IHITM

A reflection on the current cybersecurity threats facing the U.S. healthcare system and some measures to avert them.

Negussie Tilahun, Ph.D.

International Health Information Technology (IHITM) Consultancy Group, USA

Date:
November 2025

Abstract

This review analyzes the cybersecurity threats faced by the U.S. healthcare system and offers recommendations for addressing these challenges. Establishing effective cybersecurity measures is a complicated endeavor that demands thorough planning and significant time for implementation. Once these measures are established, they must be consistently updated to keep pace with the continually evolving and sophisticated nature of cyber threats. Cyber threats to the U.S. healthcare system worsened after the government’s policy changed to combat COVID-19 in 2020, which severely disrupted the supply chains essential for credentialing healthcare networks. The government relaxed its cybersecurity safeguards in order to promote access to care, but such measures heightened vulnerability to ransomware and related threats. There is no one-size-fits-all solution to the nation’s cybersecurity difficulties; instead, a proactive strategy is vital for safeguarding critical health information infrastructure through comprehensive, simultaneous measures. Such measures may include instituting mandatory minimum compliance standards, raising public awareness of cybersecurity threats, collaborating with technology companies, and strengthening international cooperation.

Introduction

Schneier (2018) describes cybersecurity as a continuous struggle between attackers and defenders. The inherent has increased global connectivity. In an era characterized by “internet + things + us,” all entities are interconnected through computers, creating a highly linked environment. This surge in connectivity stems from inherently insecure computers being brought online through the internet (Schneier, 2018). The internet was not originally designed for security, complicating efforts to protect computers. Consequently, new vulnerabilities regularly emerge, leading to increasingly sophisticated and hard-to-detect attacks.

A brief history of US government cybersecurity measures 

Healthcare organizations are prime targets for cyber-attacks due to their management of sensitive patient data. In 2017, data breaches and related failures reportedly cost the U.S. economy around $3 trillion (Dobran, 2019). Since then, the frequency of cyber-attacks on healthcare has surged, particularly following the COVID-19 pandemic of 2020/21. The CTIL Dark team, which monitors the darknet and deep web for indicators of data breaches and cybercriminal activity, reported that hospitals and clinics were aggressively targeted by hackers and malware while the U.S. healthcare system focused on managing the pandemic (Zaidenberg, 2021). Ransomware groups such as Maze, Conti, Netwalker, REvil, and Ryuk have been identified by the CTI League as specifically targeting the healthcare sector. Research conducted by Lallie et al. (2021) indicated a spike in cybercrime incidents during the pandemic, with numerous unique cyber-attacks reported daily. Alerts from the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the UK’s National Cyber Security Centre (NCSC) noted that the relaxation of cybersecurity protocols during the pandemic created additional opportunities for criminal activities (America’s Cyber Defense Agency, 2020).

The post-COVID-19 landscape sees an increased reliance on web-based applications for healthcare management, adhering to established data transfer protocols. However, many healthcare organizations continue using outdated systems, primarily static file storage and databases accessed through desktops and mobile devices, significantly contributing to ransomware vulnerabilities (Beazley Breach, 2019). Organizations that shifted to cloud-based solutions became vulnerable to cyber threats when they failed to encrypt data during transfers (Nguyen, 2021; Javaid et al., 2023).


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) oversees national cybersecurity efforts (Wolf, 2023). It serves as a coordinating entity, providing guidelines and collaborating with both the government and private sectors. The Department of Health is committed to ensuring a secure environment for sensitive data collected through its agencies, including the NIH (National Institutes of Health), FDA (Food and Drug Administration), CMS (Centers for Medicare & Medicaid Services), and CDC (Centers for Disease Control). These agencies follow various frameworks, such as HIPAA (Health Insurance Portability and Accountability Act), which organizations must adhere to (Dawson, 2019; Bronk & Conklin, 2022).

