
Learnings on Cybersecurity in Healthcare

By Hanna Edgren 


As a Venture Analyst exploring the intersection of healthcare and technology, I have been increasingly drawn to the role cybersecurity plays in safeguarding this industry. It often feels like there is a reticence to adopt technology in healthcare. Recent years have brought a surge of digital transformation, often without the necessary safeguards. This dynamic has created a significant opportunity for innovative cybersecurity solutions to ensure better prevention, detection, and response.


  1. In the face of growing and sometimes unavoidable attacks, cyber resilience is more important than ever. 

There is a growing understanding that cyberthreats are pervasive, becoming more advanced, and may be unavoidable. In 2024, there was a string of healthcare cyberattacks causing delays in patient care, compromised health data, and prescription backlogs. You can read more about this and how identity security plays an integral role in a blog from our portfolio company, AuthMind.  


Often, we focus on prevention or the CIA triad (confidentiality, integrity, and availability), particularly in a highly regulated industry like healthcare, but there is less attention devoted to the ability to react and make timely remediation decisions. There is growing concern over the precedent this sets and thus the increased likelihood for healthcare companies to be a target for attacks. There is a need, especially in critical industries like healthcare, to develop strategies for continued operations despite these attacks. 


  2. AI is an important tool and a new attack vector.

If you think your employees are not using ChatGPT at work, you are probably wrong. In fact, the IBM Institute for Business Value found that just 24% of current GenAI projects have a component to secure the initiatives. In a panel at the 2024 RSA Conference, Richard Clarke described the similarities between 2024 and the dawn of the internet in 1996. If you did not adapt your business to the internet era, you would be left in the dust. The result at that time was huge increases in productivity, but also the creation of cybersecurity. During the session, the general feeling was that the current wave of AI is somewhat akin to the dawn of the internet, as we find ourselves in the nascent stages of understanding the risks and benefits for security. GenAI has already proven its potential for efficiencies, just as the internet once did, but a lack of oversight and of rigorous security protection will introduce significant content-related security risks to organizations. For now, many are approaching AI security as they would application and data security. However, a brand-new approach and solutions built specifically for the nuanced uniqueness of AI must be conceived and implemented. Beyond the concerns over securing AI, there is further work to be done on how AI is playing a role in cyberattacks (i.e., overwhelming systems and decreasing time to zero-day) and concerns about AI’s role in misinformation and deepfakes.


  3. Secure! By! Design!

At the 2024 RSA Conference, the (now former) U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, announced the Secure by Design Pledge. She said, “Our goal for the entire community is to shift the security burden from individuals and small businesses – in other words, end users whose business is not a technology development effort or cyber security – to technology manufacturers whose business it is, and who are in the best position to address and manage security risks from the start.” The pledge states that software manufacturers will make a “good-faith effort” to work towards their outlined security goals and publicly document how they are achieving this progress. The pledge was signed by several big names including AWS, HP, Microsoft, IBM, and CrowdStrike. The healthcare industry relies on a patchwork of third-party vendors for security and IT, necessitating a secure-by-design approach when bringing innovation. Furthermore, the CISA pledge underscores the theme of public and private sector collaboration in building fundamental and reasonable expectations for security in the face of innovation.


  4. Healthcare has a lot of catching up to do, and policy will play an integral role.

The U.S. Department of Health and Human Services (HHS) collaborated with the healthcare industry under the 405(d) Program to undertake a landscape analysis of the cybersecurity resiliency of U.S. hospitals. The report highlighted the increase in ransomware attacks, as well as concern over end-of-life systems and software with known vulnerabilities. Medical devices and imaging devices often operate on outdated and legacy systems that do not receive updates.


A 2024 report from Becker’s found that medical records are selling for $60 on the black market compared to $3 for a credit card number and $15 for a Social Security number. This makes healthcare data a lucrative target. You may have received a letter from a healthcare organization notifying you of a breach this year. Over 32M U.S. patients were impacted this year alone, highlighting the pressing need for stronger measures.


Recent events have spurred a proposed Health Infrastructure Security and Accountability Act (HISAA), which aims to establish minimum cybersecurity standards, enforce greater accountability, and provide funding to support adoption of and investment in secure technologies. This proposed legislation is an important step toward modernizing healthcare infrastructure, not only to protect sensitive patient data but also to build trust in an industry where security has lagged. The stakes are high, and policy can help prevent further harm and lay the groundwork for a safer, more resilient healthcare system.

____________ 


Black Opal Ventures has made two investments in cybersecurity to date – AuthMind, which ensures the protection of all identities through the AuthMind Identity Protection Platform, and an undisclosed investment in AI content security.
