Increasing cyberattacks are challenging the ability of healthcare organizations to maintain their daily operations and provide timely and effective patient care. The disruption caused by such attacks has led the Federal Bureau of Investigation (FBI) and the Department of Justice to classify them as “threats to life” crimes, posing serious risks to patient and public safety.
To combat these threats, healthcare organizations must implement strategies that consolidate data protection and improve cyber resilience. Such approaches enhance security while reducing costs, allowing funds to be reinvested in innovation and new technologies.
“Healthcare organizations are under constant cost reduction pressure, which extends to security teams,” says David Houlding, CISSP, CIPP, Microsoft’s Director of Global Healthcare Security and Compliance Strategy.
“Security teams are often understaffed, with skilled resources hard to find, costly, and difficult to retain,” Houlding continues. “Improving the speed, scale, accuracy, and upskilling of these teams is crucial, regardless of security operations center size.”
Reducing risk, meeting regulatory requirements, and preparing for cyber-attacks not only protect data and ensure quality and continuity of patient care, but they also drive cost savings and simplify management.
Challenges Facing Healthcare Data Security
Healthcare providers are grappling with both internal and external challenges to maintain secure operations.
Verizon’s 2023 Data Breach Investigations Report highlights an alarming rise in external threats to healthcare, with ransomware being particularly disruptive. External attackers were responsible for 66% of data breaches, primarily targeting personal and medical information.
According to the Office of the Director of National Intelligence, ransomware claims increased by 74% globally in 2023, with attacks against the U.S. healthcare sector rising by 128%. This surge affected 258 victims in 2023 compared to 113 in 2022.
External threats are on the rise just as the healthcare system struggles to maintain a skilled security workforce. The 2023 HIMSS Cybersecurity Survey reveals that 43% of healthcare organizations lack the budget to hire professionals, with many reporting shortages in both healthcare and cybersecurity experience. Furthermore, 37% of organizations struggle to find qualified candidates and 21% note that there are insufficient skills in the talent pool.
“Providing guidance and on-the-job learning opportunities enhances their skills and effectiveness in managing security challenges,” notes Houlding.
Beyond staffing shortages, many healthcare organizations are using outdated systems. A 2023 Department of Health & Human Services report on hospital cyber resiliency found inconsistent adoption of critical security measures and widespread use of outdated systems. Notably, 96% of hospitals still rely on end-of-life systems with known vulnerabilities.
Failure to update these systems not only risks patient safety but can also result in significant financial costs to healthcare organizations. Healthcare remains the most expensive industry for data breaches, with average breach costs reaching $9.77 million in 2024, according to IBM’s Cost of a Data Breach Report. The sector’s reliance on outdated technology, combined with healthcare providers’ low tolerance for operational disruption, makes it an attractive target.
Service disruptions and system outages have immediate and lasting effects, compromising the quality and safety of patient care, eroding patient trust, jeopardizing outcomes, and threatening healthcare sustainability. Investing in cybersecurity and resilience is crucial to prevent these risks.
A Secure and Cost-Effective Path Forward
In healthcare, compliance with regulatory standards and effective risk mitigation are essential to protect sensitive patient data.
“HIPAA sets important standards for patient data protection but is widely seen as insufficient for fully mitigating today’s risks,” says Houlding. “In cyber resilience, data availability is as vital as confidentiality and integrity. Attacks like ransomware and denial of service targeting the availability of data and systems can halt operations. Addressing risks such as ransomware, insider threats, and third-party vulnerabilities is crucial for maintaining security.”
Healthcare organizations should regularly assess security gaps using Zero Trust cybersecurity frameworks, focusing on long-term strategies to address threats such as ransomware while optimizing limited resources for data resilience and breach recovery.
Integrated security solutions reduce costs and improve efficiency, preventing disjointed systems from overwhelming analysts and increasing the risk of missed threats. AI-driven solutions can help improve the speed, scale, and accuracy of security teams, streamlining operations, upskilling analysts with timely guidance in teachable moments, and improving threat detection and response.
As health systems, hospitals, and physician groups work to reduce technical debt by modernizing their IT infrastructure and moving to the cloud, resilience and security become even more critical.
“Shifting to cloud environments, including hybrid models, requires end-to-end resilience and compliance,” Houlding explains. “Healthcare organizations are migrating systems like EHRs to the cloud to reduce technical debt, improve agility and scale, and focus more on developing higher-level healthcare applications. Since migrations can take months or years, it’s crucial to maintain resilience for seamless data access and ensure compliance to protect systems and data during the transition.”
As cyber threats evolve, healthcare organizations must adopt a proactive, integrated approach to security and resilience. Prioritizing long-term strategies and leveraging advanced tools safeguards patient data, builds trust, and ensures smooth operations. Investing in robust, integrated, AI-powered cybersecurity now mitigates immediate risks and strengthens future resilience.
“Microsoft’s healthcare investment is strengthened by Commvault’s deep industry expertise,” says Karen Cox, Microsoft’s Global Healthcare Partner Strategy Leader. “Commvault’s expertise in healthcare workloads complements Microsoft’s security, making them a key partner in delivering comprehensive solutions.”
Commvault’s any-to-any portability enhances healthcare organizations’ cyber resilience, enabling rapid, infection-free recovery and safeguarding patient data. Additionally, Commvault Cloud Cleanroom Recovery, validated by TechTarget’s Enterprise Strategy Group, ensures recovery into a clean environment, protecting against ransomware and securing critical data.