Digital Health’s Cybersecurity Conundrum
I've started labeling cybersecurity as the "Achilles' heel" of digital health. Across meetings, workshops, and events, Sg2 experts have touted the opportunities that telehealth, AI, and other digital technologies can bring to health care, but cybersecurity risk always pumps the brakes on those discussions. It's the looming dark cloud. The elephant in the room. A digital skeptic's favorite topic to bring up during a Q&A session.
The concern about cyber risk is fair and valid. You've seen the weekly headlines about cyberattacks in health care—your organization has likely already been impacted by a breach in the past few years. According to a recent Sophos survey of 402 health care IT and cybersecurity leaders, 67% of health care organizations were hit with ransomware in 2024, a significant jump from 34% reported in 2021. Cyberattacks are becoming more frequent, targeting institutions of all sizes, and will likely start to incorporate more advanced generative AI as hackers seek to capitalize on health care's lagging security posture compared to other industries.
What makes cybersecurity the Achilles' heel of digital is that as hospitals and clinics continue to digitize every aspect of the business, a single breach can knock entire systems offline. That does not just disrupt getting paid, as the Change Healthcare attack showed when claims processing went down across the industry; it also poses a direct risk to patient safety when clinicians lose access to records, orders, and imaging.
So if a breach can knock our digital systems offline in an instant, are we always at the mercy of cybercriminals? Are we wasting time and money by investing in technology when our staff can't function without such tools?
Not quite—below are some considerations to address these concerns.
Digital systems may introduce points of vulnerability, but they can also be used to strengthen cybersecurity efforts
Ironically, while many health care executives worry that digital investments expand the attack surface, the same technologies may be the best defensive tools hospitals have. AI, for example, is available 24/7, can monitor in real time, and can pick out patterns across datasets far too large for a human analyst to read. Using AI allows health care organizations to experiment with new approaches to cyber defense, including:
- Ongoing threat prediction, detection and prioritization
- Analyzing attack patterns for faster tactical response planning
- Automating audits and compliance tasks
- Complementing privacy-preserving techniques such as homomorphic encryption and differential privacy
- Enhancing vendor / third-party risk assessments
- Generating simulated phishing campaigns for staff awareness training
It's not just that AI offers superhuman speed and scalability, but that many health care organizations simply don't have enough internal cybersecurity talent to keep up with existing threats. Technology can help address this skills gap, empowering your workforce to better manage ever-growing cyber risk.
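The "real-time monitoring" and "detect patterns across massive datasets" items above come down to something concrete: learning what normal looks like for each account and surfacing the buckets that deviate. The following is an added illustration, not code from the original article or from Sg2. It builds a per-user baseline of hourly record-access volume from constructed EHR audit lines, then scores a constructed "today" against it. The log format, user names, day/hour buckets, and thresholds are all assumptions for illustration.

```python
"""Baseline-and-deviation detection over constructed EHR access-log lines.

Added illustration, not code from the original article or from Sg2. The log
format, user names, day/hour buckets and thresholds are all assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def synth(user: str, day: int, hour: int, n: int) -> list[str]:
    """Construct n audit lines for one user in one hour bucket (sample data)."""
    # Assumed line format: "<ISO timestamp> <user> <patient id> <action>"
    return [f"2024-03-{day:02d}T{hour:02d}:{i * 5:02d}:00 {user} P{1000 + i} view"
            for i in range(n)]


# Constructed history used to learn each user's normal hourly volume.
BASELINE_LINES = (synth("nurse_a", 1, 8, 3) + synth("nurse_a", 1, 9, 5)
                  + synth("nurse_b", 1, 8, 2) + synth("nurse_b", 1, 9, 2))
# Constructed "today": nurse_b spikes, and a never-seen contractor account appears.
TODAY_LINES = (synth("nurse_a", 4, 8, 5) + synth("nurse_b", 4, 8, 8)
               + synth("contractor_x", 4, 8, 5))


def hourly_counts(lines):
    """Count record accesses per (user, hour bucket); bucket = 'YYYY-MM-DDTHH'."""
    counts = Counter()
    for line in lines:
        ts, user, _patient, _action = line.split()
        counts[(user, ts[:13])] += 1
    return counts


def build_baseline(lines, std_floor=1.0):
    """Per-user mean and std-dev of hourly access counts, with a floor on std."""
    per_user = defaultdict(list)
    for (user, _bucket), n in hourly_counts(lines).items():
        per_user[user].append(n)
    # A perfectly flat history (std 0) would make any change look infinite; floor it.
    return {u: (mean(v), max(pstdev(v), std_floor)) for u, v in per_user.items()}


def detect(today_lines, baseline, z_threshold=3.0, min_events=5, std_floor=1.0):
    """Flag (user, hour) buckets whose volume deviates from the user's baseline.

    Accounts with no history are scored against mean 0 so they surface too.
    Alerts come back highest z-score first, i.e. already prioritised.
    """
    alerts = []
    for (user, bucket), n in hourly_counts(today_lines).items():
        if n < min_events:          # ignore tiny buckets, whatever the baseline says
            continue
        if user in baseline:
            mu, sd = baseline[user]
            reason = "volume above baseline"
        else:
            mu, sd = 0.0, std_floor
            reason = "no baseline for account"
        z = (n - mu) / sd
        if z >= z_threshold:
            alerts.append({"user": user, "bucket": bucket, "count": n,
                           "z": round(z, 2), "reason": reason})
    return sorted(alerts, key=lambda a: a["z"], reverse=True)


if __name__ == "__main__":
    for alert in detect(TODAY_LINES, build_baseline(BASELINE_LINES)):
        print(alert)
```

Two points a practitioner would want from this: the std-dev floor keeps a quiet account from triggering on every small change, and the "no baseline" path is deliberate, because a brand-new account pulling records at volume is exactly the pattern a compromised or rogue contractor login produces. Real deployments tune the thresholds per role and feed the ranked alerts into a triage queue rather than paging on each one.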
It's not just a matter of technology
Every hospital should have a cybersecurity resilience plan in place to ensure that it can continue to operate even if systems are temporarily compromised. The goal is to make sure that digitized systems are both protected and recoverable. Building redundancies into digital infrastructure, such as offline or immutable backups, replicated cloud storage, and restores that are actually tested rather than assumed to work, helps ensure that even if a cyberattack happens, the impact on operations and patient care is minimized.
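"Recoverable" is only true if the backup is verified and the restore has been rehearsed. The following is an added example, not code from the original article or from Sg2: it runs a miniature restore drill in a scratch directory, snapshotting constructed "live" files with a SHA-256 manifest, simulating an encrypting intruder, checking that the backup is intact, restoring it, and finally showing that a tampered backup fails the same check. Paths, file contents, and the ransomware simulation are all constructed; the manifest stands in for whatever integrity mechanism a real backup product provides.

```python
"""Backup integrity and restore drill on a scratch directory.

Added example, not from the original article or Sg2. Paths, file contents
and the 'ransomware' simulation are constructed; a hash manifest stands in
for whatever integrity mechanism a real backup product provides.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed "live" data a clinic might hold (relative path -> bytes).
LIVE_FILES = {
    "schedule.csv": b"patient,time\nP1001,08:00\nP1002,08:30\n",
    "notes/P1001.txt": b"Follow-up in two weeks.\n",
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def populate(root: Path, files: dict) -> None:
    """Write the constructed sample files under root."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def snapshot(src: Path, dst: Path) -> dict:
    """Copy src into dst and return {relative path: sha256} as the manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Return the manifest entries that are missing or altered under root."""
    bad = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def restore(backup: Path, manifest: dict, target: Path) -> bool:
    """Restore every manifest entry into target; True if the result verifies."""
    for rel in manifest:
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dst)
    return verify(target, manifest) == []


def simulate_ransomware(root: Path) -> None:
    """Overwrite every live file with random bytes, as an encrypting intruder would."""
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))


def drill() -> dict:
    """Run the whole exercise in a temporary directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / n for n in ("live", "backup", "restored"))
        populate(live, LIVE_FILES)
        manifest = snapshot(live, backup)
        simulate_ransomware(live)
        result = {
            "live_damaged": verify(live, manifest),           # what the attack ruined
            "backup_intact": verify(backup, manifest) == [],  # offline copy untouched
            "restore_ok": restore(backup, manifest, restored),
        }
        # A backup that was itself tampered with must fail the same check.
        (backup / "schedule.csv").write_bytes(b"garbage")
        result["tamper_detected"] = verify(backup, manifest)
        return result


if __name__ == "__main__":
    print(drill())
```

The design point is the last step: the manifest has to live somewhere the attacker cannot rewrite alongside the backup, otherwise a tampered copy verifies cleanly. In practice the drill runs on a schedule against the offline or immutable copy, and a failed verification is treated as an incident rather than a nuisance.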
However, the cyber resilience equation is composed of more than just technology, and includes additional factors related to managing an organization's people and processes for a more holistic approach to cybersecurity (see graphic below).
We can't use cyber risk as an excuse to stall progress
Cyber risk is not going away, but neither is the need for modern, efficient health care. Cybersecurity is a real and ongoing challenge, but it's one that can be managed and mitigated through proactive, intentional strategic planning, just like any other operational risk.
And while some stakeholders may think that digital transformation makes health care organizations more vulnerable to attack, we should place more energy on improving cybersecurity resilience rather than wringing our hands about everything that could possibly go wrong with implementing new technology. To argue that the mere presence of risk means we should stop our progress in digitizing health care is shortsighted—that would be like saying we should do away with online banking and revert to only using cash again because fraudsters exist.
Besides, if bad actors are already exploring ways to use AI to their benefit, shouldn't we be actively exploring ways to use the same technology to counteract their efforts? Inaction is not a winning strategy in an AI arms race.
Instead, let us leverage emerging digital capabilities to ensure our systems can be encrypted, replicated, and secured through firewalls, multifactor authentication, and AI-enhanced continuous monitoring—giving health care organizations a fighting chance of safeguarding critical data and building robust disaster recovery plans to maintain operations.