More than in any other sector, healthcare organizations are responsible for storing highly sensitive personal information and for this reason safeguarding patient data and systems is paramount. These insights explore cybersecurity considerations for the healthcare sector and share a perspective on the industry’s unique challenges and the way ahead for business leaders.
Amid new and evolving cyber threats, the stakes have never been higher for healthcare organizations. Globally, the sector has seen attacks intended to compromise patient data as well as weaken healthcare systems. Beyond sensitive information, cyber attackers are increasingly targeting capabilities linked to care delivery and patient experience. In instances of ransomware attacks, healthcare organizations cannot afford to lose time due to locked systems when lives are at stake.
The fact that the healthcare sector has historically been less prepared for cyber risks than other industries adds to the complexity. Many organizations have viewed technology as a back-office function, relying on legacy mainframe systems and outdated technology stacks.
Electronic health record systems (EHR) have become essential clinical technology that helps to improve patient access to health and services, enhance care quality and safety, streamline clinical workflows and support team-based collaboration. While these interoperable systems offer many benefits to healthcare systems, the very nature of the information they contain put them at risk for cyber-attacks.
Healthcare systems continue to encounter a wide range of cyber threats, such as ransomware and distributed-denial-of-service attacks. Opportunities for threat actors to execute these types of attacks often arise from various cybersecurity challenges faced by healthcare organizations, such as a lack of multifactor authentication, reliance on outdated systems, endpoint complexity, and insufficient security awareness and training, among many others.
Organizations will also be subject to increasing regulatory mandates around data security, privacy, and interoperability. Health systems, payors, and commissioners will have to work together to deliver on these imperatives. As leaders manage their transformation journeys, these will be critical areas. With a focus on resilience, regulatory compliance, and a roadmap for AI integration, cybersecurity leaders can play a pivotal role in transforming the integrity of the sector’s IT infrastructure.
About these insights
The insights that follow originate from the KPMG Cybersecurity considerations 2024 report and have been adapted to provide a healthcare sector perspective for Chief Technology and Information Officers and their teams to consider in supporting their organizations’ objectives and to mitigating the impact of specific cyber incidents and reducing overall cyber risk exposure.
Consideration 1: Align cybersecurity with organizational resilience
Healthcare organizations are seeing the urgency of robust cyber resilience, a capability that demands rapid, measured responses and proactive planning. Resilience in the healthcare sector is not just about maintaining operational capabilities but also preserving the confidence and trust of patients and stakeholders.
Organizations need a repeatable approach to tackling cyber threats’ dynamic nature, considering the sector's unique vulnerabilities and regulatory compliance requirements. KPMG research that compared healthcare technology function decision making with other industries, found that healthcare executives were 10 percent less likely than the cross-sector average to treat cybersecurity as a box-ticking exercise in staff training. Instead, they incorporate cybersecurity extensively across their organization to ensure trust.1
Data breaches – Protected health information (PHI) has always been a lucrative target for cybercriminals. PHI breaches can lead to medical fraud through manipulation of medical records or impersonation for access to prescription medications. This could result in reputational damage and erosion of patient trust.
Outdated technology – Extensive use of outdated technology and infrastructure often leaves the door open to vulnerabilities that cybercriminals can exploit. Revamping the technology function remains a costly and time-intensive endeavor and is often a barrier to change. However, the same KPMG research showed
Insufficient staff training – Given their education and job responsibilities, many healthcare employees may lack an understanding of basic cybersecurity protocols. Without adequate training, there is a greater risk of threats such as phishing.
Regulatory non-compliance – Around the world, healthcare organizations operate under strict regulatory rules regarding patient data. Failure to comply with these regulations can lead to severe penalties.
End point complexity – Healthcare systems have unique endpoint complexity challenges due to their large groups of employees and vast physical infrastructures. With this comes organizations having to manage the devices used by thousands of staff, patients, and visitors.
Interoperable EHRs – A recent research report by the Partnership for Healthcare System Sustainability and Resilience touted the benefits of establishing interoperable clinical databases and EHRs as a “goal of the utmost importance for all health systems”. This report also stated that these systems “have the potential to greatly improve the everyday care of patients and create a rich and complete source of population-wide data to aid with planning and implementation of services, as well as research and development of new technologies, including artificial intelligence”2. Inoperable EHRs also link to patient portals and permit remote access by medical staff, key to improving experiences for both audiences. While these interoperable systems offer many benefits to healthcare systems, the very nature of the PHI they contain put them at risk for cyber-attack.
