Cyber Security, The Journal of mHealth (https://thejournalofmhealth.com): The Essential Resource for HealthTech Innovation. Feed generated Wed, 26 Mar 2025 11:32:08 +0000.

Can Blockchain Restore Trust in Healthcare? A Look at Security, Scalability & Data Integrity
https://thejournalofmhealth.com/can-blockchain-restore-trust-in-healthcare-a-look-at-security-scalability-data-integrity/ (published Wed, 02 Apr 2025 06:00:25 +0000)
The NHS is no stranger to digital transformation, but with progress come challenges. Siloed patient data and fragmented IT systems make it difficult for healthcare providers to deliver efficient, personalised treatment plans. And while modernisation efforts aim to fix these issues, they also introduce new concerns—especially around data security and interoperability. So, how do we make sure digital health systems stay secure and efficient as healthcare networks grow? With these expanding concerns, healthcare leaders are searching for a better way to manage data securely and efficiently. Blockchain technology presents a compelling healthcare security solution.

It provides a secure, scalable way to manage patient records, streamline medical research, and enhance data security across the healthcare ecosystem. Crucially, blockchain enables a unified system where patient records can move seamlessly across providers, across continents, ensuring a continuity of care wherever the patient is located. By offering an immutable and interoperable ledger, blockchain enables healthcare stakeholders—from physicians to researchers and pharmaceutical companies—to trust the accuracy and security of their data while maintaining compliance with industry standards.

Protecting and Empowering Patient Health Data

Cyberattacks on healthcare systems are becoming more frequent, directly impacting patient safety and trust. Last year, the NHS faced multiple cyberattacks, including those affecting NHS Dumfries and Galloway and Synnovis, disrupting essential services. Many healthcare providers still rely on outdated, fragmented storage systems, making them more vulnerable to breaches. Blockchain technology offers a much-needed alternative, acting as a secure, time-stamped log of all interactions with sensitive data, making it easier to track changes and detect tampering. Companies like BSV Blockchain are already leading the charge in applying blockchain to healthcare, ensuring secure solutions that provide greater control and security over vaccination records and other verified health data.

At the same time, patients deserve greater control over their own medical data. Blockchain allows them to set access permissions for their records, ensuring only authorised providers can view specific information. By eliminating third-party data custodians, blockchain restores trust in patient privacy and enables seamless, secure data sharing across healthcare platforms.

Patients can even grant temporary access to their records when needed, keeping control over who sees their data. This feature enhances interoperability within healthcare systems while ensuring that personal information remains protected. Additionally, blockchain’s scalability enables hospital networks to manage vast amounts of medical records efficiently and cost-effectively.

Accelerating Medical Research

Medical research thrives on data, but too often, that data is scattered and inaccessible. Scientific literature, clinical trial data, and genetic research are typically siloed, making collaboration difficult and slowing the pace of innovation. Blockchain simplifies this by enabling real-time data aggregation and secure sharing, all while preserving patient privacy.

Blockchain simplifies research agreements—like those between hospitals and pharmaceutical companies for clinical trials—by securely recording and automating them. This reduces paperwork, speeds up approvals, and makes collaboration between institutions more seamless. Researchers can gain access to verified datasets without compromising data integrity or patient confidentiality. This means faster breakthroughs, smoother trials, and life-saving treatments getting to patients more quickly.

Managing the Medicine Supply Chain

Beyond securing patient records and advancing research, blockchain is also making a tangible impact in pharmaceutical safety and supply chain management. Counterfeit medicines pose a serious risk to patient safety. In fact, a study from The Pharmaceutical Journal found that around 15,500 falsified medicine packs were identified in the UK’s authorised medicines supply chain over just two years. Ensuring the authenticity and traceability of medical products is crucial for manufacturers, healthcare providers, and patients alike.

Blockchain enhances supply chain security by creating a permanent record of every transaction, from raw material sourcing to distribution. Each medicine can be assigned a unique, time-stamped identifier, allowing healthcare professionals to verify its authenticity before administration. This level of traceability helps manufacturers and distributors maintain accountability while keeping counterfeit drugs out of the market.

The Future of Healthcare Security with Blockchain

Blockchain technology is already making healthcare more secure, scalable, and interoperable. By ensuring real-time, trusted data access for providers, researchers, and patients, it has the potential to redefine digital healthcare infrastructure. As cyber threats and data privacy concerns grow, the need for robust, blockchain-based solutions is more urgent than ever.

For healthcare professionals and organisations looking to enhance security, streamline research, and improve patient experiences, blockchain offers a proven and scalable solution. Now is the time to explore its potential and lead the next wave of digital healthcare transformation.

By Calvin Ayre, Founder at Ayre Group

Why the HIPAA Auditing Process is Broken
https://thejournalofmhealth.com/why-the-hipaa-auditing-process-is-broken/ (published Fri, 28 Mar 2025 06:00:42 +0000)
The shift to digital systems in healthcare has opened new avenues for improving patient care – from AI-powered diagnostics to remote monitoring. At the same time, this digital evolution has expanded the attack surface exposed to cyber threats. As sensitive patient information flows through more platforms and devices, protecting that data has become an increasingly complex challenge.

However, federal oversight is failing to keep pace with the escalating risks. A recent report revealed that the Health and Human Services (HHS) Office for Civil Rights (OCR) examined just 8 of 180 HIPAA requirements during audits, leaving critical gaps that expose healthcare organizations to compliance failures and serious data breaches.

In this high-risk environment, hospitals and healthcare providers can’t afford to wait for stricter enforcement – they must take matters into their own hands to secure patient data before the next breach occurs. Because, as any cybersecurity professional will tell you, it’s not a question of if a breach will happen, but when.

Balancing patient care with cybersecurity

Healthcare organizations face a delicate challenge: maintaining fast, efficient patient care while upholding rigorous cybersecurity standards. In high-pressure environments, healthcare workers often sidestep security protocols – whether by sharing passwords, reusing weak ones, or bypassing encryption – to save time. These shortcuts, while expedient in the moment, introduce critical vulnerabilities that cybercriminals can exploit.

The consequences of neglecting cybersecurity extend beyond compliance violations. A breach can disrupt hospital operations, compromise patient safety, and erode trust in the healthcare system. From delayed treatments to the exposure of sensitive patient records, these incidents have far-reaching effects that demand proactive measures to protect critical data.

Successfully balancing patient care with cybersecurity requires organizations to design systems that align with the realities of healthcare workflows. For example, requiring frequent password changes or complex authentication processes without considering the urgent nature of patient care may lead staff to prioritize speed over security. To address this, organizations should focus on implementing user-friendly tools, such as single sign-on systems and biometric authentication, which streamline access without compromising data protection.

Emerging threats

The landscape of healthcare cybersecurity is evolving rapidly, with emerging threats adding new layers of complexity. Cybercriminals are increasingly leveraging sophisticated tactics, such as AI-driven phishing campaigns and ransomware-as-a-service (RaaS), to exploit vulnerabilities in healthcare systems.

AI-driven phishing campaigns are particularly concerning. These attacks use machine learning to craft highly personalized and convincing emails, making them harder to detect. For instance, attackers might reference a specific patient case or use internal jargon to trick staff into divulging sensitive information. The success of these campaigns underscores the need for advanced email filtering tools and continuous staff training to identify and report suspicious activity.

Ransomware-as-a-service has also lowered the barrier for entry for cybercriminals, allowing less technically skilled individuals to execute high-impact attacks. Healthcare organizations are prime targets due to the critical nature of their services, which makes them more likely to pay ransoms to restore operations. These attacks can paralyze hospital systems, delay treatments, and compromise patient safety.

Another growing concern is the Internet of Medical Things (IoMT). Devices like smart monitors, infusion pumps, and wearable health trackers are increasingly connected to healthcare networks. While these devices improve patient care, they also expand the attack surface, providing cybercriminals with more entry points. Many IoMT devices lack robust security features, making them vulnerable to exploitation.

Reducing risk

To address persistent cybersecurity challenges in healthcare, organizations must adopt a proactive approach that balances security and operational efficiency. Implementing role-based access controls is a crucial step. This measure ensures employees can only access the data necessary for their specific tasks, limiting exposure to sensitive information and reducing the risk of breaches.

Tailored security training is another essential strategy. Programs should address the unique demands of healthcare environments, teaching staff how to identify phishing attempts and handle patient data securely under real-world conditions.

Fostering a culture of vigilance is equally critical. When patient data is treated as a valuable asset, employees are more likely to scrutinize requests for access and take necessary precautions. Simple practices, such as verifying unusual requests or questioning unfamiliar access attempts, help prevent lapses that could otherwise compromise sensitive information.

Additional measures

Healthcare professionals can further reduce cybersecurity risks by adopting the principle of “trust, but verify.” If a staff member receives an unusual request – particularly one asking for access to sensitive data – following up to confirm its legitimacy can prevent costly mistakes. A quick phone call or double-check can thwart social engineering attacks, where cybercriminals impersonate trusted individuals to manipulate staff.

Leadership roles, often prime targets for cybercriminals, require additional security layers. Advanced email filtering, multi-factor authentication, and other protective measures can reduce risks for executives and senior staff, safeguarding both individuals and the organization as a whole.

Final thoughts

The digital transformation of healthcare offers immense benefits but also exposes patient data to significant cybersecurity risks. With limited federal oversight and persistent enforcement gaps, healthcare organizations must take the lead in safeguarding sensitive information. By implementing strong security measures, fostering a culture of vigilance, and embedding cybersecurity into daily operations, they can protect both their operations and patient trust.

By Eva Pittas of Thoropass

Is Health Care Interoperability a Cybersecurity Risk?
https://thejournalofmhealth.com/is-health-care-interoperability-a-cybersecurity-risk/ (published Mon, 24 Mar 2025 06:00:18 +0000)
Electronic health records (EHRs) are among the countless medical technologies that communicate with each other. The depth of this information enhances the knowledge of industry professionals and boosts care effectiveness. However, its spread is as much of a drawback as it is a benefit. IT professionals must find ways to balance interoperability with the risks that come with a high number of attack vectors.

What Is Health Care Interoperability and Its Importance?

Health care experts juggle countless technologies simultaneously, including imaging machines, at-home medical devices and patient information software. Interoperability describes their connection to each other. Big data, machines and programs must sync and share information without compromising security. It is essential for quick triage, treatment and recovery.

Without secure systems, a single ransomware attack could compromise the golden hour — the first 60 minutes after a traumatic event — for countless patients in an emergency.

The surface area is ever-increasing, with numerous opportunities for hackers to take advantage of a backdoor or vulnerability. Entry into a customer service program could lead cybercriminals into billing software or an artificial intelligence (AI) database. The lackluster defensive measures of a sensor-based vitals monitor could threaten a hospital’s network security.

The expansiveness is why many could consider the seamless connection between medical devices a threat to patients instead of a boon. Interoperability is essential because information flow from integrations has these impacts on medical systems:

  • Greater convenience
  • Stronger customer service
  • Better access to real-time patient records
  • Boosted accuracy
  • Improved safety
  • Easier collaboration

These security gaps must motivate more proactive responses from health care IT professionals to promote continuity of care and enhance the patient experience.

What Threats Arise Because of Interoperability and Why?

Threat actors compromised 51 million EHRs in 2022. Several global shifts caused the influx, with interoperability being part of the concern. The COVID-19 pandemic introduced a new era of health care with widespread telehealth and remote treatment options. These solutions required medical entities to normalize remote access and make systems as connected as possible. It also encouraged more people to have constant EHR access.

Data collection has also become easier and essential for competitive health care. This made information storage a priority, introducing a deeper need for cloud solutions. Not all providers operate with the same transparency or credentials. Hackers could take advantage of the most vulnerable with ease.

The combination of these factors, among others, created the perfect storm for these common cybersecurity threats in interoperable systems:

  • Social engineering: More people became potential insider threats to secure systems because of increased access.
  • Denial-of-service: Integrations give cybercriminals the choice of what systems they want to overwhelm to create disruptions.
  • Ransomware: Connectivity makes it simpler for hackers to spread malicious code and exfiltrate what they encrypt.
  • Phishing: The number of attack vectors gives threat actors more options on where to send campaigns, infecting multiple systems at a time.

How Can Health Care IT Professionals Reduce Risk?

IT staff must take action to make the most out of connected systems before hackers get inside.

Remove Silos

Just because technologies and programs are connected does not mean every department uses the same processes to store, transmit and use data.

Complications like cumbersome shadow IT, which is software and hardware that run outside of what’s sanctioned by the company, prevent interoperability from being as secure as it could be. Unauthorized assets can still communicate with the rest, but they might have security oversights, or the third-party provider could stop servicing them. Experts have to ensure procedures across teams use the same digital infrastructure and have the same hygiene habits.

Additionally, vendor lock-ins with legacy systems often force hospitals to use outdated software for their most critical devices, like CAT scanners. Companies can evaluate these partnerships and upgrade them as needed.

Balance Compliance With Proprietary Decision-Making

Health care must use the industry’s best practices from established agencies to receive preliminary guidance on how to manage interoperability. However, there are places where frameworks are insufficient. Medical facilities need to invest resources to comply with rules like HITRUST and ISO.

They should also assume responsibility for finding intermediary solutions for an organization’s current risks instead of awaiting legislative orders. Waiting for industry standards to catch up should not be an excuse for neglecting interoperability.

Limit Access and Data

Interoperability allows many endpoints to have a wealth of information from multiple sources. To keep this benefit available for health care professionals to leverage, IT teams must do two things — harness less data and make it harder to access.

Many authorization strategies can defend electronic resources connected to a network. Least-privilege measures make it so only those who need the information can get it. Zero-trust architecture protects interconnected devices at a big-picture level. It requires all users to request access, treating all entry attempts as a potential threat. Layering these methods with verification protocols like multifactor authentication and encryption will make them even stronger.

Data minimization is also an up-and-coming recommendation that is notably important in guidelines like the GDPR. It reminds all industries, including health care, that not all data is essential. Medical organizations must phase out collection of irrelevant metrics to reduce the amount of information hackers have on victims if they obtain entry.

They must also implement regular schedules to delete or store old data in secure environments outside of the interoperable ecosystem. Using blockchain alongside minimization is proven to enhance privacy while streamlining digital assets.

Reframing Health Care Interoperability as a Cybersecurity Asset

Threat actors see interoperability as a benefit to their operations, but the landscape can switch. The medical and IT industries can transform defensive strategies, making interoperability a protective technique instead of a gap. To do this, analysts must curate solutions based on the most prominent threats to interoperable medical technologies and use the connections between software and hardware to make cybersecurity stronger.

By Zac Amos, ReHack

Does HIPAA Need a Cybersecurity Update?
https://thejournalofmhealth.com/does-hipaa-need-a-cybersecurity-update/ (published Mon, 03 Mar 2025 06:00:58 +0000)
The Health Insurance Portability and Accountability Act (HIPAA) may have significant changes ahead of it. Despite being the medical industry’s primary data privacy regulation, the act has historically left much of its cybersecurity requirements up to interpretation. A recent notice of proposed rulemaking could change that, and it may impact the sector for the better.

Understanding the Proposed HIPAA Security Rule Update

The Department of Health and Human Services (HHS) proposed a HIPAA Security Rule update on December 27, 2024. This rule has remained unchanged since 2013, so the proposal aims to catch regulations up to a decade’s worth of shifts in cybercrime and health care data management.

As is to be expected of the first update in over 10 years, the document is lengthy, spanning nearly 125 pages. In general, though, the revised regulations add specificity to the Security Rule’s standards and definitions, clarify compliance requirements and hold covered entities to a higher cybersecurity standard.

Most notably, the update would require protections like encryption, multifactor authentication (MFA), network segmentation and antimalware software. Similarly, it mandates annual penetration testing, awareness training and compliance audits. Such measures are common in newer government regulations like the Cybersecurity Maturity Model Certification but haven’t been strictly mandatory under HIPAA.

Other new requirements include:

  • Regularly updated asset inventories and data maps
  • Formal incident response plans
  • Controls and notifications for ending a former employee’s access permissions
  • Notifications when an entity enacts its contingency plans
  • Considerations for third-party risks

Why HIPAA Needs Updated Cybersecurity Regulations

The extensive proposed update to the HIPAA Security Rule is an important shift. In many ways, the regulation is overdue for a change due to several key trends since its last revision.

Rising Cybercrime in Health Care

The most apparent reason why HIPAA needs a cybersecurity update is because cybercrime has skyrocketed. In the 10 years since regulators implemented the last Security Rule version, the health care sector has become a favorite target of cybercriminals.

In 2023, health care data breaches averaged $10.92 million in losses per incident, more than any other industry. Those costs do not tell the whole story, either. Hacking, ransomware and other security events can disrupt critical patient services, leaving people without access to the care they need.

Before this proposed update, HIPAA’s Security Rule did not reflect appropriate urgency relative to such attack trends. As cybercriminals’ techniques advance and target hospitals with rising frequency, tighter cybersecurity controls are essential.

Lack of Specificity in Current Rules

HIPAA also needs additional clarity within its Security Rule. The current revision leaves too much to interpretation to be a reliable standard in today’s cybersecurity environment.

As it stands today, HIPAA does not explicitly require encryption of protected health data. While it says covered entities must maintain “reasonable safeguards” to keep patient information confidential, it does not specify what such safeguards are. Many other parts of the Security Rule are similarly vague, which leaves too much room for improper protections.

While a court would likely find failing to implement encryption as a breach of the Security Rule, the regulation should be more specific upfront. The explicit standards in the proposed update would clarify expectations before covered entities experience a breach. The requirements could then protect patient data before an event, not only in post-breach litigation.

Outdated Regulations

Similarly, the existing version of the HIPAA Security Rule needs modernization. Cybercrime methods and technologies have advanced considerably over the past decade. As such, regulations need to address the threats and appropriate protections that are now prominent.

The proposed mandates for MFA, network segmentation and penetration testing are prime examples. All are standard defenses today — just 17% of security leaders in 2024 said they never pen test — but HIPAA does not yet require any of them. Consequently, medical organizations could technically be HIPAA-compliant but fall far below acceptable modern cybersecurity standards.

Requiring covered entities to implement newer defense strategies will help keep the industry up with changing cybersecurity trends. Cybercrime shifts quickly, so relevant regulations should likewise be adaptable.

Remaining Challenges to the Updated Rule

As important as an updated HIPAA Security Rule is, the proposal faces a few challenges. The medical sector and its regulators must consider these obstacles as they seek to modernize cybersecurity standards.

Implementation Costs

One significant barrier to the proposed update is how much it would cost to implement. Because the new rules cover much more and are far more specific, complying with them likely means investing in many technologies covered entities have not yet adopted. Such a transition could be prohibitively expensive in some cases.

Small and medium-sized enterprises would find it the hardest to comply. However, they may also need the additional protections the most, as attacks against them have risen by 150% in recent years. This situation leaves regulators in a difficult position of balancing appropriate security measures with making such protection accessible.

Administrative Roadblocks

The proposed update may also encounter resistance from lawmakers before it can go into effect. President Trump has already temporarily halted all rulemaking processes and has expressed interest in rolling back many of the government’s stricter regulations. It’s unclear if such a change would come to HIPAA, but the possibility may call the future of the proposal into question.

Executive administration aside, the update will likely go through at least one round of revisions before taking effect. Covered entities should not act before regulators establish a final rule, so attention to the ongoing revision process is necessary.

It’s Time for HIPAA to Evolve

While several roadblocks remain, the HIPAA Security Rule needs updating. The proposed changes — or a shift like them — are a necessary step forward to ensure regulations reflect the current threat environment.

Regardless of what happens on a regulatory level, health care businesses should consider how their security posture may need to evolve. Cybercrime is growing and transforming, so cybersecurity must do the same.

By Zac Amos, ReHack

Addressing Data Protection and Security Effectively Within Healthcare
https://thejournalofmhealth.com/addressing-data-protection-and-security-effectively-within-healthcare/ (published Thu, 06 Feb 2025 06:00:18 +0000)
The healthcare industry is one of the most critically important sectors of society, deeply intertwined with individual and public well-being. It serves as a cornerstone of support during vulnerable moments, offering care and hope. However, when data breaches occur, the focus often shifts to organisational penalties, reputational damage or operational disruptions, overshadowing the profound consequences for individuals. Nowhere is this more significant than in healthcare, where the exposure of confidential patient information can lead to devastating emotional impacts. Patients may feel a profound sense of betrayal, fear, and loss of control over their most intimate details, undermining trust in the very systems meant to protect and care for them. As a result, addressing data protection and security effectively within healthcare has become a critical challenge.

State of UK Healthcare at Present

The UK healthcare sector has experienced its fair share of high-profile cyberattacks involving data breaches, leading to significant operational disruptions and compromising patient care. The most notable was the WannaCry ransomware attack in May 2017, which affected over 60 NHS trusts. The incident led to the cancellation of appointments and surgeries, and the malware infected more than 200,000 computer systems across 150 countries while encrypting sensitive data. More recently, in June 2024, healthcare provider Synnovis was hit by a ransomware attack that forced several London hospitals to cancel services and surgeries, with the hacking group publishing the personal data of patients – including NHS numbers, names and test codes. This is just the tip of the iceberg and demonstrates the real-life impact on hospitals, their ability to deliver patient care and the victims who have their confidential patient information leaked – which could cause emotional distress and lead to fraud.

A key focus for many threat actors who target the healthcare industry is to extract the confidential patient information held within these institutions. This includes medical histories, diagnoses, treatment plans, and genetic information – all of which can be sold on the dark web or held for ransom for millions. In fact, according to Verizon’s 2024 Data Breach Investigations Report, the healthcare industry is one of the most targeted industries for cyberattacks and data breaches, with 98% of cybercriminals’ motives being financially driven. Unauthorised access or misuse of this data can severely impact patients and lead to personal embarrassment, discrimination, fraud or even psychological harm.

Data Protection Requires Compliance

The UK has robust data protection laws and frameworks that are designed to protect sensitive health information and ensure its ethical and lawful use. These include the UK GDPR and the Data Protection Act, which define health data as special category data that requires additional safeguards for its processing and security. NIS2 also aligns with these laws, as it mandates clear requirements for organisations to adopt robust risk management measures to help protect patient data from breaches, unauthorised access and other cyber threats.

Addressing these data protection requirements goes beyond ensuring regulatory compliance – it is key to building patient trust, driving sustainable improvements in care delivery, and fostering continued innovation in medical technology and healthcare services. A clear example of such innovation is the use of AI within the healthcare industry which is driving advancements in diagnosis, treatment, and efficiency. It is enabling earlier and more accurate detection of diseases through predictive analysis and medical imaging which is having positive patient outcomes.

In general, this presents a complex set of data protection challenges for healthcare providers to navigate. These challenges arise not only from the diverse nature of data processing activities, such as patient care, research, and administrative functions but also from the intricate relationships with partner organisations, suppliers, and third-party service providers. With AI, issues around transparency, establishing an appropriate lawful basis, and sharing of such data with third parties or various other health services come into question.

Moreover, non-compliance with these regulations and frameworks can result in severe consequences for healthcare institutions, including substantial financial penalties, legal action, and reputational damage. The harshest fines can reach up to £17.5 million or 4% of annual turnover for GDPR breaches, yet the maximum fine in the UK healthcare sector to date has been €90,334, issued by the ICO to The Tavistock & Portman NHS Foundation Trust. Should an organisation be found non-compliant with the NIS2 framework, it may incur maximum penalties of €7,000,000 or 1.4% of annual global revenue, whichever is the greater amount, if the institution is classified as an ‘important entity’. For ‘essential entities’, the fine could reach up to either €10,000,000 or 2% of global yearly revenue, again whichever is the greater amount. The NHS specifically has its Code of Confidentiality, which guides NHS organisations on handling patient information, and the Digital Data Security and Protection Toolkit, which helps healthcare organisations review and improve their data security practices.

Operational disruptions, increased oversight and costly remediation measures can further impact service delivery and patient care. Failure to comply erodes trust among patients and partners, risks disqualification from contracts, and stifles innovation. Ultimately, robust data protection and cybersecurity are essential to maintaining patient safety, trust, and institutional resilience.

Outsourcing a DPO is an Option

Responsibility for ensuring data protection compliance typically falls on the shoulders of the Data Protection Officer (DPO), but because there is a shortage of skills within the data protection industry, finding a DPO who has the relevant experience or qualifications is a challenge in itself. Often, security professionals within the company, like the CISO or Heads of Security, Legal or IT, may include DPO responsibilities within their job roles, but this would generally be considered a conflict of interest (and therefore non-compliant). This is because, even if a DPO is recruited in-house, they may struggle to maintain independence from other business functions. There may also be budgetary restrictions in place – an issue well documented within the healthcare sector – that make hiring a dedicated DPO difficult. As an alternative solution, it is recommended that organisations obtain DPO expertise through consultancy or DPO as a Service, which can be provided on a full-time or part-time basis, according to demand.

DPO as a Service is a structured approach to enhancing data protection and compliance. It uses assistance and expertise from certified data protection experts to help the organisation review and prioritise its data protection goals. These experts can also help the business stay compliant with the law by offering guidance and overseeing adherence, playing a crucial role in the success of the data protection programme. The outcome is a thorough, cost-efficient, and fully accountable service that ensures compliance with all relevant policies, procedures, and legal obligations.

With the real threat of suffering a cyberattack, having a DPO – whether in-house or outsourced – is essential for healthcare organisations due to the sensitive nature of the data they handle. The industry has several regulations and laws that require compliance and address the need to safeguard patient personal data and mitigate the impact of suffering a data breach. By having a dedicated expert focused on data protection, healthcare institutions can build trust with patients, avoid legal penalties, and ensure the integrity and confidentiality of patient information. Thankfully, there are options available to those who don’t already have a dedicated DPO in place.

By Chris Linnell, Associate Director – Data Privacy at Bridewell

The post Addressing Data Protection and Security Effectively Within Healthcare appeared first on .

Countering the Rise of Email Threats Against Healthcare
https://thejournalofmhealth.com/countering-the-rise-of-email-threats-against-healthcare/
Tue, 03 Dec 2024 06:00:00 +0000
https://thejournalofmhealth.com/?p=13709

The healthcare industry has always been an attractive target for cybercriminals – a treasure trove of sensitive information that can be exploited for financial gain. But recently, attacks on this sector have been mounting – especially attacks delivered through email. In fact, we have seen an alarming 37% increase in phishing targeting healthcare in the last 12 months alone. The sector is uniquely vulnerable to email attack tactics, and at the same time, criminal groups are adopting increasingly sophisticated techniques that enable them to evade traditional email defences.

Healthcare providers must urgently review and update their email security strategies to protect patients and personnel from the rising tide of malicious emails.

Why healthcare is a prime target

While phishing is a common threat to most sectors, healthcare has become a favourite target. The industry’s extensive store of medical records makes for a very lucrative prize – in fact, research indicates that a single record can fetch up to 20 times the price of credit card data on the dark web. Medical records are stuffed with personally identifiable information (PII) that can be used to fuel further malicious activity, and much of this data is permanent, giving it a long shelf life.

The sector is also highly vulnerable to ransom and blackmail tactics. Criminal gangs will routinely threaten to leak sensitive medical records online unless the target organisation pays up. Disrupting essential healthcare services can have disastrous consequences for patients’ wellbeing and cybercriminals know that desperate organisations will pay a hefty ransom to halt an active attack.

Healthcare providers are also seen as something of an easy target – one that often struggles to find the budget and resources to keep their IT and security systems up-to-date. Healthcare’s vast ecosystem of third-party vendors also presents significant vulnerabilities, expanding the number of entry points criminals can exploit.

The impact of attacks on the healthcare sector has been demonstrated in multiple recent incidents including the Synnovis breach, which caused the cancellation of thousands of appointments, and the massive data breach suffered by NHS Scotland.

Why high staff turnover is an overlooked weak link

Alongside technical issues, the sector is particularly vulnerable to social engineering tactics like phishing due to its high rate of employee turnover.

Frequent onboarding of new staff means that many are unfamiliar with internal security protocols and communication patterns, making it easier for cybercriminals to carry out impersonation attacks. This also means employees are less likely to know their colleagues personally, making it harder to spot the impersonation tactics widely used in phishing.

Compounding this, healthcare professionals operate in high-pressure, fast-paced environments. When workloads are heavy and time is scarce, staff are more likely to open and act on emails without scrutinising them carefully.

The rise of sophisticated Vendor Email Compromise (VEC)

Most healthcare providers operate within vast and complex supply chain webs, with large numbers of third-party vendors, contractors, and others requiring regular access to IT systems. This leaves the healthcare industry highly exposed to an increasingly popular tactic known as Vendor Email Compromise (VEC).

Unlike traditional phishing, where attackers impersonate internal employees, VEC targets trusted third-party vendors. We have seen VEC attacks on healthcare surge by 60% in the past year alone.

In these attacks, cybercriminals will often impersonate trusted contacts using email spoofing techniques to hide their identities. More advanced attackers will go as far as infiltrating vendor email accounts with account takeover tactics, and then send malicious emails directly from the legitimate email account. Their goal is to manipulate ongoing communications to deceive healthcare staff into sharing data and login credentials or transferring funds to the attackers’ accounts directly.

Moving beyond employee awareness training

Increasing cyber threat awareness through employee training has long been a favoured tactic for countering these attacks. However, while still important, it is no longer enough to protect healthcare organisations from today’s sophisticated cyber threats.

Modern phishing attacks often appear highly realistic, especially in today’s generative AI era, where threat actors can quickly and accurately craft sophisticated emails that closely mimic trusted contacts. These attacks can not only easily evade detection by employees – even the most security-aware employees – they can also bypass traditional email security tools. These tools are usually based on policies that look for known indicators of compromise, like malicious links or bad senders. By omitting these indicators and instead relying on social engineering, attackers are able to successfully compromise their targets without raising any red flags.

To counter these threats, healthcare organisations must adopt advanced security measures that extend beyond traditional awareness programs and email security technologies.

Solutions powered by machine learning and artificial intelligence have a major role to play against today’s modern phishing attacks. By learning and baselining “normal” email behaviour, these solutions can detect and block malicious anomalies before they reach an employee’s inbox. These systems continuously adapt to evolving threats, offering protection against even the most convincing impersonation attempts.

Layering technical solutions with ongoing training and phishing simulations provides the most effective defence. While it is valuable for personnel to be aware of common phishing tactics, they should not be expected to spot them reliably every single time.

The need for regulatory evolution

Regulatory bodies also have an important role to play in supporting healthcare providers as they manage the growing volume of cyberattacks. However, many compliance frameworks remain focused on legacy security issues, leaving healthcare providers vulnerable to new and fast-changing tactics like VEC and AI-assisted phishing.

Regulators need to ensure there are steps in place to frequently review the state of play in cyber threats to the sector, and update guidance and mandates accordingly.

Enforcing the implementation of specific processes like multifactor authentication and steering organisations towards stronger, behavioural-based email security will help to mitigate these threats. Prioritising vendor risk management and ensuring consistent cybersecurity protocols across the supply chain will also reduce the risk of VEC attacks.

A proactive future for healthcare email cybersecurity

It’s clear that cybercriminal gangs are only growing more aggressive and brutal in their attacks on healthcare, emboldened by the many successful raids we have seen over the last few years.

Implementing multi-layered defence strategies, including advanced AI-powered systems, will be key to countering VEC and other phishing threats. By combining technological solutions with tough regulatory frameworks and continuous staff training, healthcare providers can better protect their operations, sensitive data, and, most importantly, patient safety.

By Mike Britton, CIO at Abnormal Security

Safeguarding our Health - Why Data Protection is Key for Today’s Healthcare Organisations
https://thejournalofmhealth.com/safeguarding-our-health-why-data-protection-is-key-for-todays-healthcare-organisations/
Tue, 22 Oct 2024 06:00:00 +0000
https://thejournalofmhealth.com/?p=13566

In today’s digital landscape, every industry is a potential target for cybercriminals, but the healthcare sector is particularly vulnerable. This is unsurprising, given that many of the organisations that operate within this space handle vast amounts of sensitive patient data – including personal and medical records – day-in, day-out. If these records are stolen or tampered with, the consequences could be devastating, or even life-threatening. As a result, safeguarding health data has become critical.

Just last month, a cyberattack that impacted several London hospitals including King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust resulted in over 1,000 planned operations and 3,000 outpatient appointments being postponed. According to the founder of the UK’s National Cyber Security Centre (NCSC), this might not be an anomaly, thanks to the NHS’s outdated IT systems and lack of basic security practices.

Just like the infamous 2017 WannaCry attack, the incident serves as a reminder of the importance of data protection for healthcare organisations. With budget concerns and talent shortages rife throughout the sector, it’s easy to see why implementing robust cybersecurity strategies can slip down the priority list; however, in today’s digital landscape, it is a necessity.

A costly business

Research released last year revealed that three in four (76%) healthcare organisations around the world have experienced a successful ransomware attack and two thirds (65%) have experienced data loss from other types of attack. Almost half (43%) of those organisations consider data security their primary risk. This comes ahead of economic uncertainty (39%) and the adoption of emerging technologies like AI (32%).

A cyberattack has the potential to destroy any business. When it comes to the healthcare industry, especially the UK’s National Health Service (NHS) which services a large portion of the population, an attack feels more personal. Its impact is widespread and unavoidable. At a base level, cyberattacks can disrupt medical services and cripple hospital operations. This is because, when systems are down, essential patient information is inaccessible. This can delay medical procedures and compromise patient care. It can also increase the risk of medical errors and negatively impact treatment outcomes.

Beyond this, cyberattacks also frequently result in hefty financial costs. Sometimes this is in the form of immediate ransomware payments, however, any prolonged downtime and recovery following an attack could also have an impact. In the healthcare space, it can be even more tempting to pay off the attackers, due to the sensitivity of the information they manage to get hold of.

Another implication which isn’t always considered is the impact a cyberattack will have in terms of patient trust. A cyberattack in which malicious actors manage to access sensitive data can lead to a loss of confidence in an organisation’s data safeguarding abilities and can seriously damage its long-term reputation.

Safeguarding the health industry against the inevitable

In today’s digital age, the question is not if a healthcare organisation will face a cyberattack, but when. With that in mind, those in the health sector must be ready to mitigate the effects and recover quickly. Here are some ways in which health organisations can improve their safeguarding and protect data from attackers:

  • Implement a data backup and recovery plan designed to safeguard essential health data and ensure business continuity. Backup processes should capture all critical data and be executed at regular intervals. Coupled with a swift recovery process, data backup and recovery help minimise downtime and ensure business continuity when data is lost due to malicious activities.
  • Invest in cyber awareness training. Develop and implement an ongoing cyber awareness programme to educate the entire organisation on the latest cyber threats and the policies to avoid them. The programme should be continually updated to reflect emerging threats and remain a critical line of defense in identifying and thwarting potential cybercrimes.
  • Deploy advanced security technologies like firewalls, anti-malware tools, and intrusion detection systems that use AI and machine learning for predictive threat analysis and response.
  • Regularly stress test and break systems to identify where the weak points are. Often organisations – especially within the public sector – implement security strategies and then wait until an incident occurs to see whether their framework is effective. With the regularity of attacks in the current landscape, this cannot adequately anticipate the scale at which breaches are attempted.

The ability to deliver effective healthcare services relies on data. It is what enables nurses and doctors to diagnose their patients, it is what ensures that patients are not given medication that they are allergic to, and it is what helps us as a society to develop life-saving treatments and innovations. Unfortunately, attackers know this, and they are not above using it to their advantage.

Whilst facing cyberattacks is inevitable for healthcare organisations, losing data doesn’t have to be. Data protection strategies and cybersecurity tools can enhance defense mechanisms and improve the healthcare industry’s ability to respond promptly to emerging threats.

By Oliver Norman, Regional Vice President for UK & Ireland at Veritas Technologies

How Innovative Encryption Technologies could be the Key to Securing Healthcare Data
https://thejournalofmhealth.com/how-innovative-encryption-technologies-could-be-the-key-to-securing-healthcare-data/
Fri, 27 Sep 2024 06:00:00 +0000
https://thejournalofmhealth.com/?p=13502

Could Fully Homomorphic Encryption be the breakthrough solution the healthcare industry needs to protect sensitive data from escalating cyber threats? Andrei Stoian, ML Director at Zama, discusses…

There’s no question that the healthcare industry has become a prime target for cybercriminals, with organisations facing cyber threats that are escalating both in numbers and sophistication.

Thanks to the vast amount of sensitive patient data and the criticality of operations, it’s perhaps not surprising to learn that healthcare features in the top 3 most attacked industries in Q2 of 2024 at approximately 1,999 attacks per week. Not only is this figure 15% higher than last year, but there have also been several recent cyber attacks prominent enough to feature in the news.

Just this May in the UK, a ransomware group published over three terabytes of data stolen from NHS Dumfries and Galloway on the dark web. The type of data that had been stored about staff meant an increased risk of identity theft, with staff now advised to be on their guard.

Shortly following this case, another ransomware attack on the pathology services provider Synnovis caused significant disruptions in healthcare services, affecting major London hospitals. Since the attack began on June 3rd, a total of 1,696 elective procedures and 10,083 outpatient appointments have been delayed, affecting many patients who were scheduled for important medical care.

Cases such as these aren’t exclusive to the UK either. Last year the 23andMe cyber attack dominated headlines, with hackers gaining unauthorised access to the personal genetic information of nearly 7 million people, while the Change Healthcare data breach in February this year is estimated to have impacted approximately one-third of Americans and cost the parent company between $2.3 billion and $2.45 billion in 2024.

The incidents really highlight how serious the impact of a cyberattack can be, not only on patient care and staff security, but also on a company’s bottom line. The reputation of healthcare providers is also at risk. When patients believe their confidential information is not adequately protected, trust in the healthcare system simply erodes. And when patients may become hesitant to share sensitive information with their healthcare providers, the quality of care they receive could be compromised.

Thankfully, however, the cases I’ve mentioned are also driving healthcare organisations to become more vigilant about cybersecurity, with many looking at a range of strategies and technologies to protect sensitive patient data and ensure the continuity of care.

Advantages of adopting advanced encryption technologies

One of the technologies in question – alongside other cybersecurity tools such as multi-factor authentication (MFA) and intrusion detection/prevention systems (IDS/IPS) – is encryption.

The healthcare industry has been using traditional encryption methods – where you essentially lock up your data in a secure “box” (the encrypted form) using a key – for some time now. However, the problem with this comes when you need to do anything useful with the data, like performing calculations or searches, in which case you must first “unlock” or decrypt it using the key. Once decrypted, the data is vulnerable, and if someone gains access to it during this phase, privacy is compromised.

Fully Homomorphic Encryption (FHE), however, is emerging as an encryption technology capable of providing unprecedented protection for healthcare data. Unlike traditional encryption methods, FHE allows computations to be performed directly on encrypted data. This means that patients’ electronic health records, genetic data, medical images, lab results, and other sensitive patient data, can be processed without ever exposing the raw data to potential attackers. Two specific FHE-based solutions have been recently developed within the Zama Bounty Program exploring the application of Machine Learning to DNA testing, proving that it is possible to build genetic testing applications that are encrypted end-to-end.

As well as ensuring personal health information remains confidential throughout its lifecycle, from storage to analysis, there are several additional advantages to implementing encryption technologies like FHE in the healthcare sector, including:

  • Compliance with regulations: FHE facilitates compliance with stringent data protection regulations, such as GDPR in Europe or HIPAA (Health Insurance Portability and Accountability Act) in the US, by minimising the risk of data exposure. These regulations mandate the protection of patient information and encourage encryption as a safeguard against data breaches. In other words, FHE gives all institutions the superpower of full legal compliance by design by completely eliminating the risk of data breach.
  • Secure data sharing: With FHE, medical organisations can perform computations directly on encrypted data, allowing them to securely share or collaborate on research, diagnosis, and treatment planning without the risk of exposing sensitive patient information. Essentially, FHE acts as a secure intermediary: allowing multiple parties to work with sensitive data without compromising its privacy opens up new possibilities for deriving valuable insights from healthcare data, all while adhering to stringent legal requirements.
  • Fostering trust among healthcare providers and institutions: Streamlining the research and decision-making process, FHE fosters trust among healthcare providers and institutions, encouraging active participation in improving patient care.
  • Improving patient-provider relationships: Patients are more likely to actively engage in managing their health when they know their sensitive information is protected. The trust established through FHE ensures that patients feel comfortable sharing their health-related data with healthcare professionals, leading to improved communication and better healthcare outcomes.
  • Mitigation of insider threats: Since data remains encrypted even during processing, the risk posed by malicious insiders, as well as outsiders, is significantly reduced, as they cannot access or interpret the sensitive information either.

Challenges with implementing Fully Homomorphic Encryption in healthcare settings

Implementing FHE in healthcare settings seems like a no-brainer – and the healthcare industry is in fact currently exploring ways to integrate FHE into existing systems and workflows to maximise its benefits. But there are hurdles to overcome. The computational overhead historically associated with FHE, for example, has been shown to slow down data processing and analysis. Cryptography and computer science experts across academia and industry are currently working on developing faster and more practical FHE implementations by releasing cutting-edge software tools and hardware acceleration.

With these advancements, the end goal is to make FHE more accessible for real-world healthcare scenarios and to finally protect sensitive patient data once and for all.

 

About the author

Andrei Stoian, PhD, is head of the machine learning team at Zama. His main responsibility in this role is to oversee the development of Concrete ML, Zama’s privacy preserving machine learning toolkit based on fully homomorphic encryption. In the past, Andrei worked on machine learning tools and algorithms for video analytics and satellite image processing on embedded systems. Andrei has co-authored more than 20 papers about machine learning applications and holds several patents.

How the Healthcare Sector Can Digitise Securely in 2024
https://thejournalofmhealth.com/how-the-healthcare-sector-can-digitise-securely-in-2024/
Mon, 16 Sep 2024 06:00:00 +0000
https://thejournalofmhealth.com/?p=13459

As the UK’s healthcare sector looks to reduce ongoing backlogs and give patients more control over their data and how they receive care, we’re seeing higher levels of digitalisation across the industry, including an increase in the use of artificial intelligence (AI). In fact, SOTI’s latest research revealed that almost half of UK healthcare organisations are already using AI, with more considering incorporating it into patient care. But, with this innovation comes more applications and devices such as tablets and wearables, which aren’t being sufficiently managed and secured.

This increased complexity has made an already attractive cyber target even more alluring to threat actors, as they now have more entry points than ever before. With this in mind, there’s no surprise that the same SOTI study found almost three quarters of healthcare workers admitted to their organisation experiencing one or more data breaches since 2022.

We’ve seen this reflected in recent headlines, with the NHS declaring a critical incident earlier this year after it was hit with a huge ransomware attack. This was due to a breach on its partner Synnovis, which led to operations being cancelled and emergency patients having to be diverted elsewhere.

It’s clear that healthcare providers must switch up approaches to better monitor how data is being handled to minimise risk. But what is the current state of play and how can the sector get to the root of the problem? Let’s take a look.

Data Dilemma

Cybersecurity concerns are nothing new to the healthcare sector, as it has long been a prime target for hackers, but according to SOTI the concern is particularly high in 2024, with a third of healthcare professionals naming it as their primary worry, up from 17% in 2023.

This growing awareness from employees could be explained by the sector’s desire to digitalise, with staff now needing to rely on more and more apps and devices than ever before.

The data that fuels these devices, from supporting with diagnosis to collating medical details, means the industry is collecting, storing and processing higher volumes of sensitive information than in previous years. All of this is appealing to cybercriminals as it can be sold on the dark web or even held to ransom, so it’s essential that data is protected and that the location and status of devices can be tracked.

The Legacy Battle

While there is a marked increase in digitalisation, healthcare workers are still losing over three hours per week to IT issues, according to SOTI’s study. A common cause is the continued use of legacy systems. Concerningly, almost two thirds (65%) of UK health workers believe their organisations are relying on outdated tools.

Legacy and outdated systems can result from layering complex technologies over many years, and any upgrades are often held back by lack of budget. While a complete overhaul may not be feasible, integrating new technology into legacy and fragile infrastructures requires absolute confidence and accuracy, working with trusted partners, to maintain security and compliance and to guarantee no downtime through immediate, real-time optimisation.

When apps and devices are a crucial part of providing lifesaving care to so many patients, downtime is something that the industry simply cannot afford. While it was not caused by legacy technology, the recent global IT outage was a stark reminder of the impact that any downtime can have on healthcare, as it left many hospitals without the tools needed to provide essential treatments.

It’s also key that organisations can remotely support devices to ensure they are working properly while on the go, and are updated with the latest patches to stay secure, yet one in five UK healthcare providers don’t currently have the capability as a result of legacy tech. Healthcare organisations need to manage their transition away from legacy tech in order to be innovative and to get ahead of potential issues. This can reduce the amount of time staff are spending trying to tackle the problem themselves and free them up to focus on patient care.

Getting it Right

Ongoing technological advancements in the healthcare sector are critical to effectively managing increased use of services and a fast and enhanced patient experience. But it’s essential that providers take a step back and evaluate all risks to ensure that defending sensitive data is central to every decision.

Whether it’s accidental or intentional, data leaks and downtime can have a devastating impact on the essential work that healthcare providers do every day. Our work with Newland EMEA, a provider of mobile computers and handheld scanners to the healthcare sector, strengthens patient care by securing the data scanned and collected on every device. A senior Newland executive recently commented on how doctors and specialists can now fully concentrate on patient care due to the highest possible levels of safety and compliance now being ensured by SOTI.

While it’s key that the healthcare sector doesn’t stunt growth or shy away from the use of AI or other innovations, it’s important that new projects are viewed through a security lens and that legacy technologies aren’t forgotten. At the end of the day, the best security approaches will look to increase visibility across the entire tech stack, use effective management solutions and support response teams while keeping patient care at the core.

By Stefan Spendrup, VP, Northern and Western Europe at SOTI

The Cybersecurity Imperative: Protecting Healthcare Data in the Age of GenAI
https://thejournalofmhealth.com/the-cybersecurity-imperative-protecting-healthcare-data-in-the-age-of-genai/ Tue, 10 Sep 2024 06:00:00 +0000
Generative AI (GenAI) is transforming multiple areas of healthcare, including patient care, virtual health assistants, and internal decision-making processes. This shift is largely welcomed, with 54% of the UK public and 76% of NHS staff supporting the use of AI in patient care. An even higher number of public and NHS staff approved the usage of GenAI for administrative applications.

However, this enthusiasm comes with significant security challenges. Immersive Labs’ recent study found that GenAI is highly vulnerable to manipulation and exploitation, even from non-technical people. In fact, 88% of participants in the research were able to manipulate GenAI bots to release sensitive information.

If healthcare organisations want to implement GenAI, they must improve their understanding of the data these systems hold and of the tactics that could be used to manipulate AI bots, and then implement the right safeguards. Addressing these vulnerabilities is crucial to protecting sensitive patient data and maintaining trust in these emerging technologies.

Tricks and tactics to outsmart GenAI bots

As GenAI becomes more integrated into healthcare, it’s essential to understand the risks associated with its use. The biggest issue our study highlighted was that even those without a security background could easily manipulate GenAI chatbots into revealing sensitive information using straightforward but effective techniques, which significantly lowers the entry bar for cybercriminals. In healthcare, the risk is the potential exposure of patient data and other confidential information.

A technique such as role-playing is extremely effective when trying to manipulate GenAI bots into revealing sensitive information. By encouraging the bot to take on personas less concerned with confidentiality, manipulators can craft scenarios where sharing sensitive information appears justifiable.

For instance, consider a local GP with long appointment wait times and increasing patient complaints. The organisation might implement GenAI chatbots to reduce wait times and improve triage. The chatbot would ask patients about their symptoms and try to prioritise callbacks or appointments. Such chatbots would generally be trained on a vector database with transcripts of calls and online messages to base their responses on.

If this data set is not properly filtered for PII or other sensitive data before it is provided to the GenAI bot, attackers could exploit the inherent vulnerabilities of such systems to extract sensitive information.

An attacker could potentially ask the GenAI, “Has anyone reported symptoms of headache and loss of appetite?” If the chatbot replies, “Yes, on August 19th, Mrs. Jane Doe called with similar symptoms,” it has inadvertently disclosed private information.

This may seem like a relatively benign example, but it’s very plausible and the implications are far-reaching. Any data accessible to the GenAI system must be treated as “publicly accessible.”

Most developers will rely on prompt engineering to prevent this type of behaviour, providing explicit instructions not to reveal sensitive data, ignore specific instructions, or behave in specific ways. However, our research shows that no matter what instructions are provided, human ingenuity always wins in the end, and sensitive data can be revealed.

In addition to role-playing, manipulators often employ indirect tactics, such as dropping hints or asking leading questions, to coax the information out of the bot. They might pose as event organisers or authoritative figures, exploiting perceived obligations or authority to elicit responses. By constructing these scenarios, manipulators effectively lower the bot’s programmed defences, making it more likely to reveal sensitive details.

These manipulative tactics are often subtle initially, with adversaries maintaining a neutral tone to avoid raising suspicion. However, if the bot resists, manipulators may escalate their approach, employing emotional appeals ranging from friendly persistence to more aggressive or demanding tones.

However, attackers can only exploit these weaknesses when GenAI systems are poorly designed or integrated. The manipulative techniques outlined above largely depend on prompt injection vulnerabilities and poor development practices.

Manipulating AI to extract sensitive information is a serious issue, particularly in healthcare, where it jeopardises confidential patient records. Such breaches can compromise patient privacy, disrupt business continuity, and endanger individuals’ well-being and safety.

Enhancing security for GenAI bots

Given the sophisticated methods used to exploit GenAI systems, adopting a comprehensive “defence in depth” strategy is vital for the healthcare sector. This approach involves layering multiple security measures to ensure that no single point of failure can be easily targeted.

Additional key protective steps include implementing data loss prevention (DLP) systems, enforcing strict input validation, and using context-aware filtering to detect and block manipulation attempts. Such measures help to prevent the GenAI from being coerced into disclosing sensitive information.
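The triage-chatbot scenario above (transcripts with patient details loaded into a retrieval store) and the "defence in depth" measures just listed can be illustrated with a small, added example; this is not code from the article or from Immersive Labs. It assumes a retrieval-backed chatbot and stands in for the embedding store and the language model with a keyword matcher and a string template. Two independent layers are shown: PII redaction at ingestion, so the model never sees names, NHS numbers, phone numbers or e-mail addresses, and a DLP gate on the model's reply, so that anything that slips through is still blocked before it reaches the user. The transcript lines, names and numbers are constructed; the NHS number check digit is the standard modulus 11 scheme.

```python
"""Added example: two-layer PII protection for a retrieval-backed triage bot.

Layer 1 (ingestion): redact PII from transcripts before they are indexed.
Layer 2 (output):    a DLP gate scans the model's draft reply and blocks it
                     if any PII pattern is still present.
Everything below (transcripts, patterns, retrieval, generation) is a
constructed stand-in for the real components.
"""
import re

# Constructed sample transcripts with fictional patient details.
RAW_TRANSCRIPTS = [
    "2024-08-19 call: Mrs. Jane Doe (NHS no. 943 476 5919, tel 07700 900123) "
    "reported headache and loss of appetite.",
    "2024-08-20 web: Patient asked about repeat prescription; "
    "email john.smith@example.com.",
    "2024-08-21 call: Caller described a persistent cough for two weeks, no fever.",
]

# Simple detectors; a production DLP system would use broader pattern sets.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),               # UK mobile format
    "nhs_number": re.compile(r"\b\d{3}\s?\d{3}\s?\d{4}\b"),   # 10 digits, 3-3-4
    "name": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?"),
}


def nhs_number_valid(candidate):
    """Modulus 11 check digit: weights 10..2 over the first nine digits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:          # no valid number has this remainder
        return False
    return check == digits[9]


def redact(text):
    """Replace PII with labelled tokens; return (clean_text, counts_by_type)."""
    counts = {}
    for label in ("email", "phone", "nhs_number", "name"):
        def replace(match, label=label):
            value = match.group(0)
            if label == "nhs_number" and not nhs_number_valid(value):
                return value  # ten digits but wrong check digit: not an NHS number
            counts[label] = counts.get(label, 0) + 1
            return f"[{label.upper()}]"
        text = PII_PATTERNS[label].sub(replace, text)
    return text, counts


def build_index(transcripts):
    """Layer 1: only redacted text ever reaches the retrieval store."""
    return [redact(t)[0] for t in transcripts]


def retrieve(index, query, k=1):
    """Stand-in for vector search: rank documents by shared words."""
    words = lambda s: set(re.findall(r"[a-z]+", s.lower()))
    q = words(query)
    return sorted(index, key=lambda doc: -len(q & words(doc)))[:k]


def dlp_gate(draft):
    """Layer 2: block any reply in which PII patterns survive."""
    _, counts = redact(draft)
    if counts:
        return "I can't share details from other patients' records.", False
    return draft, True


def answer(index, query):
    """Retrieve, 'generate' by quoting the context, then pass the DLP gate."""
    context = retrieve(index, query)[0]
    draft = f"Based on our records: {context}"  # stand-in for LLM output
    return dlp_gate(draft)


if __name__ == "__main__":
    question = "Has anyone reported symptoms of headache and loss of appetite?"
    print("unredacted index ->", answer(RAW_TRANSCRIPTS, question))
    print("redacted index   ->", answer(build_index(RAW_TRANSCRIPTS), question))
```

Running it shows the two layers working independently: with the raw transcripts indexed, the draft reply quotes Mrs. Jane Doe's record and the DLP gate refuses it; with the redacted index, the same question yields a reply that keeps the clinical content ("reported headache and loss of appetite") with the identifying fields replaced by tokens. Treating everything the model can retrieve as effectively public, as the article advises, is what makes the ingestion-time layer the important one; the output gate is the backstop.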

Healthcare organisations should also develop clear policies governing the use of AI, crafted by a multidisciplinary team of legal, technical, information security, and compliance experts. These policies should address data privacy, security, and regulatory compliance, aligning with frameworks like GDPR or CCPA to protect sensitive data.

Additionally, establishing fail-safe mechanisms and automated shutdown procedures can limit the impact of any GenAI system anomalies. Regular data and system configuration backups are crucial for swift recovery in case of malfunctions or breaches.

Finally, a “secure by design” philosophy should be embedded throughout the GenAI development lifecycle. Adhering to security guidelines from bodies like the National Cyber Security Centre (NCSC) ensures that robust defences are built into systems from the outset rather than being added as an afterthought.

Future-proofing healthcare with GenAI in mind

As GenAI continues to transform healthcare, addressing its security vulnerabilities, particularly those related to manipulation, is crucial. Healthcare organisations must understand and guard against tactics that exploit GenAI, risking sensitive patient data and system integrity.

Implementing a “defence in depth” strategy, developing strong policies, and embedding security from the design phase are vital measures. By doing so, the healthcare sector can protect against sophisticated manipulations, ensuring that GenAI remains a secure and trusted tool for improving patient care and operational efficiency. Proactive security measures will help secure the future of digital health.

By Kev Breen, Senior Director Cyber Threat Research at Immersive Labs
