Securing The Future: Top 10 Healthcare Cybersecurity Predictions for 2024
Published On January 15, 2024
by Morgan Hague
2024 is poised to usher in new challenges and opportunities for healthcare professionals and security practitioners. Contending with the onset of an artificial intelligence boom, rapid interconnectivity, a tumultuous geopolitical outlook, and the shifting regulatory space, the healthcare sector finds itself once more at the crossroads of innovation and vulnerability.
The stakes continue to rise as healthcare organizations navigate the delicate balance between providing accessible, quality patient care and safeguarding sensitive patient data from the persistent threat of cyber adversaries.
Meditology supports hundreds of healthcare entities across the country, including providers, payers, and business associates. Leveraging that experience, we have compiled the top 10 healthcare cybersecurity predictions for 2024 along with relevant insights to help you map out a defensive strategy heading into the new year.
1. Hospitals and the healthcare industry continue to be the leading segment targeted by attackers.
Healthcare, as an industry, continues to be the prime target of cyber attackers. This predilection can be attributed to the wealth of sensitive patient data these organizations handle, including personal, medical, and financial information.
Such data is valuable on the black market and also has long-term usability, making it highly desirable for cybercriminals. Moreover, the rapid digital transformation in the healthcare sector, driven by the ongoing adoption of telemedicine, electronic health records, and IoT medical devices, has expanded and will continue to expand the relevant attack surface.
Unfortunately, cybersecurity measures within the industry often fail to keep pace with these technological advancements, leading to vulnerabilities that attackers exploit.
This is unfortunately an easy prediction to make – according to the HHS Office for Civil Rights (OCR), large breach occurrences grew 93% from 2018 to 2022, with a 278% increase in those breaches attributed to ransomware. As market and geopolitical volatility continues to ramp up, this trend will absolutely continue.
For more information on healthcare breach statistics, see Verizon’s 2023 Data Breach Investigations Report.
2. The race to design or deploy Artificial Intelligence (AI) reaches a fever pitch, preceding uncertainty and doubt among decision-makers on the nature of securing this domain.
The healthcare industry's traditional security infrastructure is often ill-equipped to counter modern cyber threats. As Artificial Intelligence and Machine Learning continue their ascension, the marketing, toolkits, and uncertainty surrounding these technologies will continue to strain leaders and security programs at large.
Consider the perpetual weaknesses of the healthcare security domain: an industry which often relies on outdated systems and software, with known vulnerabilities that can be easily exploited by cybercriminals. Couple this systemic issue with a widespread deficit of appropriate cybersecurity awareness and training, and AI has the capacity to trigger a significant leap in negative outcomes while spurring an uptick in fear, uncertainty, and doubt across the industry.
These deficiencies are set to be compounded by the rapid adoption of AI – an industry expected to grow roughly 37% annually through 2023. Considering the meteoric rise of ChatGPT, which grew to 1 million users after just five days of public access, it’s easy to consider the implications of other public use AI platforms – particularly if they aren’t properly vetted or developed irresponsibly by over-eager personnel or executives.
The combination of inadequate controls and training presents a significant concern for healthcare organizations. With AI use cases not yet clearly defined for most organizations, the ability to understand or anticipate the risks and benefits of artificial intelligence and machine learning will become a pain point for security leaders and functions at large.
Therefore, it's imperative for the healthcare sector to prioritize intentional program design, allowing for significant compensating controls, investing in modern security systems, and enhancing key activities such as development pipeline security and comprehensive staff training.
Beyond enterprise stewardship, leading national agencies in the United States, Germany, and elsewhere recently issued guidelines which include security as a ‘core requirement’ during the AI development cycle. This fairly progressive stance from international leadership is likely to continue and will hopefully curtail some of the mystery around the ‘new frontier’ of AI.
Watch the replay of our webinar, AI + HEALTHCARE: THE EVOLVING CYBERSECURITY EQUATION for more information on the nature of AI risks and defining a relevant security strategy.
3. At the onset of remarkable disruption, specialized frameworks will enable industry professionals to begin developing a consensus on security standards for AI.
Frameworks for secure AI emerge as an early solution to address the unique cybersecurity issues the healthcare industry faces with the use of machine learning and similar mechanisms. By offering a unified structure, these frameworks enable industry professionals to have more coordinated discussions about the appropriate controls for AI systems.
