14 July 2025

Cybersecurity In Healthcare: Defining Private And Public Sector Responsibilities

Manatt, Phelps & Phillips LLP

Executive Summary

Hackers target hospitals and providers, academic medical centers and researchers, insurers, pharmaceutical and medical device manufacturers, community health organizations, and many other organizations across the healthcare ecosystem. Sophisticated cyberattacks endanger patients, disrupt integrated networks, and inflict steep financial costs. In addition to proactively defending against these pervasive threats, healthcare organizations face a labyrinth of complex, overlapping, and burdensome cybersecurity requirements and breach reporting duties.

The Healthcare Leadership Council (HLC)1 and the Confidentiality Coalition (the Coalition)2 propose a collaborative approach between the private and public sectors to define and share cybersecurity responsibilities, create mutual accountability to protect patient safety, and support the healthcare systems on which our country relies.

The Current Challenge

Healthcare organizations face persistent and complex cyberattacks – ranging from ransomware and zero-day exploits to email phishing campaigns and insider threats. In fact, 92% of healthcare organizations reported that they experienced a cyberattack last year.3

The Threat Landscape

These threats spring from a variety of sources, including sophisticated state-sponsored actors, organized international criminal rings, and malicious "insiders."

  • Patient Health. Most significantly, cyberattacks threaten patients by disrupting clinical care, delaying treatments and surgical procedures, and jeopardizing patient safety.
  • Systemwide Operations. With technology innovation and adoption, organizations have become entwined. A cyberattack on one provider can impact payers, affiliated practice groups, and patients, and the downtime can last for months.
  • Operational Costs. Finally, cyberattacks have a disproportionate financial impact on healthcare operations, with the average cost of a healthcare data breach topping that of any other sector for the 14th year in a row.4

The Regulatory Landscape

The U.S. healthcare industry also faces a maze of federal, industry, and state cybersecurity requirements, guidelines, and reporting duties.

  • Cybersecurity Regulations and Guidelines. A litany of laws, regulations, and guidelines that apply to healthcare entities is enforced and updated by the U.S. Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), and the Office of the National Coordinator (ONC).
  • Industry Frameworks. Many healthcare organizations also must implement general industry frameworks like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0, or more specific rules like the Payment Card Industry Data Security Standard (PCI DSS) for credit card transactions.
  • Federal Breach Reporting Requirements. In addition, healthcare organizations face a dense array of breach reporting laws. Depending on their type of activity, healthcare organizations may be subject to additional federal rules with different timelines and standards that trigger reporting to the U.S. Department of Education, federal bank or financial regulators, the FTC, the Securities and Exchange Commission (SEC), and the Cybersecurity & Infrastructure Security Agency (CISA).
  • State Breach Notification Laws. Separately, all 50 states and all U.S. territories impose their own breach notification requirements. Some apply specifically to healthcare or insurance companies, while others apply generally to all businesses operating within a jurisdiction.

Proposed Framework

Based on the challenges posed by the current threat and regulatory landscapes, HLC and the Coalition propose the Cybersecurity Framework set forth below. The framework emphasizes a collaborative approach to the current crisis and highlights private and public actions needed before, during, and after a data breach.

Healthcare Leadership Council & Confidentiality Coalition Cybersecurity Framework

PREVENTION: Hygiene and Resilience

Private Sector Commitments

  • Maintain an Information Security Program based on an Established Industry Framework
  • Conduct Regular Risk Assessments based on an Established Industry Framework
  • Implement an Incident Response Plan based on an Established Industry Framework

Public Sector Recommendations

  • Promote Law Enforcement and Information-Sharing as International Priorities
  • Bolster Public-Private Collaboration over Cybersecurity Prevention Measures
  • Enhance Public-Private Information-Sharing

RESPONSE: Restoring and Reporting

Private Sector Commitments

  • Investigate and Report Breaches in a Timely Manner
  • Promptly Restore Critical and Essential Systems

