Top healthcare cybersecurity, privacy predictions for 2025

Healthcare cybersecurity and privacy experts predict a renewed focus on cyber-resilience, advancements in AI and additional privacy legislation going into 2025.

Cyberattacks and data breaches hit healthcare hard in 2024, and the sector is preparing for yet another busy year when it comes to healthcare cybersecurity and privacy activities.

The 10 largest data breaches reported to the HHS Office for Civil Rights (OCR) in 2024 affected 137 million individuals combined, and the total breach tally for the year will surpass 168 million. Nine of the 10 largest breaches were attributed to a hacking or IT incident, exemplifying the continued effects of cyberattacks on the sector.

As we look forward to 2025, healthcare is likely to remain a target for cyberattacks and data breaches. However, experts predict that the sector's response to and preparation for these incidents will shift, whether through day-to-day defense tactics or legislative action.

Healthcare sector will focus more on cyber-resilience, hygiene

Cyber-resilience remains a key focus area for healthcare organizations going into the new year as cyberattacks continue to disrupt operations and supply chains.

"In 2025, resilience in healthcare cybersecurity will continue to evolve from a reactive stance to a proactive spectrum," said Ty Greenhalgh, industry principal of healthcare at Claroty.

Greenhalgh predicted that ransomware will remain the primary cyberattack method in 2025, requiring healthcare organizations to employ defensive strategies to make hackers' jobs more difficult.

"Healthcare organizations need to integrate resilience into their cybersecurity strategies if they want to survive, focusing on anticipating stresses and taking proactive measures before incidents occur," Greenhalgh added. "This shift not only minimizes the impact of potential threats but also ensures faster recovery and continuity of operations, ultimately safeguarding patient care and organizational assets."

In 2023, HHS and the Health Sector Coordinating Council issued a comprehensive landscape analysis that explored the state of cybersecurity resilience in U.S. hospitals. The landscape analysis revealed significant gaps in hospital cyber-resilience, including underuse of multifactor authentication (MFA) and notable supply chain risks.

In February 2024, the Change Healthcare cyberattack disrupted healthcare operations across the country, further underscoring the importance of fundamental security controls and cyber-resilience. The attack succeeded because cyberthreat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected by MFA.

To Mason Clutter, data security partner at Frost Brown Todd and former chief privacy officer at the U.S. Department of Homeland Security, 2025 will be a year of focusing on foundational security measures.

"What's old is new again in 2025. Personal health information is incredibly sensitive, private, and ultimately, valuable information," Clutter said. "The lessons of the past come full circle in 2025: cyber hygiene is key -- both on the provider's end and the patient's."

Continuous monitoring of cyber threats and the implementation of appropriate safeguards and basic cyber hygiene will go a long way in protecting healthcare systems in 2025 and beyond.

AI will continue to present new threats, opportunities

As the role of AI in healthcare evolves, security and privacy protections are crucial. Both cyberthreat actors and defenders have learned to use AI to their benefit and will likely continue to do so in 2025.

"The use of AI by cybercriminals will significantly increase in 2025, creating more sophisticated and targeted attacks against healthcare organizations," said Brian McGinnis, partner at Barnes & Thornburg and co-chair of the firm's data security and privacy practice group. "Increased use of generative AI tools will enable threat actors to craft attacks such as highly personalized phishing campaigns and develop autonomous malware capable of bypassing traditional security measures."

Cyberthreat actors can use AI tools to craft more convincing phishing emails and increase the speed and volume of their attacks.

To mitigate risk, McGinnis recommended that healthcare organizations implement their own AI-powered cybersecurity tools to enable constant cyberthreat monitoring and enhance their employee training programs to help employees recognize AI threats.

"Collaboration and information sharing with regulators and industry peers will also be critical to staying ahead of adversaries who are increasingly leveraging AI for malicious purposes," McGinnis added.

For Shannon Hartsfield, partner at Holland & Knight, AI remains a driver for innovation in healthcare, but privacy risks cannot be ignored.

"Developers of AI tools will have an increasing need for data to train large language models, but regulators have concerns about using personal data in that manner," Hartsfield said. "Also, HIPAA imposes restrictions that could impede such uses."

As health IT professionals grapple with the security and privacy implications of AI, 2025 is sure to bring a new set of challenges and opportunities for innovation.

Privacy, security legislation will expand at state, federal levels

In addition to a focus on cyber-resilience and ongoing advancements in AI, lawmakers are likely to continue proposing additional privacy and security legislation at state and federal levels.

For example, the HIPAA Security Rule is expected to be updated by the end of 2024 or early 2025. HHS submitted a draft to the U.S. Office of Management and Budget in October 2024, which is currently under review.

"The HIPAA Security Rule was finalized over two decades ago, and security capabilities and threats have changed tremendously," Hartsfield said. "The Security Rule is flexible and scalable, but it would be helpful to have more guidance aimed at today's technology."

What's more, experts predicted that the industry would continue to see states adopting their own privacy legislation.

"In 2025, more states are likely to enact laws like Washington's My Health My Data Act, protecting consumer health data that falls outside of HIPAA regulation," said Tara Cho, chair of Womble Bond Dickinson's privacy and cybersecurity team.

Washington State's My Health My Data Act, passed in 2023, gives consumers additional privacy protections by allowing them to withdraw consent and request data deletion.

Washington is not the only state to have taken action.

"Since the California Consumer Privacy Act took effect in 2020, 20 U.S. states have enacted comprehensive privacy laws, and this trend shows no signs of slowing," McGinnis said.

By the end of 2025, eight other states will have new privacy protections in place that provide additional protections for various types of personal data, McGinnis noted. As the patchwork of state and federal privacy laws grows more complex, entities that handle health data will have to understand how HIPAA interacts with each of these state laws, where it does at all, and comply accordingly.

Going into 2025, healthcare organizations and other entities that handle health data can expect another year of adapting to the changing cyberthreat landscape, monitoring the security implications of AI and preparing for upcoming security and privacy legislation.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.