Digital doctoring: the importance of cybersecurity in healthcare
Oliver Cuenca explores the issues caused by poor cybersecurity and what healthcare providers can do to address them
Healthcare organisations are under siege. As digital transformation accelerates across hospitals, clinics, and insurers, so too does the complexity – and fragility – of their cyber defences. From outdated IT infrastructure to the unchecked rise of generative artificial intelligence (AI) tools, the sector faces a perfect storm of vulnerabilities that threaten not only data integrity but patient safety itself.
Key vulnerabilities
Oleg Gorobets, a security expert at cybersecurity firm Kaspersky, noted that the healthcare sector was “uniquely exposed” to digital threats, “because it combines legacy IT systems, connected medical devices, and third-party suppliers into a single ecosystem”.
He also warned that while ransomware was often the most visible threat “because downtime immediately affects patient care, and makes organisations a prime threat”, there were other, equally concerning dangers that are often overlooked. Most notably: “Stolen credentials – which can open the door to claims platforms and patient records,” Gorobets explained. “Add to that the dependence on external labs, billing services, and cloud vendors, and a single weak link can trigger widespread disruption.”
A spokesperson from Varonis, citing the company’s 2025 State of Data Security Report – Healthcare & Life Sciences, described the growing and frequently unrestricted use of AI as a key security concern. In particular, the use of so-called ‘shadow AI’ – when employees use unauthorised generative AI applications without oversight or potentially the knowledge of the company – presents a “major risk to data security”. They noted: “Employees can accidentally leak sensitive or confidential data using shadow AI, [while] organisations may be fined if these apps fail to comply” with data security regulations such as the US Health Insurance Portability and Accountability Act (HIPAA), and the European Union’s General Data Protection Regulation (GDPR).
Additionally, such applications can remain risky even if no users have logged into them for weeks or months. Varonis stated that despite such apps being “stale”, they “still have permission to access sensitive data”.
Varonis data suggests that around 64% of healthcare organisations have employees using unsanctioned apps, including shadow AI.
Beyond this, even authorised uses – if poorly applied – can pose a risk to healthcare providers’ security, the Varonis spokesperson added, noting that “as more organisations develop AI processes and products, the data used to train them is at risk from breaches and attacks”.
Training data – typically stored on cloud-based servers – is inadvertently exposed to confidential information. This can lead to unauthorised access by the AI’s users, compromising the solution’s integrity and security.
The spokesperson added: “With vast volumes of sensitive information and scores of users to manage, cloud data security can be challenging at scale. Our analysis showed that cloud data, including unmasked data and exposed buckets, is largely overexposed and underprotected.”
More egregiously, some AI solutions may be at risk of “model poisoning” – when attackers deliberately manipulate the AI model’s training data to corrupt its performance.
“This happens when a malicious user gains access to the model’s cloud resources, such as containers, storage accounts, and databases, and can write to or modify those resources without triggering alarms,” they said. “Model poisoning can lead to dangerous outcomes – imagine an attacker modifying payment information details used in a model. Unaware, the company deploys the model. When users ask for the vendor’s bank details, they are provided with the bank details that the attacker injected.”
Why healthcare is such a high-risk sector
Citing Kaspersky’s latest IT Security Economics report, Gorobets warned that the healthcare sector remained underfunded, relative to the threats it faces from cyberattackers. He noted that in an average IT budget of US$5.4 million, only around $0.6 million was dedicated to cybersecurity.
Additionally: “Despite experiencing an average of 18 security incidents in 2024, the sector’s overall security maturity remains low, with efforts often concentrated mainly on training,” he added. “The average losses of $1.8 million (twice their security budget) reflect this gap – particularly as these industries face incidents involving malware, public cloud vulnerabilities, and high-permission breaches.”
Gorobets continued: “Detection and response times often span weeks, leaving these organisations exposed to prolonged risks. Cyberattacks can delay diagnoses, cancel operations, and compromise patient safety. At the same time, they expose some of the most sensitive data people hold: their medical history.”
He warned that this combination of factors could result in serious harm to the healthcare provider’s reputation, adding that once trust is lost, it is difficult to rebuild.
“Institutions may recover their systems, but rebuilding public confidence, regulatory standing, and financial stability takes far longer,” Gorobets said.
The Varonis spokesperson added that many healthcare organisations – and many organisations in general – found it difficult to keep up with securing identities and managing permissions. “A single user can gather dozens of roles and group memberships,” they said. “Meanwhile, understaffed IT and security teams often struggle to revoke unused or unnecessary memberships when users change roles or leave.”