Public Sector Recommendations

  • Harmonize Breach Reporting Requirements
  • Improve Real-Time Information-Sharing

RECOVERY: Rebuilding and Learning

Private Sector Commitments

  • Update Stakeholders
  • Reconnect Efficiently with Trusted Partners
  • Embed Lessons Learned in Security Planning

Public Sector Recommendations

  • Streamline Recovery Approvals
  • Mitigate Liability and Reward Responsible Action
  • Fund and Incentivize Cybersecurity Improvements

Introduction

The Importance of Cybersecurity in Healthcare

Cybersecurity breaches constantly disrupt the U.S. healthcare system, afflicting patients and providers, academic medical centers and researchers, insurers, pharmaceutical and medical device manufacturers, community health organizations, and many others. These disruptions impose staggering financial costs on healthcare organizations as they move to respond quickly to attacks, notify victims and regulators, rebuild systems, update business partners, restore connectivity, and bolster already advanced defenses. More importantly, cybersecurity breaches impose a real human cost — disrupting critical supply chains, undermining healthcare delivery, and endangering patients.

Our Position

HLC and the Coalition believe cybersecurity in healthcare is a critical patient safety issue, requiring shared responsibility and collaboration between the private sector and governments to protect patient data and continuity of care. We advocate for a risk-based approach to information security, aligned with nationally and internationally recognized standards, to ensure optimal health outcomes.

Collaboration between the private sector and government is essential to strengthening cybersecurity in healthcare. Policies should prioritize information-sharing among international, governmental, and private industry stakeholders and harmonize reporting related to breach incidents.

While the private sector must innovate and implement strong security measures, the government should recognize existing industry standards and provide incentives and assistance to strengthen our collective cyber defenses. Together, we must work to combat growing cyberattacks that pose a threat not only to healthcare organizations but to individual patient health.

The Current Challenge

The Threat Landscape

Healthcare systems are increasingly targeted by a variety of malicious cyberattacks that pose significant risks to patient care and healthcare security. Ransomware attacks, which encrypt or steal critical data and demand a ransom for its return, have been particularly devastating, often leading to the disruption of hospital and other essential healthcare services. Zero-day exploits, which take advantage of previously unknown vulnerabilities, allow attackers to infiltrate systems undetected and cause extensive damage before any patches can be applied. Business email compromises (BEC) and other phishing attacks deceive employees into revealing sensitive information or transferring funds, exploiting human error as a weak link in cybersecurity defenses. Insider threats, where individuals within the organization misuse their access to compromise data or systems, add another layer of complexity to the cybersecurity landscape.

The volume and sophistication of these cyberattacks on healthcare systems have grown at an alarming rate. In 2024, Check Point Research reported a 30% year-over-year increase in cyberattacks globally,5 and a separate Proofpoint study found that 92% of healthcare organizations reported that they experienced a cyberattack last year.6 Overall, the global cost of cybercrime is projected to reach $23 trillion by 2027, a 175% increase from 2022.7

Technology – both old and new – can add to the risk faced by healthcare organizations. Many hospitals operate legacy devices that cannot be easily patched or protected, increasing the risk to the hospital and other devices on the same network. Meanwhile, the integration of artificial intelligence (AI) by malicious actors has further threatened healthcare systems, enabling more sophisticated phishing and malware attacks. State-sponsored threat actors are also targeting healthcare systems, exploiting geopolitical tensions, and disrupting critical infrastructure.

Collectively, these threats compromise patient safety, disrupt healthcare delivery, undermine intellectual property, impede innovation, and inflict significant financial costs on healthcare organizations that could be better spent improving health.

The Impact of Data Breaches on Patient Health

Cyber disruptions often have their greatest impact on healthcare delivery and patient services. Ambulances may need to be diverted from emergency rooms. Life-saving medical devices may go dark. Research may be corrupted or interrupted. Electronic health records may become inaccessible. Doctors and nurses may need to resort to paper forms and charts. Insurance claims or payments may be delayed. Providers and their staff may go unpaid, and pharmacy prescriptions may be delayed.

