Cybersecurity Considerations 2024: Healthcare sector

Amid new and evolving cyber threats, the stakes have never been higher for healthcare organizations. The sector has seen attacks intended to compromise patient data as well as weaken the healthcare system. Beyond sensitive information, cyber attackers are increasingly targeting the capabilities of the healthcare system linked to the delivery of care and the patient experience. In instances of ransomware attacks, healthcare organizations cannot afford to lose time due to locked systems when lives are at stake.

The fact that the healthcare sector has historically been less prepared for cyber risks than other industries adds to the complexity. Many organizations have viewed technology as a back-office function, relying on legacy mainframe systems and outdated technology stacks.

However, with changing expectations around the patient experience, healthcare organizations are adopting newer technologies such as Internet of Things (IoT) devices and artificial intelligence (AI), although often without a complete understanding of the risks.

Healthcare companies continue to encounter a wide range of cyber threats, such as ransomware and distributed-denial-of-service attacks. Opportunities for threat actors to execute these types of attacks often arise from various cybersecurity challenges faced by healthcare organizations, such as a lack of multifactor authentication, reliance on outdated systems, and insufficient security awareness and training, among many others.

Organizations will also be subject to increasing regulatory mandates around data security, privacy, and interoperability. Health systems and insurers will have to work together to deliver on these imperatives. As leaders manage their transformation journeys, these will be critical areas. With a focus on resilience, regulatory compliance, and a roadmap for AI integration, cybersecurity leaders can play a pivotal role in driving growth.

This report explores cybersecurity considerations for the healthcare sector. It shares a perspective on the industry’s unique challenges and the way ahead for business leaders.

Consideration 1: Align cybersecurity with organizational resilience

Healthcare organizations are seeing the urgency of robust cyber resilience, a capability that demands rapid, measured responses and proactive planning. Resilience in the healthcare sector is not just about maintaining operational capabilities but also preserving the confidence and trust of patients and stakeholders. Organizations need a repeatable approach to tackling cyber threats’ dynamic nature, considering the sector's unique vulnerabilities and regulatory compliance requirements.

Data breaches – Protected health information (PHI) has always been a lucrative target for cybercriminals. PHI breaches can lead to medical fraud through manipulation of medical records or impersonation for access to prescription medications. This could result in reputational damage and erosion of patient trust.

Outdated technology – Extensive use of outdated technology and infrastructure often leaves the door open to vulnerabilities that cybercriminals can exploit. Revamping the technology function remains a costly and time-intensive endeavor.

Insufficient staff training – Given their education and job responsibilities, many healthcare employees may lack an understanding of basic cybersecurity protocols. Without adequate training, there is a greater risk of threats such as phishing.

Regulatory non-compliance – The healthcare industry operates under strict regulatory rules regarding patient data. Failure to comply with these regulations can lead to severe penalties.

Forward-looking investments – To counter the risk of data breaches, organizations are encouraged to invest in advanced data encryption technologies and data breach detection systems. More investment in these areas can help lay a robust foundation for cybersecurity.

Efficiency from greater digitalization – Increased digitalization and integration of emerging technologies such as AI can help improve operational efficiency and patient care.

Better training programs – Training programs that ensure all staff members are well-versed in leading cybersecurity practices can not only reduce cyber risk but also reinforce a culture of security.

Advanced software systems – To meet complex, evolving regulatory requirements, organizations should invest in more sophisticated, compliant software systems that are future ready.

Embedding resilience with manual processes or backup technology systems requires resources that large public organizations can afford, but smaller providers may struggle with. This even though data held by smaller organizations is just as valuable and vulnerable. The entire sector needs a roadmap to elevate its overall security posture.

Consideration 2: Unlock the potential of AI – carefully

Healthcare leaders are looking at AI to transform operational efficiencies, patient care and the broader ecosystem. With generative AI, alongside robotics and machine learning, making significant inroads, the sector is tasked with navigating the complex interplay of security, privacy, and ethical considerations inherent in these technologies.

The journey toward integrating AI into healthcare is fraught with challenges and peppered with unparalleled opportunities for innovation and enhanced service delivery. The overarching goal remains clear: leverage AI in a manner that upholds the highest standards of care, security and ethical responsibility

Vulnerability to attacks – Existing AI systems may have vulnerabilities that can be exploited to access sensitive patient data. Threat actors can weaponize these vulnerabilities. For instance, AI could be manipulated to introduce bias in diagnostics or treatment planning, resulting in compromised patient care.

Privacy concerns – The extensive use of patient data by AI software raises considerable privacy concerns as AI inherently involves accessing, processing and storing large amounts of sensitive data. Some key concerns include:

Data sharing across platforms – AI systems may need to share data across platforms or with other AI systems for better predictive modeling and analysis. Each data transfer point is a potential security vulnerability.

Breach of informed consent – When using AI systems, patients may not fully understand what their data may be used for, such as in machine learning algorithms or predictive modeling. In these cases, there might be a breach of informed consent.

