Posts

Showing posts from December, 2025

Cybersecurity in Healthcare Insights: 11th December - 17th December

1. New federal grant launches specialized mHealth cybersecurity training. Mobile health (mHealth) apps are booming, helping patients manage everything from diabetes to heart conditions on their phones. However, this convenience creates a massive security risk, as hackers increasingly target these apps to steal sensitive data. To fight this, the National Science Foundation has awarded a $400,000 grant to Dr. Honggang Wang at Yeshiva University’s Katz School. This funding will launch a specialized educational program designed to teach the next generation of cyber-defenders how to protect mobile health systems. The program includes a new course with seven detailed modules covering critical topics like wearable device security and biometric protection. Beyond just theory, the project will build an experimental platform where students can practice fighting off cyberattacks in realistic scenarios. This hands-on training is vital because a breach in mHealth isn't just about data pri...

European hospitals identify third-party vendors as primary weakness

A new report on cybersecurity in Europe has sounded an alarm: hospitals are moving too slowly to cut off hacked vendors. With European healthcare relying heavily on interconnected digital platforms for everything from prescriptions to imaging, a single hacked vendor can spread chaos across hundreds of hospitals instantly. The report found that while hospitals rely on these "upstream" vendors, only 13% have a tested "kill-switch" to immediately disconnect a compromised partner from their network. The delay is dangerous. The study reveals that it takes the average hospital about 10 hours to fully revoke a vendor's access after a breach is detected—far too long to stop ransomware from spreading. Ideally, this should happen in under 90 minutes. This "time-to-revoke" gap is now considered a top risk for patient safety. The report urges hospital boards to treat their software vendors as critical infrastructure. To stay safe, hospitals must demand contract...

Federal relief funding fails to reach most affected hospitals

Following the massive cyberattack on Change Healthcare, which paralyzed billing systems nationwide, the federal government launched a relief program to help hospitals stay afloat. However, new research from the University of Minnesota suggests this financial lifeline missed many of those who needed it most. The study analyzed the distribution of funds and found that the money largely went to hospitals that were already financially stable and had large reserves of cash. Meanwhile, smaller hospitals and clinics, which operate on thin margins, received very little support. The issue stems from how the relief program was structured. It was based on historical billing data that many smaller providers couldn't easily access or leverage during the crisis. As a result, the "safety net" worked well for big health systems but failed the vulnerable clinics that serve rural and low-income communities. The researchers argue that future relief efforts must be designed differently. I...

Healthcare leaders shift strategy from prevention to cyber resilience

For years, the main goal of hospital cybersecurity was simply to stop hackers from getting in. However, the massive cyberattack on Change Healthcare has forced the industry to accept a hard truth: total prevention is impossible. Security leaders are now shifting their focus to "cyber resilience." This means accepting that attacks will eventually happen and planning specifically for how to keep the hospital running while under siege. The goal is no longer just building higher walls, but ensuring the hospital can survive the breach. This new strategy prioritizes "downtime procedures"—the manual backups and paper-based plans that staff use when computers go dark. In the Change Healthcare incident, organizations that practiced these emergency plans recovered much faster than those that relied solely on digital defenses. Leaders are urging hospitals to rigorously test their backup systems, ensuring they aren't just theories in a binder. By treating a cyberattack l...

Healthcare IoT research prioritizes usability over essential security

The "Internet of Things" (IoT) in healthcare—which includes smartwatches, heart monitors, and connected hospital beds—is revolutionizing patient care by providing real-time data. However, a new systematic review of research reveals a worrying trend: the rush to adopt these gadgets is outpacing the security needed to protect them. The study found that most current research focuses heavily on making these devices easy to use and efficient, often treating security and privacy as an afterthought rather than a core requirement. This imbalance poses a significant danger. These devices collect deeply personal health data and transmit it over the internet, creating countless new entry points for hackers. If security isn't built in from the start, a simple smart sensor could become a gateway for a massive data breach. The review concludes that while the operational benefits of IoT are undeniable, the industry must pivot. Future development needs to prioritize "security by ...

Critical security flaws discovered in leading ultrasound and imaging software

Security researchers have discovered serious vulnerabilities in GE HealthCare’s popular Vivid ultrasound machines and their associated software. These flaws act like unlocked doors, potentially allowing hackers to break into hospital networks. If an attacker gains physical access to these machines or the network they run on, they could install ransomware. This malicious software locks up the system, making it impossible for doctors to perform scans or access patient images until a ransom is paid, effectively paralyzing patient care. The risks go beyond just financial loss. The identified weaknesses could allow attackers to steal sensitive patient data or even manipulate medical records, leading to incorrect diagnoses. While GE HealthCare has stated that current safety risks are controlled, the findings highlight a growing danger: medical devices are often the weak link in hospital security. Experts are urging hospitals to physically secure these devices, install software patches immedi...

