Health systems need to invest in top talent and utilize AI tools to protect their organizations.
Back in February 2024, Change Healthcare said the company suffered a catastrophic data breach, with information pertaining to over 100 million patients being stolen by hackers. Important files were encrypted and ransomed, crippling insurance payments for weeks.
Now, almost a year later, UnitedHealth Group, the parent company of Change Healthcare, reports that the leaked data actually affected 190 million people, making this the biggest cyberattack in the industry.
Is the scale of the damage surprising? Not one bit.
Healthcare is the industry most afflicted by cyberattacks, with around 90% of institutions reporting at least one security breach in the last few years. In fact, 2024 recorded the highest number of cyberattacks for the industry – an increase of 300% since 2015.
This trend could worsen this year, with high-profile AI-driven hacks showing no sign of abating. And it’s clear to me that the industry isn’t prepared for this onslaught.
The breakout of DeepSeek’s R1 model could potentially throw another spanner in the works, with the model’s open-source code making it yet easier for malicious actors to build top-grade cyber capabilities into their arsenals.
Healthcare cyber breaches are also more consequential than any others. Ransomware and phishing attacks can incur a huge toll on people’s lives. Not only do they block access to important information for medical practitioners, but also shut off access to critical technologies, such as electronic health records, delaying vital procedures.
Beyond the human cost, the financial costs to healthcare providers of these attacks have surpassed $9.77 million per breach, 67% higher than the global average, according to a report by IBM. And this cost is too often passed on to consumers, with 63% of organizations stating they would hike up prices after incurring a data breach.
The stark unpreparedness of the healthcare industry for a continued rise in cyberattacks combined with the huge value the industry’s personal data offers to attackers is a disastrous combination for society – and an ideal one for hackers.
But the outlook doesn’t have to be so bleak.
The first and most critical thing the healthcare industry must get right is its acquisition and retention of top-grade cybersecurity talent. This is no easy feat, as there is a serious lack of this caliber of talent in the cybersecurity space today. But the healthcare industry has deep pockets – and if it wants to move the dial on the issue, it will have to dig deep in them.
Bringing top cybersecurity talent into the C-suite should be an immediate priority for every healthcare CEO right now – and they should be scouring for experts with a proven track record in cyber defense, spanning the building of robust firewalls, intrusion detection systems, regulatory compliance, and the successful management of active, large-scale cyberthreats.
Healthcare providers must also ensure they’re facilitating a pipeline of new talent within their organizations. They should be actively scouting for young software engineering talent – and once they’ve been brought on board, providing them access to mentorship from their most seasoned experts in the cybersecurity discipline.
The second thing the industry must do is decentralize patients’ data wherever possible, giving the patients the opportunity to store their own sensitive health data on their own devices. This would dramatically reduce the data bullseye that’s currently being waved in the faces of cybercriminals.
People will be skeptical of this. It would be a significant shake-up to the way the sector operates. But the situation is critical, and drastic and innovative measures are the only way out. The technology already exists to do this, and if implemented successfully, it could prove to be the single most effective way to relieve pressure on the industry.
The final solution is to fight fire with fire and deploy the most advanced AI tools on the front line of the healthcare industry’s cyber defenses. Depending on software defenses from the 2010s is the equivalent of going swimming with weights on your feet – it won’t end well. The correct deployment of state-of-the-art AI defense systems can be a game changer for the speed of threat detection and automated responses, as well as predictive analysis.
AI tools also offer the opportunity to streamline operations, reducing the need for automatable roles and freeing up capital that can be allocated for attracting and retaining the highest quality front-line talent.
A word of caution, however: AI is not a panacea. Just as a plane is useless without its pilot, AI is ineffective – dangerous, even – if not placed in the hands of seasoned software engineers who understand its operational processes and shortcomings. Healthcare CEOs must strike the right balance for maximum efficacy.
These strategies require high levels of investment from the industry. But with providers already losing millions to cyberattacks even before they’re opened up to potentially larger litigation costs, the dilemma is simple: the industry can stand still with a target on its back – or it can begin the process of moving out of the way now.
Michael Marcotte is founder, chairman and CEO of artius.iD.