

Last year, the Change Healthcare mega-breach sent shockwaves through the industry because it was the largest data breach in U.S. history. There’ll undoubtedly be surprises like that in 2025 as well, so it’s important for healthcare organizations to assess the likeliest threats in order to chart a successful path forward.
Here are 10 cybersecurity threats and trends that merit special attention in 2025:
1. AI-driven threats – We’ve seen a rise in AI-generated threats, with advanced threat actors leveraging AI for more sophisticated attacks. AI is even embedded in malware and ransomware, allowing these threats to evolve dynamically. We’re also seeing AI voice cloning used in fraud campaigns targeting help desks and even doctors. It’s clear this trend is accelerating, and we anticipate AI-driven attacks will increase in 2025.
2. More stringent cybersecurity regulations – Both HHS and the Office for Civil Rights (OCR) have ramped up regulatory efforts, and we’ve seen significant legislative activity. The big question is how these initiatives will play out with the new administration, but we don’t expect major delays. Healthcare remains a prime target for cyber-criminals, and stronger regulatory measures are inevitable. Proposed changes to HIPAA and security rules are already in progress, so we’ll likely see even more action in 2025.
There’s also a lot of movement at the state level. Balancing federal and state regulations will be a major challenge this year. Historically, when states like New York, Massachusetts, and New Hampshire move, others follow quickly. We’re also seeing activity in Texas, Minnesota, and Massachusetts, so expect a wave of state-level regulatory shifts in 2025.
3. Telemedicine’s impact on cybersecurity – While remote care cases have declined post-COVID, new trends – like the rise of telehealth prescriptions – are shifting the landscape.
The explosion of telehealth for prescriptions, particularly for medications like Ozempic, has opened new attack surfaces. We’re also seeing more AI-driven interactions and generative models being integrated into remote care. Smaller entities are expanding telehealth access, broadening the attack surface significantly. Threat actors will follow, targeting these new entry points.
4. Interoperability of data exchange – Many think of healthcare IT in terms of EHRs, but hospitals run hundreds – if not thousands – of applications on top of those systems. That creates massive data sprawl and attack opportunities, especially as organizations add more connected devices.
As we integrate more bedside monitors, wearables, and home-based devices, security perimeters will shift. Many of these devices connect via unsecured home networks, introducing more risks. The entire security model needs to evolve.
5. Third-party incidents targeting supply chains – We saw a 45% increase in breaches reported to OCR that involved a third party in 2024. The Change Healthcare breach was a wake-up call. Many organizations didn’t even realize Change Healthcare was embedded in their services. That level of dependency on third parties makes this an ongoing issue.
6. Increased outsourcing of healthcare cybersecurity – Financial and talent shortages in healthcare are driving this trend. When hospitals are financially constrained, it’s hard to attract top-tier cybersecurity talent. We’re seeing more discussions about outsourcing key cybersecurity functions, and we expect that to accelerate in 2025. It’s not about outsourcing everything. Many organizations are adopting hybrid models where they retain strategic control but leverage partners for specialized services.
Historically, healthcare outsourcing has involved large, multi-service agreements, but we’re seeing a shift toward more targeted, expertise-driven outsourcing. CIOs and CTOs are focusing on best-of-breed partners rather than one-size-fits-all solutions.
7. Adoption of Zero-Trust Architectures – Another major focus for 2025 is Zero Trust Architecture (ZTA). Zero Trust is the ideal, but achieving full implementation in 2025 is unlikely. Instead, we foresee organizations focusing on foundational elements like network segmentation, multi-factor authentication, and enhanced identity management. These are necessary steps toward a Zero Trust framework, even if full adoption is years away.
8. Challenges ahead for prioritized security of Internet of Medical Things (IoMT) – Another big issue in 2025 is securing the Internet of Medical Things (IoMT). Regulatory efforts are starting to push device manufacturers toward greater accountability, but legacy devices remain a challenge. How can we secure them while maintaining patient care?
Medical device manufacturers are being held to higher security standards, but hospitals still rely on legacy equipment. Replacing it isn’t always feasible, so we need strategies like network segmentation and compensating controls to secure these older devices. We expect 2025 to bring a stronger focus on holding manufacturers accountable while also addressing real-world hospital constraints.
9. Increase in cybersecurity insurance premiums – Cybersecurity premiums will rise for many organizations because the financial impact of breaches is growing. While overall breach numbers dipped slightly in 2024, the scale and severity of attacks increased. Insurers are becoming more rigorous, adjusting risk profiles based on attack trends. Organizations that proactively manage cybersecurity may see some premium relief, but for most, rising risks will lead to higher costs.
10. Phishing threats still on the rise – While network servers remained the most common breach location, phishing remains a go-to tactic for threat actors, with email breaches rising by 18% last year.
About Russell Teague
Russell Teague is Chief Information Security Officer at Fortified Health Security in Brentwood, Tennessee, the MSSP partner of choice for healthcare systems in the U.S. and across the globe. Teague was a contributor to the White House National Cybersecurity Healthcare Strategy.