How to Manage Healthcare Cybersecurity Risks and Incidents

The healthcare industry, a cornerstone of society, has become a prime target for cyberattacks. From ransomware incidents to insider threats, healthcare delivery organizations (HDOs) face unprecedented cybersecurity challenges. In a recent discussion, Lynn Sessions, a leading expert in healthcare privacy and cybersecurity compliance, shared her invaluable insights on managing these complex risks. This article distills key lessons from that conversation, providing healthcare professionals, cybersecurity leaders, and compliance officers with actionable strategies to navigate the volatile landscape of healthcare cybersecurity.

Understanding the Current Threat Landscape in Healthcare

The healthcare sector is under relentless attack. Cybercriminals, often operating from sophisticated networks in Eastern Europe and beyond, see healthcare organizations as high-value targets due to the wealth of sensitive data they hold and the critical nature of their operations. Over the past 15 years, the frequency and complexity of ransomware attacks, vendor breaches, and insider threats have escalated dramatically.

According to Lynn Sessions, the rise in double extortion ransomware attacks is particularly alarming. In these incidents, threat actors not only encrypt healthcare systems but also exfiltrate patient data, leveraging its exposure as additional pressure to extract ransom payments. The financial transparency of nonprofit healthcare providers, often detailed in public records, further enables attackers to tailor their demands.

Key Risks in Focus

1. Ransomware and Extortion: Cybercriminals encrypt systems and exfiltrate data, creating dual leverage for ransom payments.
2. Vendor Breaches: Third-party vendors with access to sensitive data are increasingly targeted, with some breaches affecting millions of patients.
3. Revenue Cycle Vulnerabilities: Threat actors exploit weak points in billing systems, sometimes diverting payments worth millions.
4. Insider Threats: Employees with legitimate access to systems and data sometimes exceed their authorized roles, either intentionally or unintentionally, causing significant harm.

Approaching Ransomware Incidents: To Pay or Not to Pay?

A critical decision healthcare leaders face during ransomware incidents is whether to pay the ransom. Sessions emphasizes that this decision is highly context-specific and requires a nuanced calculus involving operational impacts, data compromise, and regulatory obligations.

Considerations for Decision-Making:

• Operational Impact: Can the organization recover without paying? If systems need to be rebuilt from scratch, recovery timelines and patient care may be severely affected.
• Data Sensitivity: If patient health information (PHI) or personally identifiable information (PII) has been stolen, paying the ransom does not absolve regulatory notification requirements.
• Regulatory and Legal Constraints: Organizations must confirm that paying a ransom does not violate sanctions or other legal requirements, such as those outlined by the Office of Foreign Assets Control (OFAC).
• Reputational Risks: Transparent communication with stakeholders, including patients and the media, can mitigate reputational damage even in the wake of a breach.

Sessions advises healthcare leaders to balance ethical considerations with practical realities, emphasizing that the final decision must align with the organization’s recovery capabilities and long-term interests.

Prevention Strategies: Building Resilience Against Cyber Threats

While incident response is critical, prevention remains the most effective strategy for mitigating cybersecurity risks in healthcare. Sessions highlights several foundational steps that healthcare organizations should take to bolster their defenses.

1. Conduct Comprehensive Risk Assessments

Healthcare organizations need to continuously evaluate their vulnerabilities by performing security risk analyses. This process involves identifying where PHI is stored, transmitted, or accessed and implementing appropriate safeguards.

2. Strengthen Vendor Management

Vendors often represent a significant weak link in healthcare cybersecurity. Organizations should:

• Require comprehensive security questionnaires for vendors.
• Enforce contractual obligations for cybersecurity measures, such as multi-factor authentication.
• Periodically review vendor compliance and consider auditing high-risk vendors.

3. Reduce Data Footprint

Data minimization is crucial. Many healthcare organizations retain decades-old data in disparate systems, which creates unnecessary vulnerabilities. Implementing effective data retention and destruction policies can reduce exposure.

