In recent years, hospital breaches have dominated headlines and board-level discussions, shining a harsh light on cybersecurity and privacy vulnerabilities within clinical settings. Ransomware attacks targeting hospitals have become a near-daily threat, locking patient records, disrupting care delivery, costing institutions millions, and in some cases contributing to physical harm and death. Yet these incidents and targets are only the tip of the iceberg.
Beneath the surface of these headlines lies an expansive healthcare ecosystem — medical device manufacturers, pharmaceutical companies, insurers, mobile health applications and more — whose interconnected weaknesses can create a sprawling attack surface. Data, like an ocean current flowing through this icy expanse, is exposed at every depth, vulnerable to hackers navigating the unseen crevices.
Beyond hospitals: The ecosystem players at risk
Much has been written about this, but it is worth emphasizing: while hospitals may be the most visible targets, the ecosystem's deeper layers are equally perilous. Medical device manufacturers, for instance, produce equipment such as pacemakers, infusion pumps, and MRI machines that increasingly connect to hospital networks. These devices, while revolutionary for patient care, often run outdated operating systems and software, lack basic encryption, and offer no way to monitor who is accessing them. A 2023 joint research project identified 993 vulnerabilities across 966 medical products, a 59% increase over 2022. Premarket cybersecurity requirements for new devices took effect in the United States only in 2023, and the large installed base of legacy devices faces little regulatory pressure to be secured, so manufacturers have had little incentive to prioritize security over innovation. Attackers can use these devices as entry points and pivot into the rest of the network, turning a life-saving tool into a foothold for ransomware.
Pharmaceutical companies, as another example, hold vast troves of sensitive data, which may include clinical trial records, patient registries, sensitive health information, and supply chain details. Their sprawling, often global, operations rely on third-party vendors, further amplifying the risk. An incident or breach at a pharma giant may not only expose sensitive data; it can disrupt drug supply chains, delaying treatments and compounding the human cost. Insurers and health tech firms, managing claims and telehealth platforms, add further layers of exposure. Each player typically operates in a silo, prioritizing its own operations over collective security, leaving the ecosystem cracked and fragile.
Consolidation: A double-edged sword
The healthcare industry's rapid consolidation exacerbates these risks. Mega-mergers between hospital systems, clinical research organizations, insurers, and tech firms have created centralized data hubs: rich sources of data for improving treatment and care delivery, but also prime targets for cybercriminals. A single breach in a complex entity, such as an integrated healthcare organization that functions as provider, payer, and pharmacy while also providing services to other healthcare entities, can expose millions of records, far outstripping the impact of an attack on a standalone hospital. Take the February 2024 Change Healthcare ransomware attack, which, because of the company's dominance in claims processing, disrupted roughly one-third of U.S. healthcare transactions. Consolidation streamlines care delivery, but it also concentrates risk, turning a localized issue into a systemic disruption.
Centralization and consolidation can also breed compliance complacency. Large organizations often assume that their scale and ability to recruit top performers equate to sophistication, yet sprawling networks, often cobbled together from legacy systems and acquisitions, can hide unpatched vulnerabilities. Smaller players, continually absorbed into the larger entity, bring their own practices and policies, adding strain to existing cracks. The bigger and more complex the entity, the harder it is to audit and assess every nook and cranny, leaving threat actors room to maneuver.
Where security and data protection fall short
Across this ecosystem, we frequently see one or more of the following: (1) the organization does not have an effective incident/breach response program in place; (2) the organization has difficulty measuring and responding to vendor and third-party risks; (3) breach prevention controls typically presumed to be mature are faltering; and (4) the organization has difficulty prioritizing resources for tabletop and incident response exercises, which would prove invaluable in managing the inevitable attack.
In addition, too many organizations still rely on reactive strategies, patching systems or performing an audit or assessment after an attack rather than proactively hardening them. Consider, for example, the risk when a medical device manufacturer pushes an update only when forced by regulators or litigation, leaving a hospital with insecure equipment and without the technical knowledge or expertise to apply the update correctly.
