Healing Healthcare's Broken Cybersecurity Philosophy
In 2024, the healthcare industry faced an unprecedented cybersecurity crisis. Nearly 600 cyberattacks involving breaches of health data affected an estimated 259 million American citizens—meaning three out of four Americans had their private health information compromised. The largest of these, the UnitedHealth Group tech unit breach, alone impacted 190 million people.
As someone who has dedicated their career to cybersecurity, I find these numbers not just alarming, but unacceptable. We're not talking about simple data points; we're talking about infrastructure that affects human lives on an existential level. When a ransomware attack hits a hospital, it's not just an IT inconvenience. It's a matter of life and death.
Our conventional security paradigm is failing healthcare, and it's time we address the broken philosophy behind it. Despite following industry-standard frameworks and investing millions in cybersecurity tools, healthcare organizations remain vulnerable. The philosophy that has guided our defenses for decades requires a fundamental shift, one that protects patients, providers and the healthcare system as a whole.
The Current Cybersecurity Paradigm Is Failing Healthcare
The healthcare and pharmaceutical industries are under relentless attack, and with healthcare ranking as the third-most targeted sector for ransomware worldwide, the situation is dire and worsening. Last year, the average cost of a data breach in healthcare reached $9.77 million, but the impact goes far beyond financial damage. When a hospital's systems are compromised, patient care is directly affected. When private health data is leaked, it's not only a compliance issue but a violation of patients' most intimate information at their most vulnerable moments.
What makes healthcare such an attractive target? First, it's infrastructure that affects human lives on an existential level. Second, healthcare organizations hold vast amounts of confidential patient data and, in the pharmaceutical sector, valuable intellectual property. And third, in the context of cyber warfare, healthcare represents a soft target. Think of a country's defense as an armored warhorse—healthcare is an essential part of this structure, but it's not armored like military systems, so it becomes the “soft underbelly” vulnerable to attack. Hospitals are repositories where people naturally divulge deeply personal information, making them juicy targets for APTs seeking intelligence on military personnel, first responders and other key individuals.
Most concerning is the lack of protection for medical IoT and operational technology. These critical systems often follow the technology evolution path of "get it working, then optimize it, then secure it," but in healthcare, we often never reach that final security stage. With recent reports indicating that 92% of healthcare organizations experienced at least one cyberattack in the past year, it's clear our current approach isn't working.
Why Current Defenses Fail: The Detect-and-Respond Problem
To understand why cybersecurity in healthcare continues to fail, we need to examine the underlying philosophy that guides our defenses. Most healthcare organizations follow the NIST Cybersecurity Framework—identify, protect, detect, respond and recover. It's a solid framework, but the industry has disproportionately focused its innovation on the "detect" phase. Let me walk you through a typical attack chain to demonstrate:
- First, attackers gain initial access, perhaps through a compromised credential or a phishing email.
- Next, they move laterally through your network, evading defenses.
- Then comes the critical part: egress. They establish command and control, pivot to other systems and exfiltrate data—all before you've detected their presence.
By the time your threat detection technology alerts you, sensitive patient data is already gone. You can respond and recover all you want, but that data isn't coming back. The compliance violations and reputational damage are permanent, and the effects on patients whose private information has been exposed cannot be reversed. Some argue that artificial intelligence will solve this problem, but while we're applying AI to detection, adversaries are using it for malware creation and detection evasion. We've inadvertently created a generative adversarial network between the security industry and attackers, each side constantly improving against the other. The security industry gets better at detection, so malware gets better at evasion.
The result? We're still playing the same losing game, just with more expensive technology. The adversary still makes the first move, and by the time they do, the damage is already done. We need to stop doing the same thing over and over again and expecting different results. We need a new philosophy.
A New Philosophy: Zero Trust Connectivity
Instead of constantly racing to catch up with attackers, what if we could change the rules entirely? This is where Zero Trust connectivity comes in—an approach that moves us from detection-centered security to protection-first security. The core principle is simple but powerful: deny all connections by default and only allow those that are explicitly verified as safe. Rather than assuming systems are secure until proven compromised, we assume they're already compromised and only permit connections that pass rigorous verification.
When a device needs to connect to another system or website, the Zero Trust system first verifies both the requesting asset and the destination are legitimate and authorized. Once the exchange completes, the system returns to its default state, denying all connections. This approach offers several critical advantages for healthcare:
- Protection against unknown threats: By verifying what's good rather than identifying what's bad, we sidestep the impossible task of keeping up with constantly evolving threats. For every legitimate connection, there are approximately 7,000 potential malicious ones.
- Edge-based protection: This approach works at the network edge without requiring endpoint agents, which is crucial for protecting medical IoT devices like MRIs and surgical equipment that can't accommodate security software.
- Neutralized phishing attacks: Even if a clinician clicks a malicious link in a perfectly crafted phishing email, nothing happens because the connection to the attacker's server is automatically denied.
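To make the deny-by-default model concrete, the following is an added example, not code from this article or from ADAMnetworks: a minimal edge-gateway policy check that verifies both the requesting asset and its destination before any connection is permitted, and re-evaluates every new connection so the gateway is always back at "deny all" once an exchange ends. The device names, hostnames and log lines are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ConnRequest:
    device: str   # identity of the requesting asset, e.g. from the device inventory
    dest: str     # destination hostname
    port: int

# Hypothetical inventory of assets the edge gateway knows about.
KNOWN_DEVICES = {"mri-01", "ws-nurse-07", "infusion-pump-12"}

# Explicit allow list of (device, destination, port). Nothing else is ever permitted.
ALLOWED = {
    ("mri-01", "pacs.hospital.internal", 104),       # DICOM transfers to PACS
    ("ws-nurse-07", "ehr.hospital.internal", 443),   # clinician workstation to EHR
}

def verify(req: ConnRequest) -> tuple[bool, str]:
    """Default-deny check: both requester and destination must be verified.
    Each connection is evaluated afresh, so no open state lingers after an exchange."""
    if req.device not in KNOWN_DEVICES:
        return False, "unknown requesting asset"
    if (req.device, req.dest, req.port) not in ALLOWED:
        return False, "destination not verified for this asset"
    return True, "explicitly allowed"

def parse(line: str) -> ConnRequest:
    """Parse a constructed gateway log line: '<ts> <device> -> <host>:<port>'."""
    _, device, _, target = line.split()
    host, port = target.rsplit(":", 1)
    return ConnRequest(device, host, int(port))

# Constructed connection attempts; the third is a clinician clicking a phishing link,
# the last is an agentless IoT device with no approved destinations at all.
SAMPLE_LOG = [
    "2025-01-15T10:02:11 mri-01 -> pacs.hospital.internal:104",
    "2025-01-15T10:02:14 ws-nurse-07 -> ehr.hospital.internal:443",
    "2025-01-15T10:03:40 ws-nurse-07 -> invoice-update.example:443",
    "2025-01-15T10:04:02 rogue-laptop -> pacs.hospital.internal:104",
    "2025-01-15T10:04:30 infusion-pump-12 -> update-cdn.example:443",
]

def evaluate(lines):
    """Return [(device, dest, allowed, reason)] for each logged attempt."""
    return [(r.device, r.dest, *verify(r)) for r in map(parse, lines)]

if __name__ == "__main__":
    for device, dest, ok, why in evaluate(SAMPLE_LOG):
        print(f"{'ALLOW' if ok else 'DENY '} {device} -> {dest}: {why}")
```

Only the two explicitly listed pairs pass; the phishing destination, the unknown laptop and the infusion pump's unapproved update host are all denied without any signature or detection logic being involved.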
By moving from "detect and respond" to "protect and neutralize," we create a fundamentally different security posture that gives healthcare organizations a fighting chance against sophisticated threats.
A Call for Philosophical Change
Throwing more technology, more AI and more computing power at the problem won't solve it if we don't first address the fundamental flaw in our security philosophy. Zero Trust connectivity offers us a different path forward, one that aligns with healthcare's unique challenges and requirements. By denying all connections by default and only allowing verified ones, we can dramatically reduce our attack surface, protect patient data and safeguard critical medical systems. All that's needed now is the courage to embrace a fundamentally different way of thinking about cybersecurity, one that puts protection first.
Francois Driessen is the CO|MO and Co-Founder of ADAMnetworks. https://adamnet.works/