

Health care's emerging cybersecurity challenges
ARTICLE | April 15, 2025
Authored by RSM US LLP
Despite mitigation progress within the industry, cybersecurity threats remain a significant concern for health care organizations. While many have implemented tighter controls to counter threats and increase awareness among employees, threats persist, and a security breach could deal a devastating blow to an organization’s operations and cash flow.
AI’s dual impact
“The integration of artificial intelligence and machine learning in health care has a dual impact on cybersecurity,” according to Michael Haas, a health care senior analyst at RSM US LLP.
“On one hand, these technologies enhance security by providing checks and balances, identifying anomalies, and ensuring that patient messages and administrative tasks are properly vetted,” he says. “AI helps organizations move from merely performing tasks to adopting an auditor role, thereby improving oversight and security.”
On the other hand, he says, AI and machine learning can also introduce new vulnerabilities. Many organizations are unaware of the AI components within their systems, which can lead to unintentional exposure to cyberthreats. Haas stresses the importance of creating a robust AI governance structure to manage these technologies effectively.
Regulatory bodies such as the Office for Civil Rights, National Institute of Standards and Technology (NIST), Centers for Medicare and Medicaid Services, and U.S. Department of Justice are imposing stricter guidelines and frameworks to ensure health care organizations maintain robust cybersecurity measures. Haas cites the NIST 2.0 framework and the Trusted Exchange Framework and Common Agreement as examples of efforts to enhance cybersecurity and improve the nationwide exchange of electronic health information across different health care entities. While these frameworks are voluntary, their implementation is strongly encouraged to reduce cyber vulnerabilities and meet eligibility requirements for cyber insurance.
Collaborations with third-party vendors pose additional cybersecurity challenges, says Haas.
He highlights the importance of selecting vendors with appropriate accreditations, such as the Health Information Trust Alliance (HITRUST) certification, to ensure they meet stringent security standards. Liability shifts are also becoming more common, with organizations demanding higher levels of liability, credentials and accountability from vendors to cover potential data breaches.
Addressing risks
Health care organizations should consider several best practices to mitigate cyber risks:
- Governance and education: Establishing a governance structure and providing continuous education to employees about cybersecurity threats and best practices are crucial. These efforts include training employees to identify phishing emails, maintain secure passwords and utilize multifactor authentication.
- Data hygiene and management: Ensuring good data hygiene and management practices helps protect sensitive information. Organizations should regularly audit access to patient and financial data, ensuring that only authorized personnel have access to necessary information.
- Insurance policies: While insurance can provide a safety net, not all policies cover every type of cyber incident. Organizations may need multiple policies to cover various scenarios, which can be costly. Chief financial officers must weigh the benefits and costs of different insurance options to determine the best coverage for their organization.
- Proactive measures: Larger health care systems with more resources can adopt proactive measures, such as integrating advanced cybersecurity solutions and conducting regular security audits. Smaller organizations, however, may need to focus on basic practices, such as flagging suspicious emails and ensuring proper access controls.
Looking ahead, the focus will be on building patient trust and ensuring a secure patient experience. As health care organizations continue to adopt new technologies, they must balance innovation with security. Educating patients on how to securely access their information and ensuring secure data transfers among providers are essential steps in this process.
Though the rising costs of cybersecurity solutions may lead some organizations to delay adopting new technologies, a wait-and-see approach can be risky, as it may leave them vulnerable to cyberthreats.
The ongoing challenge for health care organizations will be to stay ahead of emerging threats while maintaining patient trust and ensuring the secure delivery of care and services for their communities.
Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/industries/health-care/2025-cybersecurity-mmbi-health-care-snapshot.html
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.