Third-party vendors compound the stress. From cloud storage providers to billing software firms, these often-overlooked players frequently handle all data types the same way, without considering how data is commingled or whether particular categories of data (protected health information, payment data, research data) require different protections. According to a 2024 report, the number of individuals affected by breaches involving business associates surged by 287% from 2022 to 2023, though responsibility for these incidents remains murky. Contracts rarely mandate specific, stringent security controls, and audits and assessments of vendors are typically reactive or ad hoc. The healthcare ecosystem's understandable reliance on outsourcing, while beneficial in many ways, has created a web of weak links, each a potential entry point for an attack.
As if we did not already have enough to worry about, human error adds a treacherous undercurrent, amplifying vulnerabilities. Organizations often fail to provide sufficient and appropriate training to help staff recognize phishing lures, one of the most common initial access vectors for ransomware. An executive clicking a malicious link or a technician reusing a weak password can open the network to attackers, turning a single thoughtless mistake into a tidal breach. Multi-factor authentication (MFA), generally considered a sturdy reinforcement against such threats, remains underused and unenforced, with organizations citing cost, complexity, and staff frustration. The Change Healthcare intrusion, for example, began with stolen credentials for a remote-access portal that did not require MFA. Without robust education and basic defenses like MFA, we humans create substantial cracks in the iceberg, cracks that technology alone cannot fully mend.
Solutions: Auditing the ecosystem
To stem the creeping thaw, healthcare must chart a new course through its cybersecurity and data protection iceberg, sealing the cracks before they splinter further. Piecemeal fixes will not suffice; the ecosystem demands a collective reckoning at all levels. Accountability, enforcement, funding, technology, expertise, and collaboration all play a role.
Comprehensive audits, compliance assessments, and incident response exercises are essential, not just for hospitals but for every player touching sensitive data. Regulators have proposed annual compliance assessments and regular patch management, as well as requiring regulated entities and device makers to disclose known vulnerabilities and timelines for fixes. Entities not covered by HIPAA or other federal rules should proactively implement appropriate controls, including audits and assessments that extend to their partners and vendors.
In other words, the industry needs a cultural shift toward proactive security and data protection. Rather than treating policies and controls as a compliance checkbox, organizations should embed these measures into their DNA. This does not come easily. It means investing in real-time threat monitoring rather than only post-breach forensics, and it means rethinking consolidation, perhaps by incentivizing smaller, decentralized networks that limit the blast radius of an attack. Multi-party agreements built on zero-trust architectures, in which every request is authenticated and authorized regardless of where on the network it originates, could secure data flows between players, and tamper-evident audit records (blockchain-based or otherwise) could reduce the risk of data manipulation, helping to ensure that no single point of failure unravels the system.
Finally, collaboration is key. We too often see silos within a single organization, let alone across the ecosystem. Compliance leaders in particular (CISOs, Compliance Officers, Privacy Officers, Legal, and Risk Management) must collaborate to share threat intelligence and best practices and to communicate appropriately with leadership and boards. Remember: threat actors do not discriminate by sector or office; neither should our defenses.
A call to action
The spotlight on hospital breaches has exposed a truth we cannot ignore: cybersecurity and data protection in healthcare are only as strong as the weakest point in the ecosystem. Medical device makers, pharmaceutical firms, health IT vendors, private equity owners, research organizations, and consolidated systems all contribute to vulnerabilities, and their shortcomings can ripple outward, endangering patient data and trust. We must take an approach that considers and respects the whole ecosystem: auditing and assessing our own organizations as well as our partners and vendors, embracing proactive measures across services, and fostering collaboration. We can address cracks before the next wave hits. The stakes, from privacy to care delivery to lives, could not be higher.
This post appears through the MedCity Influencers program.