Secure AI frameworks driven by the likes of NIST and ISO provide a roadmap to assess risks, implement preventive measures, and ensure continuous monitoring of AI systems, helping to prevent unauthorized access or manipulation of sensitive healthcare data or models. These frameworks promote the use of frequently-referenced controls such as encrypted data transmission, secure data storage, and strong authentication protocols – whilst also highlighting the need for new dedicated mechanisms like data science pipeline security.
Additionally, these frameworks can provide guidance on how to employ AI responsibly, ensuring its application aligns with patient privacy requirements and similar outlines. Consequently, the adoption of secure AI frameworks could significantly enhance the resilience of healthcare systems against cyber threats, protecting both the integrity of the industry and the trust of patients.
It is worth noting that existing (and most in-development) frameworks relevant to the security of AI are largely targeted towards organizations that maintain or develop machine learning or AI capabilities in-house.
For organizations that rely upon third-party services or toolkits with AI functions, it is unknown whether a consensus (and frameworks) will be developed to address these specific use cases beyond the already critical third-party risk vector and common controls like agreement scrutiny, vendor vetting, etc.
Read our article on Addressing AI Cybersecurity Risks in Healthcare Organizations for insight on NIST’s recent AI Risk Management framework and the implications for security functions.
4. Public incentive programs and guidelines for security functions reach a new level of maturity with the adoption and growth of tools like HICP, CISA CPGs, and the HPH Cybersecurity Toolkit.
The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS), along with other key agencies, have been making strides toward defining what constitutes “reasonable security practices” within the healthcare sector. One of the key tools being utilized for this purpose is the Health Industry Cybersecurity Practices (HICP).
HICP aims to provide a comprehensive guide with ten practical cybersecurity tactics to safeguard the healthcare industry.
These tactics include:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Moreover, the HICP encourages the voluntary sharing of cybersecurity threat information among healthcare organizations.
In a similar vein, the Cybersecurity and Infrastructure Security Agency (CISA) is developing Cybersecurity Performance Goals (CPGs), which are shared across the healthcare industry to promote reliable methods to tackle cybersecurity challenges.
Separately, the HPH Cybersecurity Toolkit is another resource that provides a plethora of cybersecurity best practices, aiming to aid healthcare organizations in understanding their vulnerabilities and effectively implementing cybersecurity measures.
By defining "reasonable security practices," these tools have made it possible for organizations to identify and understand the cybersecurity measures they should be implementing, enabling them to better protect sensitive patient data. These authoritative references also lower the barrier to entry for independent organizations to identify meaningful security directions and best practices in their own environments, signifying a continued national priority for infrastructure defense and data protection at large.
Furthermore, there is a growing trend towards incentivizing adherence to such practices, with the HHS’s Administration for Strategic Preparedness and Response (ASPR) stating its commitment to both an upfront investment program and a general incentives program (similar to Promoting Interoperability) for implementing essential CPGs.
In the ever-dynamic security domain, programs like these can go a long way in fostering a more proactive cybersecurity culture within the healthcare industry specifically, and incentives programs deliver a meaningful way for organizations without substantial resources to adapt and grow.
Read our article on HHS Driving Cybersecurity Enhancements for Healthcare and Public Health Sectors for more information.
5. An eventful election year and significant world events (Olympics and more) will trigger an increase in malicious activity from both non-affiliated and state-sponsored attackers.
As we approach the 2024 election cycle, the digital landscape becomes increasingly fraught with malicious activities. Besides the usual host of cybercriminals, we now see an uptick in state-sponsored cyber activities targeting the healthcare sector.
With over 41% of the global population set to vote during the 2024 calendar year, opportunist actors and nation-states look to impact critical sectors (e.g., election systems and healthcare) and influence the general populace.
This trend will take many forms and be relatively far-reaching, not simply limited to election interference but a greater increase in malicious activity across borders. Nation-states (notably China and Russia) will continue to push the envelope in espionage and increasingly sophisticated campaigns to disrupt or divert economic development – a space where independent organizations and R&D firms remain at risk.
Google anticipates a notable increase in zero-day attacks on enterprise organizations and private entities – and notes that it’s likely for attackers to take advantage of events like the Summer Olympics in Paris to maximize their impact and reconnaissance capabilities.
This heightened activity exploits the sector's vulnerabilities, particularly those related to the rapid integration of technology in healthcare systems. State actors, bearing sophisticated tools and tactics, manipulate the trust of patients and healthcare professionals, aiming to disrupt election processes, propagate disinformation, and even influence election outcomes.