In 2011, the National Cyber Security Division (NCSD) of the DHS and the U.S. Department of Energy developed multiple scenarios prioritizing risks in the nuclear, chemical, and energy sectors, strategizing to mitigate cyber threats through a probabilistic risk analysis (PRA) approach. The Cybersecurity National Security Action Plan (CNAP), initiated by the Obama administration in 2016, was a comprehensive cybersecurity strategy informed by the 2011 risk analysis recommendations (Srinivas et al., 2019). CNAP addressed several critical issues: raising public awareness regarding the escalating threat of cybercrimes, enhancing cybersecurity protections, safeguarding personal information, and educating the public on digital safety. It also advocated for the formation of a diverse commission to propose stronger cybersecurity strategies, such as multi-factor authentication, reforming government IT practices, and developing a national plan to increase public awareness of cyber threats. To implement these recommendations, the U.S. government enacted new legislation and increased cybersecurity funding by 35% from 2011 levels. The Social Security Act (A-18-20-1130, 2019) requires each Medicare administrative contractor (MAC) to undergo an annual independent evaluation of its information security program. The Centers for Medicare & Medicaid Services (CMS) engaged Guidehouse, LLP, to assess MACs’ information security programs according to established procedures and provide annual progress reports to Congress. Hathaway et al. (2021) noted that Guidehouse identified a total of 125 security gaps across seven MACs for FY 2019, reflecting a 12% increase from the prior year. The cybersecurity landscape has seen little improvement post-COVID-19, as the U.S. healthcare system continues to grapple with persistent hacking challenges, while government responses to these threats tend to be defensive and often disproportionate to the risks posed by cyberattacks (Shostack & Dykstra, 2024).

Some measures to address the problem


It is essential to acknowledge that there is no singular solution to the cybersecurity challenges facing healthcare. An effective approach requires a comprehensive strategy that includes developing collaborative information-sharing networks and fostering sustainable awareness through transparency to build public trust. Proper management or mitigation of cybersecurity risks is vital at both organizational and individual levels, especially for healthcare institutions. U.S. healthcare organizations should adopt a robust IT security risk management policy that is continuously updated and refined. The following measures can enhance the security of U.S. health infrastructures:

i) Establish Mandatory Minimum Standards for Compliance.

The U.S. Department of Health should strive to create a secure and trusted environment across all agencies to safeguard sensitive information. Each agency, including the NIH, FDA, CMS, CDC, and ONC, manages vast amounts of extremely sensitive data daily. These agencies have developed their own cybersecurity protocols in compliance with NIS guidelines. This decentralized approach allows agencies to tailor their strategies to specific mandates. For instance, CMS focuses on Medicaid and Medicare insurance authorization and payments that are essential for 174 million Americans, whereas NIH concentrates on research and development. However, consolidating cybersecurity strategies under a unified organization could enhance efficiency and effectiveness in combating cyber threats to the U.S. healthcare system. Implementing the CIS 20 framework across all government agencies within a specified timeframe could streamline efforts. The challenge lies in the diversity of agency missions and their independence in crafting tailored solutions, complicating the unification under a single cybersecurity strategy.

ii) Expand Public Awareness of Cybersecurity.

Increasing public awareness is crucial for educating individuals about cybersecurity risks and encompasses various approaches (Shillair et al., 2022). A significant element involves training employees of healthcare organizations through seminars and workshops on threats such as phishing, ransomware, and social engineering. Instituting mandatory practices like software updates, two-factor authentication, and strong password policies can create a more secure work environment. Providing training on cybersecurity essentials and safe online practices can equip employees to recognize potential threats (He & Zhang, 2019). Employees should also be encouraged to report incidents when they occur. These initiatives can raise public awareness of cybersecurity, enabling individuals to better identify and respond to cyber threats, thereby minimizing the risk and impact of cyber incidents.

iii) Collaborate with Technology Companies.

An effective cybersecurity strategy should include partnerships with technology firms, as the private sector predominantly manages cyberspace. Users, businesses, civil society, the internet technical community, and academia all play vital roles (Choi & Dulisse, 2023). The initiative launched by the Obama administration in 2014 to engage private and public entities for the continuous monitoring and protection of critical infrastructure highlights the need for coordinated responses. Cybersecurity is not solely a concern for governments or large corporations; it necessitates collaboration across all sectors, including the public.

iv) Enhance International Cooperation.

Strengthening international partnerships in combating healthcare cybersecurity threats is essential (Isakov et al., 2024). Cyber attacks transcend borders, yet national governments’ jurisdiction is limited to their territories. A coordinated international response is needed to detect threats and mitigate their effects. International collaboration facilitates the sharing of resources such as finance, knowledge, strategies, and technologies that bolster a nation’s ability to thwart cyber-attacks. However, establishing international cooperation to tackle cybersecurity issues is fraught with challenges (Bechara & Schuch, 2021). Attributing cybercrime and malware is complicated due to the advanced technology hackers use to conceal their identities. Moreover, the absence of uniformity in privacy, personally identifiable health data, and cybersecurity laws across nations complicates matters. Consequently, actions deemed criminal in one jurisdiction may not be viewed similarly in another. Even when international laws are in place, extraditing a cybercriminal can be intricate, as countries may require specific legal agreements or treaties to proceed. Recent initiatives, such as the Budapest Convention on Cybercrime, aim to foster collaboration among countries by creating frameworks and agreements to facilitate cooperation and streamline legal processes in cybercrime cases.

