What is Cyber Espionage and why is it so concerning?

It's often said that there are two types of healthcare organizations, those that know they have been hacked and those that are still ignorant of the fact. In other words, just about everyone has already been hacked at least once by now - payers, providers and life sciences.

But while cyberattacks against availability of IT systems and data - principally Denial of Service (DOS) and Ransomware cyber extortion attacks, seem to make the headlines almost every week, there are other stealthier attacks taking place in the background, almost constantly in fact. This involves the exfiltration of non-public data. Sometimes this is used for extortion in secondary and tertiary ransomware demands with the threat to release confidential non-public data unless an additional ransom is payed to the criminal perpetrators. Other times it is for the sale and monetization of data - patient identities, their prescriptions which can be filled and sold on the street, or other PHI or PII data - employee banking information for example. And sometimes perpetrators deliberately search for high value intellectual property data. This last category is usually referred to as 'cyber espionage', and only occasionally makes the front page of the press, usually then only when some government official makes a stink about the sheer levels of cyber espionage and intellectual property theft taking place.

The Art of Espionage

'Espionage' according to the Oxford Dictionary is the practice of spying or of using spies, typically by governments to obtain political and military information.

So 'cyber espionage' is chiefly about obtaining political and military information, not by the use of spies like 007 James Bond, but by means of cyber attacks and infiltration of non-public information systems.

The advent of the internet and the connectivity of government and health systems to the internet has made cyber espionage that much easier. You no longer need someone on-site or in-country - an insider threat,  spy or double agent to obtain valuable information. KGB spies like Rudolf Abel, Kim Philby, Oleg Gordievsky, Aldrich Ames, and Anna Chapman for example.

Today all governments spy on one another - even between friends and allies. The US NSA was accused of hacking and listening into the French President’s cell phone some years ago according to Wikileaks, and at that time at least, before the tariff war, France and the USA were friends and allies.

The USA spies on Iran to ascertain the level of uranium enrichment it has achieved since Trump in his first term pulled out of the Iran Nuclear Deal thinking he could negotiate a better deal and failed. The USA also spies on China, North Korea and Russia about each's military capabilities and a wide variety of other useful data points and strategic moves.

The Art of Cyber Espionage and IP Theft

But countries also occasionally spy on other forms of data. Enter the Peoples Republic of China and the huge revelation exposed by the Mandiant APT1 Report in 2013. If you have not read this or a summary of this report you really should do. It changed the game and our understanding of cyber espionage against commercial businesses.

APT1 is otherwise known as PLA Unit 61398 (61398部队) a military unit of the Chinese Communist Party, Peoples Liberation Army. These aren’t criminal hackers they are employees of the Chinese Communist State. They are paid to hack, but not just government or military secrets - in this case intellectual property and commercial trade secrets from businesses in other countries.

China is famous for its Great Leap Forward, Mao’s attempt between 1959 to 1961 to take China from a feudal agrarian society to an industrial powerhouse. It failed and resulted in the death of 45 million people who mostly starved to death, under Mao’s ill-conceived and badly run collective agriculture and industry policy. (That’s more than double the total number of soldiers to die during WWII across all theaters to provide some perspective just how big a human calamity this was.)

After decades of isolation from the rest of the world, China has since the 1990s, once again been attempting another Great Leap Forward through rapid modernization and industrialization becoming the factory of the world for consumer goods. This time around however, China largely succeeded and has taken millions of its people out of abject poverty, through industrialization, urbanization and education.

Ownership of the Means of Production

But in China the 'means of production' is owned almost entirely by the state. CCP state owned industries dominate and even hold a majority share in joint ventures with global firms which are only allowed to own a 49% stake.

The ruling CCP also puts together 5 year plans. These ambitious documents usually discuss how China will be the global leader in EVs, or the largest manufacturer of pharmaceutical drugs, or the global leader in aeronautical engineering, etc.

But to reach these lofty goals, to make up for the lost years of communist isolationism and stagnation under Mao, and a lack of history, knowledge and experience, China has had to obtain technologies, manufacturing standards, and a heap of other proprietary commercial trade secrets from world leaders outside of the PRC - usually by what ever means at its disposal. Mostly this means through 'cyber espionage' and supplemented by process and procedure skills brought back from Chinese diaspora working overseas.

