October 8, 2024 | Insight
Hacked to Death: The Urgent Need for Healthcare Cybersecurity Reform
Imagine you are rushed to the hospital, fighting for your life, only to have your treatment delayed because the staff cannot find your records. The reason? Hackers have crippled the hospital’s electronic systems, breaching millions of patient records, including yours. This is not a rare nightmare — it is a reality. By April 2024, 32.5 million patient records had already been breached, a number that climbs with every passing day.
This is not just about stolen data but about lives hanging in the balance. In February, Change Healthcare paid $22 million in ransom to hackers who held its systems hostage. It is a stark reminder that our healthcare system is an open target — ready to pay any price to protect lives yet utterly unprepared to fend off the next attack. Cybersecurity in healthcare is not just about technology; it is about people. Human error remains a vulnerability despite sophisticated defenses, contributing to 68 percent of malware attacks. Despite their best efforts, hospitals often revert to minimal cyber training once an attack has passed, slipping back into survival mode until the next one. Simple phishing prevention emails are not cutting it. The healthcare sector needs to wake up to the urgent need for effective, comprehensive cyber training.
Yet the current state of cybersecurity training in healthcare is abysmal. The Health Insurance Portability and Accountability Act (HIPAA) offers flexible but woefully insufficient guidelines. Only 37 percent of hospitals conduct annual cybersecurity drills despite overwhelming evidence that effective learning requires reinforcement. When training is infrequent and impersonal, hospital staff remain ill-prepared for the relentless tide of cyber threats. The truth is that our policies are too weak. HIPAA’s vague training requirements, with no mandatory session numbers, leave a gaping hole in our defenses. As a result, 56 percent of healthcare organizations allocate less than 10 percent of their IT budget to cybersecurity. The lack of structured training fosters a culture of neglect, where cybersecurity is seen as an inconvenient task rather than a critical responsibility.
Several key recommendations can address the urgent need for enhanced cybersecurity in the healthcare sector. First, healthcare institutions must prioritize comprehensive cybersecurity training tailored to the industry’s unique challenges. This training should be adaptable to different healthcare environments, particularly for small and rural providers that may lack the resources of larger institutions.
Equally important is a thorough analysis of the cybersecurity workforce shortages by the sector risk management agency for healthcare, the Department of Health and Human Services. Addressing these gaps, especially in resource-limited rural areas, is critical. By investing in workforce development and ensuring healthcare providers have access to skilled cybersecurity professionals, the sector can better protect patient data and maintain the integrity of essential services.
Finally, continuous learning is crucial in the healthcare sector due to the rapidly evolving nature of cyber threats. Regular cybersecurity drills and simulation exercises are not just necessary — they are vital. These exercises should mirror real-world cyberattack scenarios, enabling staff to continually refine their response strategies and identify emerging weaknesses in their protocols. By conducting these drills frequently, healthcare teams can stay prepared to act swiftly and effectively during cyber incidents, addressing vulnerabilities before they can be exploited. This ongoing practice is essential for reinforcing a culture of cybersecurity awareness and readiness, ensuring that healthcare institutions remain resilient in the face of ever-changing threats.
The health industry cannot afford to ignore this. The Department of Homeland Security’s strategic guidance emphasizes resilience in critical infrastructure. It is time to apply the same rigor to our healthcare system. This means adopting a more stringent, structured approach to cyber training and policy implementation. It is not just about protecting patient data but about ensuring that hospitals can save lives, even when their systems are under siege.
Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Zachary Daher served as a summer 2024 intern. Mr. Daher is a cyber science student at the United States Military Academy at West Point.