Forward-looking investments – To counter the risk of data breaches, organizations are encouraged to invest in advanced data encryption technologies and data breach detection systems. More investment in these areas can help lay a robust foundation for cybersecurity. Based on the KPMG Global Tech report 2024, Healthcare is indeed leading all other industries in prioritizing and investing in next level security powered by web3 technologies such as blockchain and tokenization.3
Efficiency from greater digitalization – Increased digitalization and integration of emerging technologies such as AI can help improve operational efficiency and patient care.
Better training programs – Training programs that ensure all staff members are well-versed in leading cybersecurity practices can not only reduce cyber risk but also reinforce a culture of security.
Advanced software systems – To meet complex, evolving regulatory requirements, organizations should invest in more sophisticated, compliant infrastructure and software systems that are future ready.
Embedding resilience with manual processes or backup technology systems requires resources that large public organizations can afford, but smaller providers may struggle with. Even though data held by smaller organizations is just as valuable and vulnerable. In a recent research report the Partnership for Healthcare System Sustainability and Resilience flagged a need for “clear regulations on the interoperability of digital systems across healthcare providers and government systems”.4 It would also be beneficial for the healthcare sector globally to have a roadmap to elevate its overall security posture.
Consideration 2: Unlock the potential of AI — carefully
Healthcare leaders are looking at AI to address workforce shortages and find operational efficiencies in patient care and the broader ecosystem. With generative AI, alongside robotics and machine learning, making significant inroads, the sector is tasked with navigating the complex interplay of security, privacy, and ethical considerations inherent in these technologies.
The journey toward integrating AI into healthcare is fraught with challenges and peppered with unparalleled opportunities for innovation and enhanced service delivery. The overarching goal remains clear: leverage AI in a manner that upholds the highest standards of care, security and ethical responsibility.
Vulnerability to attacks – Existing AI systems may have vulnerabilities that can be exploited to access sensitive patient data. Threat actors can weaponize these vulnerabilities. For instance, AI could be manipulated to introduce bias in diagnostics or treatment planning, resulting in compromised patient care.
Privacy concerns – The extensive use of patient data by AI software raises considerable privacy concerns as AI inherently involves accessing, processing and storing large amounts of sensitive data. Some key concerns include:
- Data sharing across platforms – AI systems may need to share data across platforms or with other AI systems for better predictive modeling and analysis. Each data transfer point is a potential security vulnerability.
- Breach of informed consent – When using AI systems, patients may not fully understand what their data may be used for, such as in machine learning algorithms or predictive modeling. In these cases, there might be a breach of informed consent.
- De-identification and anonymization – AI can rely on de-identified or anonymized data for processing; however, with multiple datasets aggregated, it may be possible to re-identify anonymized data, which could compromise individual privacy.
Need for continuous monitoring – AI systems, due to their capacity for self-learning and making decisions, require continuous monitoring. This is required to check diagnosis accuracy, validate regulatory compliance and check for bias. This is especially important as AI is still in the early stages of integration within healthcare organizations.
Enhanced precision – With proper security controls in place to safeguard from malicious algorithms, AI can help improve accuracy of diagnostics and treatment planning.
Trust building – Strict data privacy policies around AI can help build patient trust in healthcare organizations by demonstrating their commitment to maintaining patient confidentiality.
Visibility into risks – Robust AI systems can also be integral to running continuous vulnerability assessments for broad organizational technology environments. With visibility into key issues, organizations can identify potential risks in a timely manner and take proactive measures.
While healthcare organizations remain keen on using AI to streamline operations and enhance efficiency, there are unique challenges in connection with using the technology in a manner that is compliant with healthcare data regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, the General Data Protection Regulation (GDPR) in Europe and the UK, the Privacy Act in Australia, and the Personal Information Protection and Electronic Documents Act in Canada. Custom AI systems that facilitate improved efficiency and effectiveness while adhering to regulatory mandates each organization's unique context can be the way forward.
Consideration 3: Modernize supply chain security
For healthcare leaders, the need to modernize supply chain security has never been more acute as traditional third-party and supply chain security models grapple with today’s complex, interdependent ecosystems. The notion that third parties operate merely on a transactional basis is a relic of the past. Today, APIs, advanced processes, and software-as-a-service dependencies demand a more strategic approach to supplier partnerships.