According to a 2022 report by Cybereason one China state actor alone, APT41, has siphoned off trillions of US dollars in intellectual property theft from approximately 30 multinational companies within the manufacturing, energy and pharmaceutical sectors. The Cybereason investigation entitled 'Operation CuckooBees' was shared with the FBI, and discovered APT41 'stealing IP of drugs around diabetes, obesity, depression.' Cybercriminals were focused on obtaining blueprints for cutting-edge technologies, the majority of which were not yet patented, the report stated.

Chinese IP theft has included the theft of pharmaceutical drug formations, clinical trail methodologies and practices, manufacturing IP and much, much else. It has short-cut 50 plus years of IP development by global pharmaceutical companies, sometime including experimental drugs developed at over a decade or more at the costs of hundreds of millions of dollars, pounds and euros in R&D. China has even patented some these stolen experimental drugs and attempted to sell them back to the global markets that invented them and financed their research.

Levels of Cyber Espionage and IP Theft

Between 2018 and 2019, Bayer and Roche were both targeted by nation-state APT cyber attacks, aimed at industrial espionage, and attempting to steal valuable intellectual property. Both companies claimed to have contained the breaches without significant data or intellectual property loss, but other biotech and pharmaceutical organizations have fared less well.

During COVID-19, both China, and to a lesser extent Russia, Iran, and the DPRK, were discovered to be attacking US, UK, German and other hospitals and bio-labs, in an attempt to steal cutting edge research into vaccine development and treatment regimens. This resulted in CISA, the US Cybersecurity Infrastructure Security Agency, having to issue a warning about cyberattacks by China and others.

Intellectual property theft through cyber espionage for the Peoples Republic of China is strategic, state directed and financed, and seen as being critical for national development. Commercial trade secrets are stolen by the Chinese army and passed directly to army run state owned industries. These industries then leverage stolen research, or copy IP for incorporation in new pharmaceutical drugs and other products, which can then be sold on domestic or even overseas markets.

According to the US Select Committee on the Chinese Communist Party, Chinese intellectual property theft was in 2023, estimated to cost the US taxpayer $600 billion per year. This is why 'cyber espionage' is considered so important today for both China which is acquiring it, and the rest of the world which is losing it through cyber theft.

China though is not just engaged in IP theft. Many of its cyber espionage attacks have been focused upon leverage in state negotiations. The cyberattack against Singapore Health (SingHealth in 2018) resulted in the theft of not only medical records but also prescription records for the Prime Minister and his entire cabinet. Again, this was a CCP China advanced persistent threat (APT) attack not to sell the exfiltrated data but to use it as leverage in Sino-Singapore trade negotiations.

Read More

The Change Healthcare Breach & the Need to Secure Third Party Vendors

The Change Healthcare cyberattack, which exposed data of an estimated 190 million people, cost UnitedHealth Group (UHG) around $2.87 billion in 2024, including $1.7 billion in direct response costs. Final costs after all the regulatory and punitive fines, damages, and restitution could be much higher, as with any healthcare breach.

This was obviously a landslide attack - bigger and more impactful than all other healthcare cyberattacks anywhere in the world. This attack by Russian group ALPHV completely overshadowed the Chinese theft of 78.8 million medical records during a 2015 cyberattack against Anthem, now Elevance Health – at the time the largest healthcare data breach in history.

While any cyber-attack against a critical national infrastructure industry like healthcare is huge, the impact of the Change breach impacted the Availability of healthcare services for a significant percentage of Americans who were unable to receive approval for medical procedures or even to pick up their pharmaceutical prescriptions. Yet our healthcare regulations which date from 1996 are myopically focused on the protection of Confidentiality – something that is already lost to the vast majority of Americans thanks to countless overlapping cyber attacks.

When all is said and done and dust finally clears after the Change attack, a number of smaller hospitals, clinics and other healthcare providers will have gone out of business depriving entire communities of tertiary healthcare, while patient morbidity and mortality figures will have spiked as a result of denial of needed medical procedures, or life extending prescription medications. This may have appeared to be a simple ransomware attack, but the national security implications are significant.

You can bet that the Russians and Chinese watched what happened with the Change failure and took extensive notes.