New federal grant launches specialized mHealth cybersecurity training

Mobile health (mHealth) apps are booming, helping patients manage everything from diabetes to heart conditions on their phones. However, this convenience creates a massive security risk, as hackers increasingly target these apps to steal sensitive data. To fight this, the National Science Foundation has awarded a $400,000 grant to Dr. Honggang Wang at Yeshiva University’s Katz School. This funding will launch a specialized educational program designed to teach the next generation of cyber-defenders how to protect mobile health systems. The program includes a new course with seven detailed modules covering critical topics like wearable device security and biometric protection. Beyond just theory, the project will build an experimental platform where students can practice fighting off cyberattacks in realistic scenarios. This hands-on training is vital because a breach in mHealth isn't just about data privacy; it can be life-threatening. For example, if a hacker compromises an aut...

Cybersecurity in healthcare insights: 4th Dec - 10th Dec 2025

Compromised OT devices pose major cybersecurity risk to hospitals. A new analysis identifies compromised Operational Technology (OT) devices as the single largest cybersecurity liability currently facing hospital networks. Unlike traditional Information Technology (IT) systems, OT encompasses the hardware and software that control physical equipment—ranging from HVAC systems and elevators to life-critical MRI machines and infusion pumps. These devices are often "legacy" systems running on outdated, unpatchable software, making them easy entry points for attackers looking to pivot laterally into sensitive clinical networks. The report highlights that while hospitals have aggressively hardened their IT perimeters, the OT environment remains largely invisible to standard security tools. Attackers are increasingly exploiting this blind spot to launch ransomware attacks that can physically disrupt patient care. The article argues for a paradigm shift in how healthcare organizatio...

Cyber vulnerabilities drop as CISA guidelines gain adoption

In a positive turn for the industry, a new report indicates a measurable decrease in critical cyber vulnerabilities within healthcare software, attributed largely to the wider adoption of guidelines from the Cybersecurity and Infrastructure Security Agency (CISA). The shift is driven by the "Secure by Design" initiative, which pressures software manufacturers to build security into their products from the ground up, rather than treating it as an aftermarket add-on. This includes eliminating default passwords and offering logging capabilities at no extra cost. The data suggests that shifting the burden of security from the end-user (hospitals) to the manufacturer is yielding results. As more vendors align with CISA’s voluntary pledges, the attack surface available to hackers is slowly shrinking. However, the article cautions that while software vulnerabilities are trending down, the human element—phishing and social engineering—remains a persistent challenge that technology ...

Cracks in healthcare's cybersecurity ecosystem threaten patient safety

This commentary explores the systemic vulnerabilities inherent in the highly interconnected healthcare supply chain. Modern healthcare delivery relies on a complex web of vendors, from electronic health record (EHR) providers to third-party billing services and cloud hosts. The article illustrates how "cracks" in this ecosystem—such as a security lapse at a minor vendor—can propagate across the entire network, causing cascading failures that impact major hospital systems. The "fourth-party risk" is highlighted as a major blind spot; hospitals may vet their direct vendors, but they rarely have visibility into the vendors their vendors use. To plug these cracks, the industry needs to move toward a collective defense model, sharing threat intelligence more freely and enforcing stricter security clauses in procurement contracts. The author posits that without a unified approach to supply chain security, patient data and safety will remain perpetually at risk from ind...

Healthcare's cybersecurity crisis escalates: action is needed from providers

Following a series of high-profile cyberattacks, the healthcare sector is facing an unprecedented escalation in digital threats that demands an immediate, coordinated response from providers. The article details how the threat landscape has shifted from simple data theft to sophisticated "double extortion" ransomware campaigns that threaten to leak patient data and paralyze clinical operations simultaneously. The fallout from recent breaches has demonstrated that cybersecurity failures are patient safety issues, leading to ambulance diversions and delayed procedures. The piece argues that the traditional reactive posture of healthcare organizations is no longer tenable. Providers must move beyond compliance-based security checklists and adopt proactive defense mechanisms, such as continuous threat exposure management and rigorous incident response drills. Furthermore, the article stresses the need for board-level engagement, arguing that cybersecurity can no longer be siloe...

AI mHealth apps lack transparency in privacy policies and data use

A study published in the Journal of the American Medical Informatics Association (JAMIA) raises serious concerns regarding the privacy standards of AI-powered mobile health (mHealth) applications. Researchers analyzed the privacy policies of numerous popular iOS health apps that integrate artificial intelligence features. The findings reveal a widespread lack of transparency: many apps fail to explicitly disclose how user data is utilized to train machine learning models or whether sensitive health information is shared with third-party AI vendors. The opacity of these policies poses a significant informed consent issue. Users often believe their data remains local or private, unaware that it may be aggregated to refine commercial algorithms. The study calls for stricter regulatory oversight and standardized labeling for AI-enabled health apps, ensuring that consumers can clearly understand the data trade-offs involved. For clinicians recommending these tools, the findings serve...