U.S. researchers found that hospital volumes decreased by 17% to 26% during the first week following a ransomware attack, and among patients already admitted to the hospital during an attack, in-hospital mortality increased by 35% to 41%.8 A separate 2021 study found that data breaches increased the rate and lowered the survivability of cardiac arrests, even among hospitals that were untargeted but "adjacent" to a healthcare organization suffering a ransomware attack.9

Finally, a well-documented 2024 attack on a British medical lab offered sobering proof of the potential clinical impact of a cyber incident. In the first 17 days after the lab incident, two London hospital systems had to postpone 2,194 outpatient appointments and 1,134 elective procedures, including 184 cancer treatments. Sixty-four organs had to be diverted to other hospitals for transplants.10

In short, attacks do not just impose technical or financial hardship; they can hinder access to vital healthcare services and pose real risks to patient safety.

The Impact of Data Breaches on Systemwide Operations

The impact of a data breach does not fall solely on the organization targeted by attackers. Lost connections to systems and data can have a ripple effect across the entire healthcare industry. This is especially true given the health industry's move toward software-as-a-service (SaaS), cloud computing and storage, cross-border research collaborations, and relationships with international partners and vendors. The complex web of healthcare connections expands the "attack surface" that criminals can target and increases the potential impact of any given incident.

For example, in many ransomware attacks, vital data may become encrypted or inaccessible within the targeted organization. At the same time, trusted connections between healthcare partners may be severed, either because the attacker has disabled servers or because the original victim of an attack has deliberately shut down its networks to contain the attack and prevent its spread to others.11 Therefore, a cyberattack executed on a healthcare provider may impact downstream service providers, healthcare payers contracted with the provider, affiliated practice groups, and patients. Similarly, when one provider must limit or discontinue new admissions or curtail services during a cyberattack, volumes frequently increase at other local facilities, placing additional strain on nearby providers and contributing to systemwide capacity issues. Overall, the downtime caused by cyberattacks can last for months while the impacted organization completes its investigation and restores its systems. Even in cases where the organization pays a ransom to the threat actors, it can take weeks to decrypt affected systems and resume full services.12

Because Change Healthcare processes approximately 15 billion healthcare transactions annually, the impact was widespread when it fell victim to a breach in 2024. HHS reported that the attack not only affected Change Healthcare, but it also "impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country."13 At the individual level, Change Healthcare reported that approximately 190 million people were affected.14

The Impact of Data Breaches on Operating Costs

Data breaches have a disproportionate financial impact on healthcare compared to other sectors. Since 2011, healthcare has incurred the highest data breach costs of any sector.

[Figure 1: Average cost of a data breach by sector (globally, in millions)]

According to the 2024 IBM/Ponemon annual global survey, last year's average cost of a data breach in the healthcare sector was $9.77 million. As shown in Figure 1, this cost was more than double the global, cross-industry average of $4.88 million.15

The industry with the next costliest average – the financial sector – averaged just $6.09 million per breach.16 The impact in this country may be even more stark, given that the study included information from around the world, and data breaches in the U.S. are estimated to be twice as costly compared to those in other industrialized nations like Canada, the U.K., Italy, France, and Japan.17

The financial cost of a data breach falls heavily on healthcare organizations, and these costs are borne both immediately and also over a lengthy recovery period. Immediately following an intrusion, organizations typically must organize an internal response team, execute downtime procedures where necessary, and retain experienced outside counsel, forensic experts, and crisis communicators. After days or weeks of intense investigation, healthcare organizations then face the daunting and expensive task of notifying regulators, affected individuals, and business partners. In addition to the cost of notification letters, breached organizations may need to purchase credit monitoring and identity theft protection services, establish call centers, respond to regulators, incur fines, and defend lengthy class-action litigation. Meanwhile, servers, databases, and individual workstations need to be remediated, rebuilt, and scanned for malicious software before being brought back online.