Above all there is a very concerning danger that a similar or even bigger more impactful cyber attack could be executed against US healthcare through UHG or another dominant third party vendor that controls much of the US healthcare industry. As consolidation and vertical integration of US healthcare continues unabated, the emergence of single points of critical failure is inevitable and nothing is 'too big to fail'. Especially in times of 'hybrid' or 'grey warfare' between nation states.

CHIMSS

This was the subject of a cybersecurity panel discussion this week at the Colorado HIMSS CxO Advocacy Breakfast Summit, where over 200 local Colorado healthcare leaders gathered with Hal Wolf, President and CEO of HIMSS to discuss the state of the healthcare industry in Colorado.

With ransom attacks soaring in both the number of hospitals being hit and the extortion amount demanded, ransomware has become and existential threat to the survival of many healthcare delivery providers. According to the FBI, the healthcare industry is the top recipient of ransomware attacks because of its fragility, the need to restore patient services quickly, and its intolerance for downtime.

The Change cyberattack raised many concerns about the security of third-party vendors and single points of critical failure in a highly complex and intertwined healthcare ecosystem.

Huge single points of failure like Optum Health which owns Change Healthcare under UnitedHealth Group, dramatically increases risk impact when that organization is attacked. This is especially concerning where “providers cannot quickly pivot to other healthcare clearing houses and service providers”, claimed Howard Haile, CTO at Intermountain Health. “Very few were able to do this, and very few are setup to make such a switch quickly” he exclaimed.

“It taught us that third-party assessments for risk aren’t very effective,” Haile added. “This wasn’t just a vendor going down. You suddenly can’t bill or receive payment; your entire revenue cycle grinds to a halt. It’s not the same as losing access to a few patient records, it’s an existential threat to your operations.”

Another concern raised by Rick Bohm, CISO at Point Solutions Group is that the industry doesn’t properly assess risks of third-party vendors. “We are not testing third party systems to find vulnerabilities until it’s too late. I can guarantee that I can find similar vulnerabilities in the vast majority of vendor systems that healthcare relies upon every day” he claimed.

With literally thousands of third party vendors, suppliers and outsourced services providers its impossible for a Regulated Entity (RE) to audit each of its third parties or to collect and validate SOC2 attestations of security compliance.

“Furthermore, we don’t know what connects to our medical networks” added Richard Staynings, Chief Security Strategist with Cylera. “75% of connected assets – network endpoints – are not managed by IT and at most providers, security teams currently have very limited visibility into these IoT systems. Many don't even have an accurate count of what connects to their networks.

“Many of the medical devices on our networks are 20+ years old, written in EPROM, a programming language from the 1980s – and they are the secure ones! The newer devices run on Windows Embedded, in many cases using the same generation of code as Windows 95 or Windows XP and we all know how secure each of those are today. No one in this room would conduct their Internet banking on a Windows 95 or XP machine, yet we keep patients alive using similar era technology,” Staynings concluded.

Yet, identifying assets, and assessing risks of IoT can be very time consuming and resource intensive. This is where AI comes into its element by automating the entire process because hospital CISOs can’t hire and retain enough staff to do this by any other means.

“Used correctly, AI can be very powerful and very time saving. At Cylera we use Machine Learning (ML) to run passive protocol analysis engines that tell us what systems are communicating over the medical network and from that, can easily identify and risk assess devices unmanaged by IT,” Staynings stated. “That helps healthcare providers build ‘Zero Trust’ across their networks through segmentation and isolation of at-risk devices and other medical systems."

There are certainly many good uses of AI across healthcare to help drive improvements in accuracy and efficiency, as other panels at the CHIMSS event discussed. The concern is when AI algorithmic / training data is poisoned by mis-labeled or deliberately inaccurate data. “We need to be on the lookout for adversarial machine learning and data poisoning,” agreed both Staynings and Bohm.

The recent supply chain attack against GitHub Action and other third parties is a growing concern and in healthcare we use hundreds, if not thousands of third-party vendors, suppliers, and outsourcers. Knowing that your vendors and their systems are secure and meet or exceed your security standards is now absolutely critical for an industry like healthcare.

Read More

North Korea pulls off largest-ever theft in digital asset history

The 21 February heist of Bybit, a Dubai-based cryptocurrency exchange removed a staggering $1.46 billion in cryptoassets according to initial reports. In fact, this incident is likely the biggest known financial theft of all time. Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as per a September 2024 report.

