Cyber threats against medical practices and health systems have escalated in frequency and sophistication. After a disruptive 2024, leaders recognize the need to move beyond prevention and focus on robust response and recovery strategies to mitigate damage from cyberattacks.
From ransomware to insider threats, understanding how to effectively handle breaches is essential for protecting patient safety, maintaining operations, and preserving organizational reputation.
Despite the ongoing threats, most medical group leaders report at least some confidence that they could recover when an attack occurs: more than half (54%) say they are somewhat confident their organizations would quickly recover from a cyberattack, another 20% are very confident, and more than one in four (27%) say they are not confident. The poll had 332 applicable responses.
When asked about adjustments to cybersecurity staff training in 2024, more than half (51%) reported increased training investments, while 47% noted it was about the same as years past; only 2% said staff training decreased in 2024.
- Practice leaders who were very confident were the most likely to report having increased training investments last year (70%), ahead of those somewhat confident (52%) and those not confident (38%).
- Practice leaders who were not confident in their organizations’ ability to quickly recover were the most likely to have the same level of staff training on cybersecurity (57%) compared to leaders who were somewhat (45%) or very (30%) confident.
Member-exclusive benefit
MGMA members enjoy exclusive access to our Cybersecurity in Medical Practices Playbook, a practical look at understanding HIPAA compliance and frameworks for protecting secure data against threats or accidental exposure.
The evolving threat landscape
The 2024 IBM Security Cost of a Data Breach Report found that healthcare continues to face the highest average cost per data breach for more than a decade, as sensitive patient data remains a prime target. A 2024 Sophos survey found that two-thirds of healthcare organizations had been hit by ransomware, marking a four-year high dating back to 2021. Worse yet, eight in 10 (80%) of all organizations surveyed by Sophos said it took more than a week to recover from ransomware. In the healthcare space specifically:
- More than one-third (37%) needed more than a month to recover.
- More than half that paid a ransom ended up paying more than originally demanded.
- Nearly all (95%) of healthcare organizations hit by ransomware said attackers attempted to compromise their backup systems mid-attack.
This year, practice leaders should anticipate increasingly refined tactics, including targeting unprotected endpoints and employee accounts to penetrate broader systems.
Additional resources
- “Averting crisis with a well-documented plan for EHR, RCM downtime” (MGMA Stat)
- “Crisis Averted: Effective Downtime Protocols for Your Revenue Cycle Operations” (Member-exclusive webinar, on demand)
Ransomware response and recovery
Ransomware remains one of the most damaging forms of cyberattack in healthcare, often leading to loss of immediate access to patient histories, lab results, and even life-saving equipment when a network is locked down. Effective and rapid ransomware response plans typically include:
- Immediate isolation: Disconnect infected systems from the network to stop the ransomware from spreading, but where possible leave them powered on so memory and logs remain available for the investigation. According to Health & Human Services (HHS) cybersecurity guidance, segmenting networks in advance helps contain an outbreak.
- Data backup strategies: Maintain regular, encrypted backups stored onsite and offsite, with at least one copy kept offline or immutable so an attacker who already controls the network cannot encrypt or delete it. Test actual restores frequently, not just the backup jobs, so the organization can rebuild systems without paying a ransom.
- Communication protocols: Establish a clear chain of command for internal notifications (incident response team, IT staff and executive leadership) and for external communication (patients, partners and possibly law enforcement). Engage public relations professionals early to manage the reputational fallout.
- Decryption or system restoration: Restore systems from clean backups whenever possible. In extreme cases with no alternatives, organizations face a difficult choice between paying the ransom (not recommended by law enforcement) and rebuilding from scratch.
- Post-incident forensics: Once the attack is contained, investigate how the attackers got in and what they touched, then close those entry points so the same path cannot be used again.
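The backup and restoration steps above hinge on being able to tell a clean backup from one the attackers reached. The following is an added example (not MGMA's or HHS's code) of one way to do that: a keyed manifest (HMAC-SHA256 per file) is written alongside each backup set and verified before any restore. It assumes the HMAC key is kept offline, outside the network being backed up, so an attacker who reaches the backup share cannot forge a matching manifest; the file names, paths and key value in `demo()` are constructed for illustration.

```python
"""Keyed backup manifest: build at backup time, verify before restore.
Added example; the key, paths and sample files are constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_mac(path: Path, key: bytes, chunk: int = 1 << 20) -> str:
    """HMAC-SHA256 over a file's contents, streamed so large DB dumps fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            mac.update(block)
    return mac.hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record every file in the backup set with its size and keyed digest,
    then seal the whole listing so entries cannot be silently removed."""
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "mac": file_mac(p, key)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries,
            "manifest_mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Compare the backup directory against its manifest. Reports files that were
    modified (e.g. encrypted), deleted, or added (e.g. a ransom note), and refuses
    to trust a manifest whose own seal does not verify under the offline key."""
    report = {"ok": False, "manifest_tampered": False,
              "modified": [], "missing": [], "unexpected": []}
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["manifest_mac"]):
        report["manifest_tampered"] = True
        return report
    present = {p.relative_to(backup_dir).as_posix()
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, meta in manifest["files"].items():
        p = backup_dir / rel
        if rel not in present:
            report["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or \
                not hmac.compare_digest(file_mac(p, key), meta["mac"]):
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - set(manifest["files"]))
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo() -> dict:
    """Constructed scenario: a three-file backup set, then the damage a ransomware
    operator who reached the share would cause, then a forged manifest."""
    key = b"example-key-kept-offline"  # assumption: the real key never sits on the network
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ehr.sql").write_bytes(b"INSERT INTO patients ...\n" * 100)
        (root / "db" / "billing.sql").write_bytes(b"INSERT INTO claims ...\n" * 50)
        (root / "config.yaml").write_text("version: 1\n")
        manifest = build_manifest(root, key)
        results["clean"] = verify_backup(root, manifest, key)
        # Attacker encrypts one file, deletes another, and drops a ransom note.
        (root / "db" / "ehr.sql").write_bytes(os.urandom(64))
        (root / "db" / "billing.sql").unlink()
        (root / "README_DECRYPT.txt").write_text("pay to restore\n")
        results["tampered"] = verify_backup(root, manifest, key)
        # Attacker rebuilds the manifest to hide the changes, but lacks the real key.
        forged = build_manifest(root, b"attacker-guess")
        results["forged_manifest"] = verify_backup(root, forged, key)
    return results
```

Run `verify_backup` as the first step of any restore drill: a report that is not `ok` tells the responders which copy to fall back to before any time is spent rebuilding from a poisoned set. Because the manifest seal is keyed, a backup that an attacker has rewritten together with its manifest still fails verification, which is exactly the case the Sophos figure on attackers targeting backups describes.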
Insider threats and phishing attacks
Not all breaches come from outside. Insider threats — whether malicious or accidental — can be just as devastating. Staff who inadvertently click on phishing links or send patient records to unauthorized parties remain a top concern for healthcare cybersecurity professionals.
Key recovery and response measures:
- Zero-trust access controls: Enforce the principle of “never trust, always verify”: authenticate and authorize every user and device on each access, whether it originates inside or outside the network, and grant only the minimum access each role needs.
- Regular training: Use frequent and updated phishing simulations to train staff to recognize and report suspicious emails.
- Real-time monitoring: Where possible, use automated analytics (including AI-based tools) to flag unusual user activity, such as a sudden spike in the number of patient records a user views or downloads, so access can be cut off before bulk data leaves the organization.
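The monitoring item above describes the detection in one sentence; the following added example (not MGMA's code, and not a description of any particular vendor's product) shows the core of it working over constructed EHR access-audit lines. The log line format, the user names `nurse_a` and `billing_b`, and the thresholds are all assumptions for illustration. Each user's hourly count of distinct patient records is compared with that user's own earlier hours; an hour that exceeds both an absolute floor and the baseline mean plus three standard deviations is reported.

```python
"""Spike detection over EHR access-audit lines (added example; log format,
users and thresholds are assumptions)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed line format: "<ISO timestamp>Z user=<id> action=<VIEW|EXPORT> patient=<id>".
# The ts group keeps only the hour so records bucket per user per hour.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z user=(?P<user>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def distinct_patients_per_hour(lines):
    """Map user -> {hour: set of patient ids}. Unparseable lines are skipped."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            buckets[m["user"]][m["ts"]].add(m["patient"])
    return buckets


def detect_spikes(lines, min_baseline_hours=3, z=3.0, floor=20):
    """Return one alert per (user, hour) whose distinct-patient count exceeds both
    an absolute floor and mean + z*stdev of that user's earlier hours.
    The floor stops low-volume users' natural variance from alerting; a flagged
    hour is kept out of the baseline so it cannot mask a second spike.
    Caveat: a user whose volume is high every hour (slow exfiltration) is not
    caught by a self-baseline and needs a peer-group comparison as well."""
    alerts = []
    for user, hours in distinct_patients_per_hour(lines).items():
        history = []
        for hour in sorted(hours):
            count = len(hours[hour])
            flagged = False
            if len(history) >= min_baseline_hours:
                mu = mean(history)
                sigma = max(pstdev(history), 1.0)  # avoid zero-variance baselines
                if count > floor and count > mu + z * sigma:
                    flagged = True
                    alerts.append({"user": user, "hour": hour, "count": count,
                                   "baseline_mean": round(mu, 1)})
            if not flagged:
                history.append(count)
    return alerts


def constructed_log():
    """Constructed sample: nurse_a views 5-7 charts per hour, then pulls 60 distinct
    records in one hour; billing_b steadily works the same 10 claims each hour."""
    lines = []
    nurse_hours = {"08": 6, "09": 5, "10": 7, "11": 6, "12": 5, "13": 60}
    for hour, n in nurse_hours.items():
        for i in range(n):
            lines.append(f"2025-01-14T{hour}:{i % 60:02d}:00Z user=nurse_a "
                         f"action=VIEW patient=P{hour}{i:03d}")
    for hour in ("08", "09", "10", "11", "12", "13"):
        for i in range(10):
            lines.append(f"2025-01-14T{hour}:{i * 5:02d}:00Z user=billing_b "
                         f"action=VIEW patient=P9{i:03d}")
    lines.append("malformed line that the parser skips")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(constructed_log()):
        print(alert)
```

On the constructed data only `nurse_a`'s 13:00 hour is reported (60 distinct records against a baseline of about 6), while `billing_b`'s steady 10 per hour never crosses the floor. In production the same logic runs continuously on the EHR audit feed and its alerts drive the intervention the paragraph calls for, such as suspending the account or killing the export session.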
Supply chain attacks
Healthcare organizations rely on a broad ecosystem of vendors for everything from billing services to connected medical devices. Supply chain attacks occur when malicious actors compromise these third-party partners to infiltrate a hospital’s primary network.
How to respond and recover:
- Vendor risk assessments: Rigorous evaluation of partners’ security practices can reduce the likelihood of infiltration.
- Network segmentation: Restrict third-party access to isolated environments.
- Mandatory security standards: Require critical vendors to adhere to a recognized cybersecurity framework such as the NIST Cybersecurity Framework or HITRUST CSF, and write that requirement, along with breach-notification duties, into the contract.
Recovery and resilience
Recovery involves more than system restoration. A comprehensive post-incident review should cover:
- Root cause analysis: Identify vulnerabilities and strengthen defenses in those areas.
- Policy updates: Revise security policies and incident response protocols based on lessons learned.
- Staff debriefs: Communicate changes and raise awareness about new or evolving threats.
Over time, implementing best practices such as encryption, zero-trust networks, continuous security monitoring and ongoing staff training will strengthen an organization’s resilience and reduce the likelihood of future breaches.
JOIN MGMA STAT
Your contributions are vital to MGMA’s ongoing work to provide great resources, education and advocacy for medical group leaders. Sign up for MGMA Stat to make your voice heard in our weekly polls. Simply text “STAT” to 33550 or visit mgma.com/stat. Polls will be sent to your phone via text message.