Recent U.S. breaches announced in 2024 demonstrate just how significant the financial impact can be on a single healthcare organization. For example, UnitedHealth Group announced that the cyberattack against its subsidiary Change Healthcare would cost the company an estimated $3.1 billion.18

Footnotes

1 The Healthcare Leadership Council is the exclusive forum for the nation's healthcare industry leaders to discuss major, sector-wide issues, generate innovative solutions to unleash private sector ingenuity, and advocate for policies to improve our nation's healthcare delivery system.

2 The Confidentiality Coalition is a broad alliance of organizations from across the healthcare industry committed to balancing the protection of confidential health information with the need for efficient, interoperable healthcare systems. With its diverse and expert membership, the Coalition is uniquely positioned to shape effective and pragmatic policies to safeguard the privacy of individuals' data and information while facilitating the essential flow of information for the timely and effective delivery of high-quality care and healthcare innovation. www.confidentialitycoalition.org

3 Nathan Eddy, 2025's Biggest Healthcare Cybersecurity Threats, HEALTHTECH MAGAZINE (Jan. 24, 2025) (quoting Proofpoint study), https://healthtechmagazine.net/article/2025/01/healthcare-cybersecurity-threats-2025-perfcon

4 IBM and Ponemon Institute, Cost of a Data Breach Report 2024 10, https://www.ibm.com/reports/data-breach

5 Checkpoint, Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 2024 Global Cyber Attacks (July 16, 2024), https://blog.checkpoint.com/research/check-pointresearch-reports-highest-increase-of-global-cyber-attacks-seen-in-last-two-years-a-30-increase-in-q2-2024-globalcyber-attacks/

6 Eddy, supra, note 3.

7 Sentinel One, Key Cybersecurity Statistics for 2025 (Sept. 12, 2024), https://www.sentinelone.com/cybersecurity101/cybersecurity/cyber-security-statistics/

8 Claire McGlave, Hanna Neprash & Sayeh Nikpay, Hacked to Pieces? The Effects of Ransomware Attacks on Hospitals and Patients, SSRN (Oct. 2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4579292

9 Thaidan Pham et al., Ransomware Cyberattack Associated with Cardiac Arrest Incidence and Outcomes at Untargeted, Adjacent Hospitals, CRITICAL CARE EXPLORATIONS 6(4):p e1079 (April 2024), https://journals.lww.com/ccejournal/fulltext/2024/04000/ransomware_cyberattack_associated_with_cardiac.15.aspx

10 NHS England, Update on cyber incident: clinical impact in South East London (June 20, 2024), https://www.england.nhs.uk/london/2024/06/20/update-on-cyber-incident-clinical-impact-in-south-east-londonthursday-20-june/

11 Genevieve Kanter, James Rekowski & Joseph Kannarkat, Lessons from the Change Healthcare Ransomware Attack, JAMA HEALTH FORUM. 2024;5(9), https://jamanetwork.com/journals/jama-health-forum/fullarticle/2823757

12 Id.

13 HHS Sec'y Xavier Becerra, Letter to Health Care Leaders on Cyberattack on Change Healthcare (Mar. 10, 2024), https://www.hhs.gov/about/news/2024/03/10/letter-to-health-care-leaders-on-cyberattack-on-change-healthcare.html (archived).

14 Emily Olsen, UnitedHealth hikes number of Change cyberattack breach victims to 190M, CYBERSECURITY DIVE (Jan. 27, 2025), https://www.cybersecuritydive.com/news/change-healthcare-attack-affects-190-million/738369/

15 IBM and Ponemon Institute, supra, note 4 at 10.

16 Id.

17 The average cost of a data breach across all sectors in the U.S. was $9.36 million in 2024, versus Italy ($4.73M), Canada ($4.66M), the U.K. ($4.53M), Japan ($4.19M) and France ($4.17M). Id. at 9.

18 Emily Olsen, supra, note 14.

Originally published by Healthcare Leadership Council (HLC) and the Confidentiality Coalition