Bybit disclosed that over 400,000 Ethereum and staked Ethereum coins were stolen during the heist. These were initially stored in a "Multisig Cold Wallet," however the funds were somehow transferred to a hot wallet and then siphoned into wallets controlled by the attackers.

"The incident occurred when our ETH multisig cold wallet executed a transfer to our warm wallet. Unfortunately, this transaction was manipulated through a sophisticated attack that masked the signing interface, displaying the correct address while altering the underlying smart contract logic," Bybit explained.

Investigation

According to crypto fraud investigator ZachXBT, the exploiter has already split 10,000 ETH out of the roughly 401,346 ETH stolen in the attack to 48 addresses.

An independent investigation has revealed connections to the infamous Lazarus group. A day after the attack was disclosed by ByBit, Blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group. ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which were added in its X post.

DPRK Crime State

The United States, South Korea, and Japan said in January that North Korean state-backed hacking groups stole over $659 million worth of cryptocurrency last year. Indeed, crypto and other financial theft is the primary avenue through which the heavily sanctioned Hermit Kingdom is able to obtain hard currencies for trade in illicit goods for its nuclear weapons and rocket programs. 

However, one month earlier, blockchain analysis company Chainalysis painted a more dire picture, saying North Korean hackers stole $1.34 billion in cryptocurrency in 47 cyberattacks throughout 2024, breaking their previous record of $1.1 billion from 2022.

Read More

2025 Proposed HIPAA Security Rule Changes

Much Needed Update to HIPAA coming in 2025.

A long overdue update the HIPAA Security Rule, last updated in 2013, is currently being drafted. Many things have changed in digital healthcare since the rules’ last update and today, the healthcare industry is near wholly reliant upon technology for the delivery of services to patients. This includes a rapid expansion of medical devices and other IoT systems, the widespread use of AI and in particular Machine Learning (ML) to mine vast data lakes of medical information now being generated by the industry. The updated rules also take account of widespread use of cloud and virtual technologies and includes provision for even newer technologies including virtual reality, and quantum computing.

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996, at a time when few hospitals or health insurance groups had made the transition to digital records and most users considered a 28.8kbps internet connection to be fast. WiFi, mobile devices, and 5G cellular were still distant dreams as was the meaningful exchange of information in digital format between all those involved in treating patients. The HIPAA Security Rule in particular, was considered out of date the moment it was published, although the act’s Privacy Rule has faired better. In 2009 the HITECH act updated the security requirements of HIPAA Covered Entities (CEs) and Business Associates (BAs) to take account of changes in technology and some major ambiguities in the language of the original rule. A further Omnibus update took place in 2013 for similar reasons.

What is Happening?

On December 27th, HHS OCR announced a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). The rule “seeks to strengthen cybersecurity by updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the health care sector.

What is Changing?

The NPRM proposes to strengthen the Security Rule’s standards and implementation specifications with new proposals and clarifications, including:

• Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  
  
• Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  
  
• Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  
  
• Add specific compliance time periods for many existing requirements.
  
  
• Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  
  
• Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things: A review of the technology asset inventory and network map.
  
  
• Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  
  
• Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems.
  
  
• An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  
  
• Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  
  
• Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example: Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  
  
• Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
  
  
• Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  
  
• Implement written procedures for testing and revising written security incident response plans.
  
  
• Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  
  
• Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  
  
• Require encryption of ePHI at rest and in transit, with limited exceptions.
  
  
• Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include: Deploying anti-malware protection.
  
  
• Removing extraneous software from relevant electronic information systems.
  
  
• Disabling network ports in accordance with the regulated entity’s risk analysis.
  
  
• Require the use of multi-factor authentication, with limited exceptions.
  
  
• Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  
  
• Require network segmentation.
  
  
• Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  
  
• Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  
  
• Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.
  
  
• Require group health plans to include in their plan documents requirements for their group health plan sponsors to: comply with the administrative, physical, and technical safeguards of the Security Rule; ensure that any agent to whom they provide ePHI agrees to implement the administrative, physical, and technical safeguards of the Security Rule; and notify their group health plans upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

HHS OCR has requested feedback on the proposed rule changes be received from REs by March 7, 2025, after which the new rule will be drafted, and a final rule enacted approximately 6 months after that.