De-identification and anonymization – AI can rely on de-identified or anonymized data for processing; however, with multiple datasets aggregated, it may be possible to re-identify anonymized data, which could compromise individual privacy.

Need for continuous monitoring – AI systems, due to their capacity for self-learning and making decisions, require continuous monitoring. This is required to check diagnosis accuracy, validate regulatory compliance and check for bias. This is especially important as AI is still in the early stages of integration within healthcare organizations.

Enhanced precision – With proper security controls in place to safeguard from malicious algorithms, AI can help improve accuracy of diagnostics and treatment planning.

Trust building – Strict data privacy policies around AI can help build patient trust in healthcare organizations by demonstrating their commitment to maintaining patient confidentiality.

Visibility into risks – Robust AI systems can also be integral to running continuous vulnerability assessments for broad organizational technology environments. With visibility into key issues, organizations can identify potential risks in a timely manner and take proactive measures.

While healthcare organizations remain keen on using AI to streamline operations and enhance efficiency, there are unique challenges in connection with using the technology in a manner that is compliant with healthcare data regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Custom AI systems that facilitate improved efficiency and effectiveness while adhering to regulatory mandates each organization's unique context can be the way forward.

Consideration 3: Make identity individual, not institutional

For healthcare leaders, the need to modernize supply chain security has never been more acute as traditional third-party and supply chain security models grapple with today’s complex, interdependent ecosystems. The notion that third parties operate merely on a transactional basis is a relic of the past. Today, APIs, advanced processes, and software-as-a-service dependencies demand a more strategic approach to supplier partnerships.

There is a greater need for continuous monitoring and managing the evolving risk profiles of suppliers. In doing so, the challenges of visibility, scalability and the evolving risk profile of third-party partners loom large. Amid these challenges, there is also an opportunity to reimagine supply chain security as a key business enabler with a comprehensive risk-based mindset and strategic application of intelligent automation.

Vulnerabilities across the supply chain – The healthcare supply chain's web of suppliers, manufacturers, and service providers compounds cybersecurity challenges. Each vendor might have varying cybersecurity maturity levels, making the entire supply chain vulnerable to the weakest link. Ensuring consistent security measures across such a diverse network remains difficult.

Lack of standardization – Interoperability and data sharing can pose security risks across the supply chain. The challenge is ensuring data flows securely between different systems, organizations, and devices. This not only requires robust encryption and secure data handling practices but also a level of standardization that is difficult to achieve.

An improved overall security posture – By demanding higher cybersecurity standards from vendors, healthcare organizations can not only improve their own security posture but also elevate the overall security standards within the sector. This can be achieved through implementing stringent cybersecurity criteria in procurement contracts, conducting regular audits and offering support for smaller vendors to meet these standards.

A more integrated and resilient network – By adopting comprehensive cybersecurity frameworks and promoting interoperability standards, healthcare organizations can create a more cohesive and secure supply chain. This integration can facilitate better data sharing and collaboration, making the supply chain more adaptable to changes and better equipped to respond to cybersecurity threats.

While modernizing supply chain security remains critical, the days of lengthy and manual risk assessments are fading into the past as they are neither financially nor operationally scalable. New technologies and tools are continually improving the ability to diagnose cyber risk and triage vendor focus areas, reducing the manual effort required and allowing for more bandwidth on resiliency efforts.

Real-world cybersecurity in the healthcare sector

In early 2024, a major MedTech company suffered a cyber breach. The attack caused serious issues for several providers and continued to disrupt key operations for months, highlighting the vulnerability of healthcare organizations and illustrating that even large market leaders were susceptible to advanced cyber threats.

As a result of the attack, providers could not process claims and collect payment from insurers. In addition to financial impacts, the attack delayed pre-authorization, verification of coverage, and prescription-filling processes, which affected patient care. While the company restored certain services, there continues to be an issue with a backlog of claims and financial disruptions for providers.

This incident increased scrutiny of healthcare cybersecurity practices, leading healthcare organizations to strengthen their security infrastructure and prioritize continuous monitoring and threat detection capabilities to identify potential cyber threats faster.

Many companies are working to enhance their cybersecurity measures by reviewing technical access controls, revisiting incident response plans, incorporating comprehensive security awareness training, establishing off-site backup systems and prioritizing regular updates and patches for hardware and software assets in their environment.

Top priorities for TMT security professionals

Develop comprehensive incident response plans that outline procedures to identify, contain, eradicate and recover from various cyberattacks.
Establish governance frameworks and ethical guidelines for the user and development of AI in healthcare operations, ensuring robust data privacy and security measures.
Assess the security posture of third parties and implement a continuous monitoring plan to promptly detect and address potential supply chain vulnerabilities.

How this connects to what we do

In addition to assessing your cybersecurity program and ensuring it aligns with your business priorities, KPMG professionals can help healthcare organizations develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks and help design the appropriate response to cyber incidents.

KPMG professionals are adept at applying cutting-edge thinking to healthcare companies’ most pressing cybersecurity needs and developing custom strategies that are fit for purpose. With technology that is secure and trusted, KPMG professionals offer a broad array of solutions including cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.