees and teams that it’s the right thing to do. I’m not hopeful that in 2025, we see significant change. But with every big hack, there’s a moment for leaders to take the initiative and instill a culture that involves putting patient safety first. A girl can dream! 

Alright, that’s it for cybersecurity. Drop me a line if you have seen anything cool and innovative in this space! I’m intrigued to see more of what’s out there. And thanks again to Vanta for sponsoring.

A quick note on Accolade and Transcarent

So by now you may have seen the news that Transcarent is buying Accolade, which I’ve been texting my entire network about for hot takes. The smartest perspective I’ve heard so far is from my friend Dr. Jon Slotkin, the chief medical officer for Contigo and a fellow GP at Scrub Capital. In his view, employers need to get “upstream” and step in with more affordable, preventative treatments well before that expensive surgery or biologic treatment. For Transcarent, it’s a way to acquire more lives, incorporate AI, broaden the TAM, and potentially even develop a full health plan competitor. Others view Accolade’s decision to sell as inevitable, given the loss of its marquee customer, Comcast, back in 2022.

It’ll be fascinating to see what happens with the Glen Tullman effect!