Most of these proposed requirements are already being followed by larger and better funded HIPAA CEs, though not all BAs it seems. The proposed rules spell out in a more granular format, each of the ‘required’ and ‘addressable’ rules that CEs and BAs should already be following. What was considered ‘addressable’ is now however, a ‘requirement’ under the proposed rule changes.

Of Specific Interest:

• Language of the proposed rule change removes the distinction between ‘Covered Entity’ (CE) and ‘Business Associate’ (BA) and instead employs the term ‘Regulated Entity’ (RE).
  
  
• Removal of distinction between ‘required’ and ‘addressable’. All are now requirements and must be implemented. Time limits are added to meet requirements and to become compliant.
  
  
• Changes various terms in the HIPAA Security Rule such as ‘electronic media’ to take account of the wider use of VOIP technologies, telehealth, digital messaging, cloud, and AI.
  
  
• A complete asset inventory of all network-connected assets is now required along with a network map that illustrates the movement of ePHI throughout the RE network. This needs to be updated at least every 12 months or when new assets are joined to the network.
  
  
• Each RE needs to know where all of its PHI resides on its network and in which systems, whether owned and operated by the RE or some other entity.
  
  
• Makes it a requirement for network segmentation between operational and IT networks.
  
  
• Requires improved regular testing and security risk analysis that includes:
• technology asset inventory and network map.
• improved identification of threats, vulnerabilities, and risks to the CIA of PHI
  
  
• Requires improved audit of access to PHI by users.
  
  
• Requires improved business continuity, contingency planning, and security incident response capabilities.
  
  
• Requires the use of multi-factor authentication.
  
  
• Sets minimum 24-hour notification time. This applies for BAs to notify CEs, and for subcontractors to notify BAs.

What is Impacted?

If a Regulated Entity (RE) is fully compliant with the HIPAA Security Rule (as updated by HITECH and Omnibus) then very little changes. However, this is unlikely. The updated Security Rule proposal itself states that while conducting an audit of regulated entities against the current Security Rule, OCR found that “94 percent failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

This means that most REs have some work to do in order to catch up with existing Security Rule requirements, let alone the additional effort that will be required to come up to speed with the updated requirements. It also means that more effective risk assessment and analysis is required moving forward.

The intent of this proposed rule change is to remove inconsistent application of the Security Rule across REs. In so doing, it removes the option for ‘reasonableness and appropriateness’ in connection with the costs of security controls, along with often misinterpreted ‘addressable’ implementation specifications to mean they are ‘optional’. These are now ‘required’ and are mandatory.

Furthermore, the rule changes introduce the need to evaluate the ‘effectiveness’ of security controls in supporting the resiliency of the regulated entity. ‘Resiliency’ refers to the entity’s ability to withstand and recover from adverse events. In this regard the changes appear to recognize the vulnerability of REs to denial of service (DOS) and ransomware attacks, and the need to protect against these ‘availability’ attacks through increased resiliency.

This implies the need for much improved business continuity, disaster recovery, and security incident response capabilities so that REs can be back up and running quickly following an incident or attack. It also implies the need for more resiliency in technology architectures using n+2 architectures where a second or third copy of an application can be used in times of need and switched into production quickly. The protracted healthcare downtimes that have impacted the industry recently have been largely caused by single points of failure, an encrypted EMR or other core system with no hot or warm standby, or the ransoming of a critical third party like Change Healthcare as examples.

In Conclusion.

This long-awaited update to healthcare industry security requirements will help to address the chronic imbalance between a growing number of attackers and a largely weak and ill prepared cyber defense across payers and providers. It is intended to lead to massive improvements in security risk assessment and analysis, and the speedy remediation of identified security vulnerabilities. As such, the new rules should reduce the number of successful cyber-attacks, and thus will help to ensure that hospitals and other delivery partners are available in times of medical need by patients and the communities that they serve. Furthermore, these changes will help to reduce growing patient safety concerns, including increased morbidity and mortality when hospitals are under attack.

The need to identify and keep track of connected assets, to know where data resides and moves across medical networks, and to segment operational and IT networks under the proposed rules will be a real deal changer for security. This is well known as the weakest link and is often referred to as the ‘open back door to healthcare security.’ Medical networks and IT / IoT have changed greatly over recent years, as has our reliance upon technologies to diagnose, monitor, treat, and manage patients in our largely digital healthcare system. It's therefore vital that our security controls keep pace with these and other changes.

