
2025 Healthcare Cybersecurity Predictions

Twenty Twenty-Five

As someone who has been evangelizing the need for improved healthcare cybersecurity for decades, every year I am hopeful that the new year will be better for healthcare security - that there will be fewer breaches, fewer supply chain attacks, fewer denial-of-service attempts, and fewer ransomware attacks. However, statistics don't lie, nor do trends, so it's unlikely that I will get my wish in 2025.

The Global Cybersecurity Landscape

Each year, more and more healthcare payers, providers, and life sciences organizations are hit with devastating and costly cyber-attacks. Increasingly, these cyber-attacks can impact entire communities. We saw this in West Texas in September and October of 2024 when both UMC and Texas Tech University Health Sciences Center were hit with separate ransomware attacks. This essentially denied Level 1 trauma care to multiple communities, impacting an area greater than 250 miles in diameter. It's likely that we could see more of these high-impact overlapping attacks in 2025, for various reasons, as I shall explain shortly.

Healthcare is in the crosshairs and is both an easy and a soft target for a growing number of opportunistic perpetrators. It has a large and sprawling supply chain, which when attacked can have sweeping implications for the industry players themselves. On top of that, as a critical national infrastructure industry, and in times of geopolitical conflict and cyber warfare, the industry is also a strategic political target. It is being hit from all sides - from organized crime syndicates to state actors, with a rising body of evidence to suggest collaboration and coordination between the two groups.

As a critical national infrastructure industry, healthcare will, I believe, be the recipient of increasing levels of direct and indirect government cyber assistance in 2025. Expecting small, independent, or even state-run healthcare providers to defend themselves against the might of the highly organized Russian Mafia crime syndicates or the offensive instruments of a pariah state's military and intelligence organizations makes absolutely no sense. Thus, government will need to step in. We are seeing this already in the UK, EU, and Australia, with much higher levels of direct involvement and intelligence sharing by government agencies. The US is expected to follow suit in 2025. However, very few governments are ready and prepared to directly protect their healthcare systems at present.

2025 will likely see even more ransomware attacks against healthcare providers. This will no doubt continue until such time as ransom payments and other forms of cyber extortion demand are finally and fully made illegal. Ransomware is a very lucrative industry, whose growth is being fueled by larger and larger payments from victims. The lack of resiliency across the healthcare industry, combined with the critical need for operational availability, makes healthcare a prime target for such attacks. As such, expect many more.

Supply chain attacks against the thousands of third-party vendors, suppliers, and service providers will continue to be the open back door into an otherwise secure healthcare industry. Software supply chain attacks and strikes against critical single points of failure across the array of healthcare infrastructure will likely continue for as long as the war with Russia does. This means that payers, providers, and life sciences organizations need to develop much stronger risk management processes around their multitude of third-party vendors. This should include a full inventory and risk analysis of all organizations that have direct or indirect access to medical networks, including third-party applications and devices. Cyber-attacks against Synnovis, Change Healthcare, Microsoft, SolarWinds, and others have wreaked havoc across hundreds of organizations through the attack on a single third party. The return on investment for perpetrators is therefore huge. Expect many more in 2025.

2025 will also see the rise of nation-state attacks. The recent Salt Typhoon attack against critical infrastructure telecommunications providers by the People's Republic of China, and a dozen other Chinese Typhoon attacks, are an indication of growing geopolitical tensions as China, Russia, Iran, and the DPRK face off against the western world in what is being termed the 'Axis of Resistance'. With Russia and Iran already engaged in hybrid and proxy wars, cyber is increasingly being viewed as a convenient weapon of choice that inflicts damage and retribution without crossing a line that would result in a kinetic response from the attacked nation. All critical national infrastructure industries could be the target of increased attention from Axis powers and will need to prepare accordingly. Nation-state cyber-attacks will be 2025's biggest single threat.