They added: “Our 2025 State of Data Security Report shows that organisations have fallen behind in managing permissions and securing identities – particularly non-human identities like APIs [application programming interfaces] and service accounts. Poor management and excessive privileges [can] lead to unauthorised access and data breaches.”
What improvements can be made?
To combat the risk of such attacks, Gorobets argued that the most effective steps a healthcare provider could take were often also the most fundamental and practical ones.
“Firstly, proper hardening of the IT system is foundational,” he said, adding that alongside the timely management of all identified vulnerabilities, “the basics” should include:
- Segmenting networks – so that attackers cannot move freely
- Enforcing multi-factor authentication (MFA)
- Ensuring that critical systems are backed up securely, and tested for recovery.
However, Gorobets added: “While having solid mainstay protection for all infrastructure levels is essential, those attacking healthcare institutions are often smart enough to look as normal as possible for typical prevention-class automatic countermeasures. So, extended detection and response tools are what can enable IT security teams to identify elusive threats amidst background noise and respond before they spread.”
He also noted that cybersecurity awareness education was of the “utmost importance” in environments such as healthcare facilities, “where the cost of a human error is pretty high”.
Gorobets concluded by stating that the quest for cyber resilience “must go beyond your own organisation – which means scrutinising supplier security and planning for outages across the broader ecosystem.
“Probing the regular, deep, and dark web for indicators of unhealthy activities around both the institution and its key suppliers might well result in a timely putting of all defences to the state of high alert – and, therefore, preventing the worse from happening,” he said.
Varonis also recommended that healthcare providers who were looking to incorporate AI into their operations should be proactive in taking steps to secure their critical information.
In particular, companies should “assume that breaches will occur”, and proactively work to decrease the potential damage an attacker can do with just one stolen identity.
“Aim to minimise your blast radius by continuously monitoring data and remediating issues, locking down permissions and access to prevent identity-based attacks, and monitoring AI co-pilots, chatbots, and agents to prevent exploitation and misuse,” the spokesperson said.
Additionally, they advised that healthcare firms should employ a “holistic approach to data security”, ensuring that all aspects were being considered, and added that despite the potential risks of AI, they were not advising people to avoid it completely – rather, companies should ensure that they “use AI for good”.
Indeed, appropriately used, AI can be a “powerful tool for defenders”, allowing IT and security teams to “accurately identify, classify, and label sensitive information across large data sets, remediate vulnerabilities … and catch malicious insiders and abnormal behaviour that indicates an attack”.
Gorobets highlighted the enormous importance of cyber insurance as a means to strengthen a healthcare provider’s security posture. “In healthcare,” he said, “where downtime can lead to cancelled treatments and disrupted claims, [cyber] coverage is essential.”
Gorobets added that an effective cyber policy would focus first on “breach containment and rapid system restoration – the steps most critical to maintaining vital business processes”. After helping to re-establish control, such policies then “extend to the wider costs of managing an incident, including forensic investigations, legal advice, patient notification, and business interruption losses”.
However, he noted that as cyber insurance has come to play a greater role in organisations’ overall security, the counterpoint is that insurers now require evidence of “strong controls such as MFA, endpoint detection, and resilient backups before they will underwrite at favourable terms”.
Conclusion
In an era when digitalisation is increasingly reshaping healthcare – often faster than those working in the sector can get a handle on the implications of this new technology – the risk of exposure to cyber threats has never been greater. Legacy systems and shadow AI, combined with frequently under-resourced security teams and sprawling third-party ecosystems, can leave openings for attackers.
However, a holistic approach to security, careful planning, and a thorough and proactive approach to best practice can go a long way towards containing and combatting these threats before damage is done – to both internal systems and public trust.
December 2025
Issue
In this issue of ITIJ we examine breaches of cyber security in the healthcare sector and ask what can be done to prevent them, share travel predictions, including risks and hotspots, for 2026, and look at the global implications of changes in international student travel.
Oliver Cuenca
Oliver Cuenca is a Junior Editor for Voyageur Group, joining in 2021. He writes for both ITIJ and AirMed&Rescue, covering a range of topics including international travel and health insurance, medical assistance provision and air medical transportation. He also serves as Title Editor of the Assistance & Repatriation Reviews. Oliver holds an MA in Magazine Journalism from Cardiff University, as well as a BA in English with Creative Writing from Falmouth University.