Read More

2025 Healthcare Cybersecurity Predictions

Twenty Twenty-Five

As someone who has been evangelizing the need for improved healthcare cybersecurity for decades, every year I am hopeful that the new year will be better for healthcare security - that there will be fewer breaches, less supply chain attacks, fewer denial-of-service attempts, and less ransomware attacks. However, statistics don’t lie, nor do trends, so it’s unlikely that I will get my wish in 2025.

The Global Cybersecurity Landscape

Each year, more and more healthcare payers, providers, and life sciences organizations are hit with devastating and costly cyber-attacks. Increasingly these cyber-attacks can impact entire communities. We saw this in West Texas in September and October of 2024 when both UMC and Texas Tech University Health Sciences Center were hit with separate ransomware attacks. This essentially denied Level 1 trauma care to multiple communities impacting an area greater than 250 miles in diameter. It’s likely that we could see more of these high impact overlapping attacks in 2025, for various reasons, as I shall explain shortly.

Healthcare is in the cross hairs and is both an easy and soft target for a growing number of opportunistic perpetrators. It has a large and sprawling supply chain, which when attacked can have sweeping implications for industry players themselves. On top of that, as a critical national infrastructure industry, and in times of geopolitical conflict and cyber warfare, the industry is also a strategic political target. It is being hit from all sides - from organized crime syndicates to state actors, with a rising body of evidence to suggest collaboration and coordination between the two groups.

As a critical national infrastructure industry, healthcare will I believe, be the recipient of increasing levels of government direct and indirect cyber assistance in 2025. Expecting small, independent, or even state-run healthcare providers to defend themselves against the might of the highly organized Russian Mafia crime syndicate or the offensive instruments of a pariah state’s military and intelligence organizations, makes absolutely no sense. Thus, government will need to step in. We are seeing this already in the UK, EU, and Australia with much higher levels of direct involvement and intelligence sharing by government agencies. The US is expected to follow suit in 2025. However, very few governments are ready and prepared to directly protect their healthcare systems at present.

2025 will likely see even more ransomware attacks against healthcare providers. This will no doubt continue until such times that ransom payments and other forms of cyber extortion demand are finally and fully made illegal. Ransomware is a very lucrative industry, whose growth is being fueled by larger and larger payments from victims. Lack of resiliency across the healthcare industry combined with the critical need for operational availability, makes healthcare a prime target for such attacks. As such, expect many more.

Supply chain attacks against the thousands of third-party vendors, suppliers, and services providers will continue to be the open back door to a secure healthcare industry. Software supply chain attacks and strikes against critical single points of failure across the array of healthcare infrastructure will likely continue for as long as the war with Russia does. This means that payers, providers, and life sciences organizations need to develop much stronger risk management processes around their multitude of third-party vendors. This should include full inventory and risk analysis of all organizations who have direct or indirect access to medical networks including third party applications and devices. Cyber-attacks against Synnovis, Change Healthcare, Microsoft, SolarWinds, and others have wreaked havoc across hundreds of organizations with the attack of a single third-party. The return on investment for perpetrators is therefore huge. Expect many more in 2025.

2025 will also see the rise of nation-state attacks. The recent Salt Typhoon attack against critical infrastructure telecommunications providers by the Peoples Republic of China, and a dozen other Chinese Typhoon attacks, are an indication of growing geopolitical tensions as China, Russia, Iran, and the DPRK face off against the western world in what is being termed the ‘Axis of Resistance’. With Russia and Iran already engaged in hybrid and proxy wars, cyber is being viewed increasingly as a convenient weapon of choice that inflicts damage and retribution without crossing a line that will result in a kinetic response from the attacked nation. All critical national infrastructure industries could be the target for increased attention by Axis powers and will need to prepare accordingly. Nation-state cyber-attacks will be 2025’s biggest single threat.