Conclusion

The healthcare sector has become a primary target for the theft of medical information and lags behind other industries in securing critical data. The U.S. healthcare data system remains a significant target for cyber-attacks, despite government commitments to protect public privacy. Cyber-attacks can originate from both internal and external sources. Therefore, it is crucial to prioritize the training and development of a skilled cybersecurity workforce, alongside enhancing technological infrastructure, to prevent future crises. Substantial efforts are required to establish more effective cybersecurity mechanisms. Both the government and private sectors must invest in safeguarding healthcare technologies and maintaining patient confidentiality against cyber threats. International collaboration is vital, although significant challenges persist in creating cooperative efforts to combat cyber threats.

References

America’s Cyber Defense Agency (2020, April 8). COVID-19 Exploited by malicious cyber actors. Retrieved on 9/13/24 from https://us-cert.cisa.gov/ncas/alerts/aa20-099a

Beazley Breach Briefing (2020). Ransomware remains top cyber security threat for businesses. Retrieved on 9/10/24 from https://www.globenewswire.com/news-release/2020/03/23/2004748/0/en/Beazley-Breach-Briefing-Ransomware-remains-top-cyber-security-threat-for-businesses.html

Bronk, C., & Conklin, W. A. (2022). Who’s in charge and how does it work? US cybersecurity of critical infrastructure. Journal of Cyber Policy, 7(2), 155-174.

Bechara, F. R., & Schuch, S. B. (2021). Cybersecurity and global regulatory challenges. Journal of Financial Crime, 28(2), 359-374.

Choi, J., & Dulisse, B. (2023). Techno-crime prevention: the role of the private sector and its partnerships with the public sector. In Handbook on crime and technology (pp. 359-374). Edward Elgar Publishing.

Dawson, H. (2019, June 27). The Most influential security frameworks of all time. Retrieved 9/3/24 from https://www.infosecurity-magazine.com/opinions/most-influential-frameworks-1-1-1/

Dobran, B. (2019). 31 Must-know healthcare cybersecurity statistics 2020. Phoenix Nap.

Hathaway, O. A., Kuehne, T., Michel, R., & Ng, N. (2021). Congressional Oversight of Modern Warfare: History, Pathologies, and Proposals for Reform. Wm. & Mary L. Rev., 63, 137.

He, W., & Zhang, Z. (2019). Enterprise cybersecurity training and awareness programs: Recommendations for success. Journal of Organizational Computing and Electronic Commerce, 29(4), 249-257.

Isakov, A., Urozov, F., Abduzhapporov, S., & Isokova, M. (2024). Enhancing cybersecurity: Protecting data in the digital age. Innovations in Science and Technologies, 1(1), 40-49.

Javaid, M., Haleem, A., Singh, R. P., & Suman, R. (2023). Towards insighting cybersecurity for healthcare domains: A comprehensive review of recent practices and trends. Cyber Security and Applications, 1, 100016.

Lallie, H. S., Shepherd, L. A., Jason, R. C., Erola, A., Epiphaniou, G., Maple, C., & Bellekens, X. (2021). Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Computers & Security, 105(n.d.). Retrieved on 8/29/24 from https://www.sciencedirect.com/science/article/pii/S0167404821000729

Nguyen, C. T. (2021). Examination of cloud privacy & security regulations of electronic health records (Master’s thesis, Utica College).

Shillair, R., Esteve-González, P., Dutton, W. H., Creese, S., Nagyfejeo, E., & von Solms, B. (2022). Cybersecurity education, awareness raising, and training initiatives: National level evidence-based results, challenges, and promise. Computers & Security, 119, 102756.

Schneier, B. (2015). Click here to kill everybody: Security and survival in a hyper-connected world. W.W. Norton & Company Inc. ISBN 978-0-393-35744.

Shostack, A., & Dykstra, J. (2024). Handling pandemic-scale cyber threats: Lessons from COVID-19. Retrieved on 8/28/24 from https://arxiv.org/html/2408.08417

Srinivas, J., Das, A. K., & Kumar, N. (2019). Government regulations in cyber security: Framework, standards, and recommendations. Future Generation Computer Systems, 92, 178–188.

Wolf, B. (2023). Homeland security and cybersecurity. In Computer and Information Security Handbook (pp. 1331-1344). Retrieved on 9/2/24 from https://www.sciencedirect.com/science/article/abs/pii/B9780443132230000862

Zaidenberg, O. (2021, Feb 11). TTIL darknet report-2021. CTI League Exposes Darknet Activity from 2020. Retrieved on 9/1/24 from https://cti-league.com/blog/darknet-report-2021/