Moving forward, it becomes even more crucial for healthcare organizations to implement robust cybersecurity measures, including guidelines from government agencies like the OCR, HHS, and CISA. Only through a proactive and vigilant approach can the healthcare industry safeguard itself from these imminent threats, ensuring the integrity of healthcare services and protecting the confidentiality and trust of patients during critical election periods.
For more information, consider reviewing the Department of Homeland Security’s 2024 Homeland Threat Assessment – a report that details the critical infrastructure at risk and key trends to anticipate from a defense perspective.
6. Personal liability implications outlined in new and evolving regulations (per the SEC, FDA, FTC) in the event of non-transparency by CISOs add to already compounding pressures.
Increased regulatory scrutiny from organizations such as the Securities and Exchange Commission (SEC), the Food and Drug Administration (FDA), and the Federal Trade Commission (FTC) is adding to the mounting pressure on Chief Information Security Officers (CISOs). These regulatory bodies are pushing for personal liability of CISOs who are not completely transparent about the state of their organization's security program.
These regulations demand that CISOs disclose any vulnerabilities, breaches, or incidents that could potentially compromise patient data or disrupt healthcare services. Noncompliance with these requirements can result in hefty fines and, in some cases, legal action.
Given a significant uptick in the cyber-centric activity of regulatory bodies – the SEC’s newly effective breach reporting guidelines, as an example – it seems the previous wave of ‘guidelines’ and ‘recommendations’ from these entities will likely shift to focus on enforceable mechanisms. This shift will certainly increase the burden on compliance and legal functions for certain firms and hopefully trigger increased prioritization of security objectives in the board room.
These developments also underscore the need for CISOs to adopt a proactive approach to cybersecurity, prioritizing transparency, continuous monitoring, and compliance with regulatory standards to maintain the health of their organization's security program. For smaller firms or inexperienced security teams, fractional CISO offerings have also seen a significant uptick in popularity and present an interesting solution for contending with complex or strategic issues in small-to-moderate-sized but complex organizations.
Read our article on The Importance of Sound Risk Management in the Wake of the SEC's Recent Charge Against SolarWinds for more information.
7. Supply chain vulnerabilities will remain a primary source of breaches in healthcare, and security teams will scramble to develop or acquire scalable solutions.
Vulnerabilities in the supply chain or vendor-managed devices have emerged as a primary source of breaches in the healthcare industry, posing a significant challenge for security teams. The expansive and interdependent nature of healthcare supply chains, coupled with the increasing integration of technology and software, exposes multiple weak points that cyber attackers can exploit.
With an annual increase of roughly 26% between 2022 and 2023 in the number of supply chain breaches, it’s evident this trend is likely to continue in a substantial way.
Dissemination of counterfeit medical devices, the compromise of sensitive patient information, and the interruption of critical healthcare services are among the risks associated with these vulnerabilities.
As the threat landscape continues to evolve, security teams are under pressure to ideate, develop, and implement scalable and adaptable solutions that can effectively thwart these attacks. This includes rigorous vendor risk assessments, the implementation of more stringent security protocols, and the cultivation of a security-conscious culture throughout the supply chain.
The challenge lies not only in fortifying defense mechanisms against current threats but also in ensuring they are resilient enough to withstand future, more sophisticated attacks.
Finding a meaningful solution requires an understanding of the issues that currently plague third-party risk functions – for more detail, check out this analysis.
8. Cloud adoption for services and infrastructure will continue at a rapid pace – and the migration will continue to introduce third-party challenges.
The scope and complexities of third-party risk have continued to shift as more organizations seek to ‘off-load’ some responsibility with a migration to cloud environments, outsourcing key operations to service providers, and moving their infrastructure and data to the cloud. While these transitions can enhance operational efficiency and patient care, they can also expose healthcare systems to new vulnerabilities and promote a false sense of comfort.
The increased interconnectivity with third-party service providers expands the attack surface, while the shift to cloud storage requires robust data security protocols to protect sensitive patient information.
Additionally, the move to cloud or acquisition of cloud-based services will often lead to confusion or false assumptions regarding the shared responsibility model (SRM). In effect, inexperienced security leaders or personnel make assumptions regarding data stewardship, compliance implications, or even data security controls outright and may (errantly) interpret cloud services as a way to shirk ownership of the risks with managed data.
Properly vetting your cloud service provider or a cloud-based partner is critically important and will be a consistent priority for 2023 – mirroring the seventh prediction on our list – but ensuring the necessary skillsets for cloud security are on hand is equally important. While not wholly distinct from on-premises operations, the nuances of cloud security (like the SRM) can contribute greatly to a negative outcome if not properly understood and managed.