Regulatory Changes

2025 will likely see major changes to US healthcare regulation with the passage (sometime during the year) of the Health Infrastructure Security and Accountability Act (HISAA). This is the long-awaited update or replacement of the ailing and out-of-date 1996 HIPAA security rule which has governed the US healthcare industry for over two decades now. HISAA aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISSA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits, and stress tests, implement serious consequences for non-compliance while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

HISSA will no doubt help to move the cybersecurity needle, just as NIS2 in Europe and CAF in the UK are already beginning to do. But ‘compliant’ does not mean ‘secure’ and most regulations are out of date the day they are enacted. Its therefore important for healthcare entities to adopt a risk-based approach to security rather than a compliance-based one in its place. That means understanding what, and who, connect to hospital networks, assessing people, processes, and technologies, and conducting a full risk analysis to identify, track and remediate security vulnerabilities on an ongoing basis. This will become ever more important as new innovative technology is added to medical networks.

New Technology

The healthcare industry creates more data than any other industry. To say that there are now healthcare data lakes would be an understatement. Each patient that is seen, diagnosed, and treated, creates vast amounts of useful medical data. This data can then be mined by healthcare data scientists and used to train artificial intelligence (AI) algorithms for machine-learning-based applications used for clinical decision support, and many other areas of medicine.

2025 will see these data lakes become even larger and combined with improvements in AI training to enhance the tools available to clinicians. But just like all data repositories, this highly valuable data needs to encrypted and protected. The RSNA Conference in November highlighted once again, the need for better encryption while revealing new advancements to radiological and medical imaging, thanks in part, to improvements in AI. This is leading to earlier diagnosis and opportunity to medically intervene in patient care, thus driving outcomes while reducing cost. 2025 will see a continuous growth in the capabilities of medical AI, including advances in precision medicine which one day, will totally change the entire paradigm of medical care and treatment of patients.

But often AI is a new technology that introduces new risks. Its data, its algorithms, and its applications all need to be secured from new types of cyberattack, including data poisoning and adversarial machine learning. AI is also being used to weaponize existing malware strains and employed to attack victims by making that malware stealthy, almost impossible to detect, and deadly when its payloads are deployed on unsuspecting networks. 2025 will likely see the continued development of offensive AI attack tools by hackers. At the same time security software companies will be engaged in an arms race to quickly develop defensive AI capabilities in their NDR, XDR and other security applications. Cylera, as an example, and as a next generation IoT security platform, has invested heavily in AI since the company’s founding. It continues to build and deploy new and enhanced AI capabilities that help to automate the orchestration of improved cybersecurity for customers. We will see a lot more AI in 2025 along with better automated security tools and platforms with much faster-than-human response times and the need for less intervention.

Cybersecurity Resource Shortage

 

The shortage of security professions reached 4.8 million in 2024, a growth of 19% over 2023. There simply aren’t enough soldiers to defend the fort against a rising number of attacks. In fact, according to the World Economic Forum, the global talent shortage, could reach 85 million workers by 2030. While universities and training academies have stepped up their education offerings in cybersecurity, it will take many years before this shortage is addressed – if ever, given rising needs.

Burn-out and retention of cybersecurity professionals is a growing problem as the job of defending an organization, sometimes against truly overwhelming odds, becomes even tougher. The ‘Buck’ really does stop at the CISOs desk, yet CISOs remain relatively unempowered to make decisions around enterprise security risk. Many security leaders still lack direct access to the board to properly relay cyber-risk, despite years of industry groups telling CEOs they need to do so. That is slowly changing, and 2025 will likely see an evolution in the partnership between CISOs and their boards.

While job satisfaction and not feeling ignored remain critical for retention, so too does work-life balance for security teams and their leaders. ‘Return to the Office’ for many, has done little to off-set the practice of working around the clock, something that started during the COVID pandemic, covering for sick collogues and dealing with a huge uptick in security needs. It’s important that security teams and their leaders feel needed and respected yet empowered by senior management not to feel the need to work every weekend. Achieving better work-life balance will be a major objective for many security leaders in 2025.

In Conclusion

2025 will be an evolution of what we saw in 2024 rather than any sort of revolutionary change in January. Domestic and international politics may have a significant role to play in both attack and defense, as both sides re-arrange their players and adjust their cyber strategies. The healthcare security threat surface will continue to expand as more and more devices and applications connect to medical networks and interoperability between healthcare systems continues to advance. Diligence will be critical, as will visibility and understanding of risk. Automation of security tools will become ever more important, as the shortage of people to watch screens becomes critical, and various forms of AI will likely play an increasing role in both healthcare applications and security.

This blog was first posted at the following location.

Read More