AI ransomware attacks, proposed HIPAA changes spark concern for one security pro

Managing cybersecurity in healthcare is a complex proposition, to say the least.
Health system CISOs, CIOs and other information security leaders once only had to worry about ensuring robust network security and preventing lost laptops.
Now they have many new challenges to take on, and the threat landscape – and the regulatory landscape – grow more complex by the day.
Sophisticated AI-enabled ransomware attacks, proposed changes to the HIPAA Security Rule and the mitigation of third-party vendor risks are the particular concerns of one security expert.
Barry Mathis is Director of Consulting at PYA, a healthcare management consulting firm. He has nearly three decades of experience in the information technology and healthcare industries as a CIO, CTO, IT auditor and IT risk management consultant.
Healthcare IT News recently spoke with him to get his perspective on these and other concerns.
Q. With the rise of AI tools like FraudGPT and WormGPT, there is a shift where even non-technical criminals can launch highly effective ransomware and phishing attacks. How does this democratization of cybercrime change the threat landscape, particularly for healthcare organizations, and what can be done to stay ahead of these evolving threats?
A. As someone who has spent decades in healthcare IT leadership, I have seen the evolution of cyber threats first-hand. But the rise of AI-driven ransomware is different from anything we have had to face before.
Tools like FraudGPT and WormGPT shorten the on-ramp for cybercriminals, allowing even those with minimal technical skills to launch successful attacks. In healthcare, where patient safety and data integrity are essential, this is particularly dangerous.
Nearly 400 healthcare organizations in the United States were targeted by ransomware in 2024 alone, with attackers exploiting vulnerabilities in IoT devices and outdated infrastructure. The use of AI for automated vulnerability scanning means attackers can now identify and exploit weaknesses faster than ever.
Although I have seen a significant increase in hospitals and health systems investing in cyber protection, it still worries me how many healthcare organizations remain poorly equipped to manage modern cybersecurity threats. Despite long-standing awareness of these risks, I continue to encounter health systems without the infrastructure and internal safeguards to stop data breaches.
Alarmingly, many have no clear protocols to restrict unauthorized access. From my audit and assessment work, a familiar pattern emerges. Hospitals pour resources into digital health initiatives such as electronic records and mobile applications while neglecting essential security practices. Basic problems such as flawed assessment criteria, outdated software and inadequate recovery planning persist across the industry.
Artificial intelligence should not be viewed only as an advantage for hackers. It has powerful potential to strengthen defenses. Unfortunately, most health systems have not yet tapped into that capability.
In answering this question, one of my favorite current television commercials comes to mind. It features a bank security guard who simply informs customers that the bank is being robbed. Although they expect the security guard to do something about the robbery, he explains that his job is only to monitor.
Healthcare organizations must carefully examine their current security frameworks and evolve toward more advanced and adaptive protections. This includes deploying AI-driven tools to identify and respond to threats in real time, applying virtual patching solutions to protect older systems that cannot easily be updated, and conducting regular simulation exercises to test response.
As the nature of cyber threats continues to grow in complexity and speed, defensive strategies must move from reactive to proactive. Integrating intelligent, anticipatory security measures is no longer optional – it is essential for resilience.
Q. The proposed updates to the HIPAA Security Rule aim to strengthen protections for electronic protected health information. Beyond compliance, how do these changes reflect a broader shift in how healthcare organizations should approach cybersecurity risk management in an increasingly hostile digital environment?
A. The proposed updates to the HIPAA Security Rule have been long awaited and reflect a growing recognition that the healthcare sector is under attack. As a former CIO and IT compliance officer, I have always viewed HIPAA not only as a regulatory requirement but as a foundation for the trust of patients and communities.
These new changes aim to modernize the protections for electronic protected health information, particularly in light of the growing sophistication of cyber actors. But the real question is: will organizations treat this as a compliance checkbox or as a catalyst for real change?
The proposed updates emphasize risk-based security practices, incident preparedness and oversight of third-party relationships. These are areas where many healthcare organizations continue to struggle.
Over the past three decades, I have seen countless examples of outdated risk assessments and template policies that do not account for real threats. The HIPAA changes appear to encourage a shift toward continuous risk assessment and more flexible, responsive security strategies.
With cyber threats evolving rapidly, particularly with the rise of AI-driven attack methods, rigid, checklist-style approaches to compliance are no longer sufficient and are completely unacceptable, based on my personal interactions with Health and Human Services investigators.
No matter how the final rule is structured, the essential message is clear: digital protection must be treated as a core responsibility within health systems. This requires active involvement from leadership, cooperation across departments and a constant commitment to improving tools and skills. Meeting minimum standards is not enough.
Those who simply check boxes will fall behind and will likely become victims of cyberattacks as well as defendants in civil and federal investigations. The successful organizations will be those that view security as a driver of long-term stability and operational strength, not just a task for compliance teams.
Q. Even with solid cybersecurity controls, healthcare providers often face third-party vendor risks. As these vendors become more embedded in healthcare operations, what strategies should organizations adopt to ensure their extended digital ecosystem does not become their weakest link?
A. Third-party vendors often pose the most significant vulnerability in a healthcare organization's digital security defenses. Even a well-prepared hospital can be compromised by lapses in oversight during interactions with external vendors.
In my experience leading technology operations and conducting audits, I have consistently encountered cases where inadequate vendor safeguards, such as isolated systems or access that is never changed, create a clear path for unauthorized access.
For example, an entire hospital and more than 600 affected systems were out of service for more than a month, requiring a complete rebuild from scratch. The root cause of that vulnerability was a single unaccounted-for server being used as a support portal for a third-party vendor.
As health systems adopt more digital tools, cloud infrastructure for virtual care and remote monitoring, these exposure points multiply and require clearer oversight.
One of the persistent issues in healthcare security is the absence of a structured approach to managing the risks associated with external vendors.
While some organizations may perform an initial review before onboarding a vendor, consistent follow-up is often missing. As digital environments become more complex and connected devices and smart systems become commonplace, this lack of oversight becomes increasingly problematic.
From what I have seen, managing these risks effectively requires more than a one-time check. It requires an end-to-end process: a thorough assessment before engagement, clear security terms in contracts, active monitoring throughout the partnership and coordination when incidents occur.
Regardless of regulatory or other external influences, healthcare organizations must treat third-party vendors as extensions of their own infrastructure. This means including them in security awareness training, requiring evidence and artifacts of regular independent assessments or certifications, and using automated security rating systems that assess organizations' cybersecurity posture.
As vendors become more integral to care, their security becomes your security. Organizations that recognize this and act on it will be far better positioned to protect their patients and their reputation.
Follow Bill's coverage on LinkedIn: Bill Siwicki
Healthcare IT News is a HIMSS Media publication.