Adopting such strategies will not only minimize the risk of data breaches but also ensure regulatory compliance efforts are appropriately scoped and managed, thereby protecting both the healthcare organizations and the patients they serve.
Supplemental guidance on key cloud activities is available here.
9. In a welcome change, rising cyber insurance costs will stall and begin to level out.
In a notable shift, cyber insurance costs have begun to level out after witnessing astronomical increases over the previous two years. This trend signifies a degree of stability entering into the cyber insurance market, following a period of rampant upticks driven by the escalating threat of cyber-attacks.
With increases between 100% and 200% in years prior, this will be a welcome change for CFOs everywhere – although the volatility is not a surprise given the relative infancy of cyber liability as an insurance segment. The language and scope of agreements have also begun to normalize, ensuring fewer discrepancies in enforcement decisions or payment outcomes.
Insurers, initially wary of the volatile nature of cyber risks, have now gathered sufficient data and understanding to price their policies more accurately. This is a promising development for healthcare organizations as it could mean increased accessibility and affordability of cyber insurance, helping them further mitigate their cyber risk exposure.
However, it's important to remember that while insurance is a crucial part of the risk management strategy, it should not substitute for proactive and robust cybersecurity measures.
10. Challenging market conditions will require budget-tightening and limit growth of enterprise security functions.
In the face of challenging market conditions, budget constraints often necessitate a freeze or reduction in the growth of enterprise security functions. This can place healthcare and security organizations in a precarious position, as the need for mature cybersecurity measures is more pressing than ever.
An annual increase of 14.3% in end-user spending on security and risk management is anticipated for 2024 – although the nature of that increase is likely to be complicated by rising pressure on private equity and venture capital-backed security startups, with the decreased valuations and layoffs that plagued last year anticipated to continue through the near future.
Organizations are compelled to achieve more with less, striving for improved security postures with constrained budgets. This calls for innovative strategies that maximize the use of existing resources.
Prioritizing security initiatives based on risk levels, utilizing cost-effective open-source tools, and investing in employee cybersecurity training can help organizations enhance their security without significant financial investment.
Furthermore, forging partnerships with external security providers can enable access to specialized services and state-of-the-art technologies at a fraction of the cost of developing these capabilities in-house. While challenging, these budget constraints can serve as a catalyst for organizations to devise creative, cost-effective methods to manage their cybersecurity needs.
View our Top 10 Healthcare Cybersecurity Predictions for 2024 infographic!
Keeping this list limited to a ‘Top 10’ can be challenging as trends rapidly evolve. These honorable mentions are important to highlight and are worth keeping on your radar heading into the new year.
- Global conflict may lead to a decrease in the volume of cyber-attacks from nation states against American businesses but a higher impact from successful attacks, due to sophisticated TTPs that are either proven out in wartime or via unintentional bleed-over outside of the conflict zones.
- Security vendors begin a multi-year consolidation trend as private equity and venture capital funding is harder to obtain due to rising interest rates.
- More organizations evaluate obtaining validated assurances like HITRUST and SOC 2 to independently prove their security programs, and more buyers begin accepting these assurances in lieu of lengthy TPRM control questionnaires.
- Software Bills of Materials (SBOMs) begin to gain footing as the standard for managing the FDA rule on pre-market submission for medical devices – but there's still a long way to go.
- A significant uptick in the prevalence of IoT-driven attacks against both consumers and enterprises occurs as interconnectivity becomes a key feature for devices and platforms alike.
As security leaders, staying ahead of these evolving trends will be paramount in safeguarding your organizations in 2024. If you need assistance planning for, assessing, or managing cybersecurity or privacy risk, contact our team to see how we can help!
MORGAN HAGUE | MANAGER, IT RISK MANAGEMENT
Morgan is an experienced security and emerging technologies consultant, with varied expertise across information security, organizational governance, and IT audit practices. As the leader of the Privacy, Cloud Advisory, and Strategic Risk Transformation service lines at Meditology, he has led and contributed to hundreds of consulting engagements across public and private entities. Since 2019, he has served as lead architect and product owner of an innovative risk quantification, analysis, and reporting solution utilizing MITRE ATT&CK and similar authoritative sources to establish a data-driven and dynamic mechanism to assess, report on, and manage organizational risk – supporting a variety of premier healthcare organizations, including the nation’s largest hospital system. Morgan is currently an executive board member with InfraGard Atlanta, and a contributor to OWASP’s AI Security Guide.