4. Invest in Employee Training

Human error remains a leading cause of breaches. Regular training helps employees identify phishing schemes and other social engineering tactics. Simulated phishing exercises, coupled with real-time feedback, can reinforce awareness and improve response rates.

5. Deploy Advanced Security Tools

Modern tools such as endpoint monitoring, intrusion detection systems, and anomaly detection can help organizations identify and respond to threats more effectively. Additionally, AI-powered tools are becoming indispensable for detecting sophisticated phishing attempts and other attacks.

Addressing Insider Threats: Balancing Security and Trust

A concerning trend highlighted by Sessions is the rise in insider threats, where employees misuse their access to sensitive information. Addressing this issue requires a careful balance between monitoring employees and respecting their privacy.

Mitigation Measures:

• Policy Enforcement: Clearly communicate to employees that company devices and systems are subject to monitoring.
• Anomalous Behavior Detection: Use security tools to flag unusual login behaviors, such as accessing data from multiple IP addresses within a short time frame.
• Targeted Training: Focus on high-risk groups, such as revenue cycle employees, who are often targeted by threat actors.
• Regular Audits: Periodic reviews of employee activities can uncover unauthorized access or misuse of data.

Lessons from the Change Healthcare Incident

The Change Healthcare breach, which affected an estimated 190 million Americans, serves as a stark reminder of the cascading impacts of a major cybersecurity incident. Unauthorized access through an endpoint lacking multi-factor authentication led to system encryption and data theft, forcing the organization to rebuild its systems from scratch. Despite paying a ransom, the data was briefly exposed online, showing the inherent risks of negotiating with cybercriminals.

Key Takeaways from Change Healthcare:

• Endpoint Security: Ensure all endpoints, including legacy systems, are secured with modern tools like multi-factor authentication.
• Proactive Communication: Transparency with affected parties and regulators can preserve trust during a crisis.
• Comprehensive Planning: Organizations that conduct extensive planning and practice incident response are better equipped to handle breaches.

Final Thoughts: The Need for Diligence and Continuous Improvement

Healthcare organizations operate in a high-stakes environment where patient safety and privacy must be balanced against operational challenges and resource limitations. As Sessions aptly states, "Healthcare is under attack", and there is no room for complacency. Whether through ransomware mitigation, vendor management, or insider threat prevention, healthcare leaders must prioritize cybersecurity as a core component of their organizational strategy.

Key Takeaways

• Double Extortion Ransomware: Cybercriminals encrypt systems and steal data, forcing organizations to weigh ransom payment against operational recovery.
• Vendor Management: Assess and monitor third-party vendors through security questionnaires and regular compliance checks.
• Data Minimization: Implement retention and destruction policies to reduce exposure from legacy data.
• Employee Training: Use simulated phishing exercises to build awareness and identify weak links.
• Incident Response: Prepare for breaches with robust response plans, including communication strategies for stakeholders.
• Advanced Security Tools: Leverage AI-powered tools and anomaly detection to identify threats early.
• Insider Threats: Monitor employee behavior while maintaining trust through transparent policies.
• Learn from the Past: High-profile breaches like Change Healthcare highlight the importance of endpoint security, proactive communication, and thorough planning.

By adopting these strategies, healthcare organizations can enhance their resilience, safeguard patient data, and maintain trust in an increasingly hostile cybersecurity landscape.

Source: "Managing Healthcare Cybersecurity Risks and Incidents - On Tech Ethics" - CITI Program, YouTube, Aug 14, 2025 - https://www.youtube.com/watch?v=jeIeS7yhm_k

Use: Embedded for reference. Brief quotes used for commentary/review.

Related Blog Posts

• Healthcare Vendor Breach Response: Best Practices
• How to Build a Data Breach Incident Response Plan
• Ultimate Guide to Cyber Resilience in Healthcare
• 5 Challenges in Healthcare Cyber Risk Management