Cybersecurity in Healthcare Insights: 11th December - 17th December
1. New federal grant launches specialized mHealth cybersecurity training.
Mobile health (mHealth) apps are booming, helping patients
manage everything from diabetes to heart conditions on their phones. However,
this convenience creates a massive security risk, as hackers increasingly
target these apps to steal sensitive data. To fight this, the National Science
Foundation has awarded a $400,000 grant to Dr. Honggang Wang at Yeshiva
University’s Katz School. This funding will launch a specialized educational
program designed to teach the next generation of cyber-defenders how to protect
mobile health systems.
The program includes a new course with seven detailed
modules covering critical topics like wearable device security and biometric
protection. Beyond just theory, the project will build an experimental platform
where students can practice fighting off cyberattacks in realistic scenarios.
This hands-on training is vital because a breach in mHealth isn't just about
data privacy; it can be life-threatening. For example, if a hacker compromises
an automated insulin pump, they could alter dosages. This initiative aims to
build a workforce capable of securing the future of digital medicine.
Read the original article at: https://www.yu.edu/news/katz/ai-expert-awarded-400000-nsf-grant-cybersecurity-research-mobile-health
2. Critical security flaws discovered in leading ultrasound and imaging software.
Security researchers have discovered serious vulnerabilities
in GE HealthCare’s popular Vivid ultrasound machines and their associated
software. These flaws act like unlocked doors, potentially allowing hackers to
break into hospital networks. If an attacker gains physical access to these
machines or the network they run on, they could install ransomware. This
malicious software locks up the system, making it impossible for doctors to
perform scans or access patient images until a ransom is paid, effectively
paralyzing patient care.
The risks go beyond just financial loss. The identified
weaknesses could allow attackers to steal sensitive patient data or even
manipulate medical records, leading to incorrect diagnoses. While GE HealthCare
has stated that current safety risks are controlled, the findings highlight a
growing danger: medical devices are often the weak link in hospital security.
Experts are urging hospitals to physically secure these devices, install
software patches immediately, and separate these machines from the main hospital
network. Taking these steps is essential to stop a digital attack from becoming
a medical emergency.
Read the original article at: https://hitconsultant.net/2024/05/15/researchers-uncover-critical-vulnerabilities-in-ge-healthcare-ultrasound-systems-and-echopac-software/
3. Healthcare leaders shift strategy from prevention to cyber resilience.
For years, the main goal of hospital cybersecurity was
simply to stop hackers from getting in. However, the massive cyberattack on
Change Healthcare has forced the industry to accept a hard truth: total
prevention is impossible. Security leaders are now shifting their focus to
"cyber resilience." This means accepting that attacks will eventually
happen and planning specifically for how to keep the hospital running while
under siege. The goal is no longer just building higher walls, but ensuring the
hospital can survive the breach.
This new strategy prioritizes "downtime
procedures"—the manual backups and paper-based plans that staff use when
computers go dark. In the Change Healthcare incident, organizations that
practiced these emergency plans recovered much faster than those that relied
solely on digital defenses. Leaders are urging hospitals to rigorously test
their backup systems, ensuring they aren't just theories in a binder. By
treating a cyberattack like a natural disaster, healthcare providers can ensure
that patient care continues safely, even when the technology fails.
Read the original article at: https://healthsystemcio.com/2024/05/14/change-from-change-how-solid-cybersecurity-practices-can-prevent-catastrophic-attacks/
4. Healthcare IoT research prioritizes usability over essential security.
The "Internet of Things" (IoT) in healthcare—which
includes smartwatches, heart monitors, and connected hospital beds—is
revolutionizing patient care by providing real-time data. However, a new
systematic review of research reveals a worrying trend: the rush to adopt these
gadgets is outpacing the security needed to protect them. The study found that
most current research focuses heavily on making these devices easy to use and
efficient, often treating security and privacy as an afterthought rather than a
core requirement.
This imbalance poses a significant danger. These devices
collect deeply personal health data and transmit it over the internet, creating
countless new entry points for hackers. If security isn't built in from the
start, a simple smart sensor could become a gateway for a massive data breach.
The review concludes that while the operational benefits of IoT are undeniable,
the industry must pivot. Future development needs to prioritize "security
by design," ensuring that patient data is locked down just as tightly as
the physical devices are connected.
Read the original article at: https://www.mdpi.com/2227-9032/13/23/3157
5. Federal relief funding fails to reach most affected hospitals.
Following the massive cyberattack on Change Healthcare,
which paralyzed billing systems nationwide, the federal government launched a
relief program to help hospitals stay afloat. However, new research from the
University of Minnesota suggests this financial lifeline missed many of those
who needed it most. The study analyzed the distribution of funds and found that
the money largely went to hospitals that were already financially stable and
had large reserves of cash. Meanwhile, smaller hospitals and clinics, which
operate on thin margins, received very little support.
The issue stems from how the relief program was structured.
It was based on historical billing data that many smaller providers couldn't
easily access or leverage during the crisis. As a result, the "safety
net" worked well for big health systems but failed the vulnerable clinics
that serve rural and low-income communities. The researchers argue that future
relief efforts must be designed differently. Instead of a one-size-fits-all
approach, funding should be targeted based on actual financial need to prevent
essential community providers from collapsing during cyber disasters.
Read the original article at: https://medicalxpress.com/news/2025-12-impact-federal-relief-major-health.html
6. European hospitals identify third-party vendors as primary weakness.
A new report on cybersecurity in Europe has sounded an
alarm: hospitals are moving too slowly to cut off hacked vendors. With European
healthcare relying heavily on interconnected digital platforms for everything
from prescriptions to imaging, a single hacked vendor can spread chaos across
hundreds of hospitals instantly. The report found that while hospitals rely on
these "upstream" vendors, only 13% have a tested
"kill-switch" to immediately disconnect a compromised partner from their
network.
The delay is dangerous. The study reveals that it takes the
average hospital about 10 hours to fully revoke a vendor's access after a
breach is detected—far too long to stop ransomware from spreading. Ideally,
this should happen in under 90 minutes. This "time-to-revoke" gap is
now considered a top risk for patient safety. The report urges hospital boards
to treat their software vendors as critical infrastructure. To stay safe,
hospitals must demand contracts that allow for immediate disconnection and
practice these emergency cut-offs regularly, ensuring they can isolate their
networks before an infection takes hold.
Read the original article at: https://www.newswire.com/view/content/europes-hospitals-cant-cut-off-hacked-vendors-fast-enough-new-cyber-22686241