Regulatory Changes

2025 will likely see major changes to US healthcare regulation with the passage (sometime during the year) of the Health Infrastructure Security and Accountability Act (HISAA). This is the long-awaited update to, or replacement of, the ailing and out-of-date 1996 HIPAA security rule, which has governed the US healthcare industry for over two decades now. HISAA aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but it will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

HISAA will no doubt help to move the cybersecurity needle, just as NIS2 in Europe and the CAF in the UK are already beginning to do. But 'compliant' does not mean 'secure', and most regulations are out of date the day they are enacted. It's therefore important for healthcare entities to adopt a risk-based approach to security rather than a purely compliance-based one. That means understanding what, and who, connects to hospital networks; assessing people, processes, and technologies; and conducting a full risk analysis to identify, track, and remediate security vulnerabilities on an ongoing basis. This will become ever more important as new, innovative technology is added to medical networks.

New Technology

The healthcare industry creates more data than any other industry. To say that there are now healthcare data lakes would be an understatement. Each patient that is seen, diagnosed, and treated, creates vast amounts of useful medical data. This data can then be mined by healthcare data scientists and used to train artificial intelligence (AI) algorithms for machine-learning-based applications used for clinical decision support, and many other areas of medicine.


2025 will see these data lakes become even larger and, combined with improvements in AI training, enhance the tools available to clinicians. But just like all data repositories, this highly valuable data needs to be encrypted and protected. The RSNA Conference in November highlighted once again the need for better encryption, while revealing new advancements in radiological and medical imaging, thanks in part to improvements in AI. This is leading to earlier diagnosis and the opportunity to medically intervene in patient care, thus improving outcomes while reducing cost. 2025 will see continuous growth in the capabilities of medical AI, including advances in precision medicine which one day will totally change the entire paradigm of medical care and treatment of patients.

But AI is a new technology, and new technology often introduces new risks. Its data, its algorithms, and its applications all need to be secured against new types of cyberattack, including data poisoning and adversarial machine learning. AI is also being used to weaponize existing malware strains, making that malware stealthy, almost impossible to detect, and deadly when its payloads are deployed on unsuspecting networks. 2025 will likely see the continued development of offensive AI attack tools by hackers. At the same time, security software companies will be engaged in an arms race to quickly develop defensive AI capabilities in their NDR, XDR, and other security applications. Cylera, as an example of a next-generation IoT security platform, has invested heavily in AI since the company's founding. It continues to build and deploy new and enhanced AI capabilities that help to automate the orchestration of improved cybersecurity for customers. We will see a lot more AI in 2025, along with better automated security tools and platforms with much faster-than-human response times and less need for human intervention.

Cybersecurity Resource Shortage


The shortage of security professionals reached 4.8 million in 2024, a growth of 19% over 2023. There simply aren't enough soldiers to defend the fort against a rising number of attacks. In fact, according to the World Economic Forum, the global talent shortage could reach 85 million workers by 2030. While universities and training academies have stepped up their education offerings in cybersecurity, it will take many years before this shortage is addressed – if ever, given rising needs.

Burnout and retention of cybersecurity professionals are growing problems as the job of defending an organization, sometimes against truly overwhelming odds, becomes even tougher. The 'buck' really does stop at the CISO's desk, yet CISOs remain relatively unempowered to make decisions around enterprise security risk. Many security leaders still lack direct access to the board to properly relay cyber-risk, despite years of industry groups telling CEOs that they need to provide it. That is slowly changing, and 2025 will likely see an evolution in the partnership between CISOs and their boards.

While job satisfaction and not feeling ignored remain critical for retention, so too does work-life balance for security teams and their leaders. 'Return to the office' has, for many, done little to offset the practice of working around the clock, something that started during the COVID pandemic while covering for sick colleagues and dealing with a huge uptick in security needs. It's important that security teams and their leaders feel needed and respected, and that senior management empowers them not to work every weekend. Achieving better work-life balance will be a major objective for many security leaders in 2025.

In Conclusion

2025 will be an evolution of what we saw in 2024 rather than any sort of revolutionary change in January. Domestic and international politics may have a significant role to play in both attack and defense, as both sides rearrange their players and adjust their cyber strategies. The healthcare security threat surface will continue to expand as more and more devices and applications connect to medical networks and interoperability between healthcare systems continues to advance. Diligence will be critical, as will visibility and understanding of risk. Automation of security tools will become ever more important as the shortage of people to watch screens becomes critical, and various forms of AI will likely play an increasing role in both healthcare applications and security.



This blog was first posted at the following location.