There is a greater need for continuous monitoring and managing the evolving risk profiles of suppliers. In doing so, the challenges of visibility, scalability and the evolving risk profile of third-party partners loom large. Amid these challenges, there is also an opportunity to reimagine supply chain security as a key business enabler with a comprehensive risk-based mindset and strategic application of intelligent automation.
Vulnerabilities across the supply chain – The healthcare supply chain's web of suppliers, manufacturers, and service providers compounds cybersecurity challenges. Each vendor might have varying cybersecurity maturity levels, making the entire supply chain vulnerable to the weakest link. Ensuring consistent security measures across such a diverse network remains difficult.
Lack of standardization – Interoperability and data sharing can pose security risks across the supply chain. The challenge is ensuring data flows securely between different systems, organizations, and devices. This not only requires robust encryption and secure data handling practices but also a level of standardization that is difficult to achieve.
An improved overall security posture – By demanding higher cybersecurity standards from vendors, healthcare organizations can not only improve their own security posture but also elevate the overall security standards within the sector. This can be achieved through implementing stringent cybersecurity criteria in procurement contracts, conducting regular audits and offering support for smaller vendors to meet these standards.
A more integrated and resilient network – By adopting comprehensive cybersecurity frameworks and promoting interoperability standards, healthcare organizations can create a more cohesive and secure supply chain. This integration can facilitate better data sharing and collaboration, making the supply chain more adaptable to changes and better equipped to respond to cybersecurity threats.
While modernizing supply chain security remains critical, the days of lengthy and manual risk assessments are fading into the past as they are neither financially nor operationally scalable. New technologies and tools are continually improving the ability to diagnose cyber risk and triage vendor focus areas, reducing the manual effort required and allowing for more bandwidth on resiliency efforts.
Real-world cybersecurity in the healthcare sector
In early 2024, a major MedTech company suffered a cyber breach. The attack caused serious issues for several providers and continued to disrupt key operations for months, highlighting the vulnerability of healthcare organizations and illustrating that even large market leaders were susceptible to advanced cyber threats.
As a result of the attack, providers could not process claims and collect payment from insurers. In addition to financial impacts, the attack delayed pre-authorization, verification of coverage, and prescription-filling processes, which affected patient care. While the company restored certain services, there continues to be an issue with a backlog of claims and financial disruptions for providers.
This incident increased scrutiny of healthcare cybersecurity practices, leading healthcare organizations to strengthen their security infrastructure and prioritize continuous monitoring and threat detection capabilities to identify potential cyber threats faster.
Many companies are working to enhance their cybersecurity measures by reviewing technical access controls, revisiting incident response plans, incorporating comprehensive security awareness training, establishing off-site backup systems and prioritizing regular updates and patches for hardware and software assets in their environment.
Key takeaways for healthcare leaders
- Healthcare involves life and death decision making. Healthcare organizations cannot afford to have locked systems when lives are at stake. To improve organizational resiliency, comprehensive incident response plans are needed that outline procedures to identify, contain, eradicate and recover from various cyberattacks.
- As the industry embraces technology with a focus on improving patient outcomes and experiences, establishing governance frameworks and ethical guidelines for the user and development of AI in healthcare operations, ensuring robust data privacy and security measures.
- With complex, interdependent ecosystems, healthcare organizations need to be able to assess the security posture of third parties and implement continuous monitoring plans to promptly detect and address potential supply chain vulnerabilities.
How KPMG can help
Increasingly healthcare organizations are turning to technology to address the many challenges they face. Technology makes many things possible, but possible doesn’t always mean safe. As cyber threats grow in volume and sophistication, technology becomes essential for meeting the needs of patients, and managing the expectations of providers, staff and health system partners.
KPMG firm professionals work with healthcare organizations around the world to help address market challenges, provide in-depth industry perspectives, assess cybersecurity programs, develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks, and help design appropriate responses to cyber incidents.
Get in touch to learn more about how KPMG’s cyber security services can help meet your organization’s current and future needs.
Author
Anurag Rai
Global lead, Cyber security in healthcare, KPMG International; Principal, Advisory, Cyber Security Services
KPMG in the U.S.
2 Partnership for Healthcare System Sustainability and Resilience. (2023). Key findings from country reports: Building sustainable and resilient health systems.
4 Ibid.
