The State of Cybersecurity in Healthcare 2025: Insights from Echelon Experts
In this article, senior cybersecurity experts Josh Fleming and Steve Dyson share their commentary on the state of cybersecurity in healthcare, offering their perspectives on the risks posed by IoMT devices, the long-overdue updates to the HIPAA Security Rule, and the evolving governance landscape. Their insights highlight critical vulnerabilities and actionable strategies to strengthen cybersecurity resilience across the healthcare industry.
Introduction: Rising Cybersecurity Threats to Healthcare
The U.S. healthcare system faces unprecedented cybersecurity challenges in 2025. Hospitals, clinics, and health plans are under siege from ransomware gangs and other attackers, leading to a record number of data breaches and service disruptions. In 2023 alone, over 167 million individuals were affected by significant healthcare breaches – a new all-time high, more than ten times the number just five years prior (HHS, 2024). Federal officials warn that these cyberattacks are not just IT incidents; they directly threaten patient safety. "The increasing frequency and sophistication of cyberattacks in the healthcare sector pose a direct and significant threat to patient safety," cautioned Deputy Health and Human Services Secretary Andrea Palm (HHS, 2024). Industry leaders echo this concern. John Riggi, cybersecurity advisor to the American Hospital Association, testified to Congress in 2024 that "any cyberattack on the healthcare sector that disrupts, or delays patient care creates a risk to patient safety and crosses the line from an economic crime to a threat-to-life crime" (Riggi, 2024).
IoMT Device Security in Healthcare: Challenges, Risks, and Protective Strategies
Internet of Medical Things (IoMT) devices have become ubiquitous in modern healthcare, powering everything from patient monitors and infusion pumps to smart HVAC systems in hospitals. The IoMT brings tremendous clinical benefits but also expands the attack surface. Many medical IoMT devices were not designed with security in mind, running outdated software or using default credentials (FBI, 2024). The FBI's cyber division warned that unpatched medical devices with weak security "adversely impact healthcare facilities' operational functions, patient safety, data confidentiality, and data integrity" if exploited by threat actors (FBI, 2024).
The proliferation of IoMT devices in healthcare presents one of our most urgent security challenges. While these devices bring undeniable benefits, such as real-time patient monitoring and automated treatment adjustments, they are often deployed without fundamental security controls. Many legacy devices were designed with functionality as the priority, not security, making them attractive targets for attackers.
One of the most overlooked risks is the lack of centralized visibility into hospital IoMT ecosystems. Many organizations lack an inventory of all connected devices, leaving them unaware of potential vulnerabilities. Attackers know this and exploit it, using IoMT devices as entry points for broader network compromises. In 2023, we saw ransomware groups leveraging unsecured infusion pumps and patient monitoring devices to pivot into hospital networks, causing widespread system outages.
Healthcare organizations must prioritize network segmentation, enforce strict access controls, and implement real-time anomaly detection to identify malicious activity before it leads to operational disruptions. It is also critical to push medical device manufacturers to adopt secure-by-design principles, ensuring that new devices have built-in security features such as encrypted communication, automatic updates, and multifactor authentication. The industry must shift from a reactive approach to proactively securing medical IoMT devices as part of patient safety initiatives.
HIPAA Security Rule Updates in Healthcare: Modernizing Compliance Requirements
As cyber threats mount, regulators strengthen the rules safeguarding health data. The HIPAA Security Rule, which sets standards for protecting electronic protected health information (ePHI), is undergoing significant updates for the first time in over a decade. HHS's Office for Civil Rights (OCR) issued a proposed rule in late 2024 to upgrade the HIPAA Security Rule and better defend the healthcare system against emerging cyber threats (OCR, 2024). OCR Director Melanie Fontes Rainer noted that the changes aim to address 'current and future cybersecurity threats' by requiring healthcare entities to update their safeguards to 'reflect advances in technology and cybersecurity' (OCR, 2024).

The modernization of the HIPAA Security Rule is long overdue. The current framework, established more than a decade ago, was built for a pre-ransomware, pre-cloud, and pre-IoMT healthcare system. Today, we operate in an environment where cybercriminals specifically target electronic protected health information (ePHI) due to its high black-market value. A single compromised medical record can fetch more than a stolen credit card number because of its richness in personally identifiable information (PII) and insurance details.
The proposed HIPAA updates emphasize proactive risk management, annual security audits, and enhanced reporting mechanisms. These are necessary changes, but the biggest challenge will be implementation, especially for smaller healthcare organizations that lack the resources of large hospital systems. Many regional clinics and private practices still struggle with basic security hygiene, such as regular patching and enforcing multifactor authentication.
To bridge this gap, we need incentives and financial support for smaller providers to comply, perhaps through federal grants or reimbursement programs for cybersecurity investments. HIPAA modernization should also encourage alignment with NIST frameworks to provide clear, actionable guidance for compliance. Finally, business associates and third-party vendors must be held to the same security standards as covered entities. A significant percentage of breaches occur due to vulnerabilities in third-party services, and without stricter oversight, attackers will continue to exploit these weak links.
Evolving Governance Landscape in Healthcare Cybersecurity
Cybersecurity governance in healthcare is growing more complex and comprehensive as stakeholders at every level respond to escalating threats. Federal regulations remain the cornerstone – beyond HIPAA, which governs health data privacy and security, other federal initiatives are influencing healthcare cybersecurity in 2025. The Food and Drug Administration (FDA) now plays a pivotal role in securing medical devices, thanks to new authorities granted by Congress. Since 2023, the FDA has required that any 'cyber device' (a medical device with software or connectivity) include a robust cybersecurity plan in its premarket submission (FDA, 2024).
Cybersecurity governance in healthcare is evolving but still lags behind other critical infrastructure sectors. Unlike finance or energy, which have heavily regulated cyber standards enforced by federal agencies, healthcare has long relied on self-regulation and fragmented oversight. While HIPAA and FDA regulations provide a baseline, they do not go far enough in mandating real-time risk assessments, incident response exercises, or cross-sector collaboration.
One of the most pressing governance challenges is the lack of cybersecurity accountability at the executive level. Many healthcare boards still view cybersecurity as an IT issue rather than a patient safety concern. This must change. We need CISOs and cybersecurity leadership embedded at the highest levels of decision-making, with direct reporting lines to CEOs and Board Risk Committees.
Additionally, healthcare organizations must invest in cyber resilience, not just compliance. Too often, we see providers doing the bare minimum to meet regulatory requirements without considering how prepared they are for real-world cyber incidents. Governance should emphasize continuous improvement, red teaming exercises, and zero-trust architectures to prevent and respond to attacks effectively.
The federal government's increased involvement through CISA's cybersecurity performance goals and the FDA's cybersecurity mandates for medical devices is a step in the right direction. However, enforcement must be consistent and rigorous, with clear penalties for noncompliance. Ultimately, healthcare cybersecurity governance should be as stringent as clinical safety standards, ensuring that protecting patient data is treated with the same urgency as preventing medical errors.
Cyber threats will continue to test the resilience of America’s healthcare system. Still, the combination of stronger device security, updated regulations, and smarter governance provides a fighting chance to stay ahead of attackers. By securing IoMT devices, complying with modernized HIPAA rules, and embracing best practices, healthcare organizations can better safeguard patient data and ensure that malicious actors do not disrupt lifesaving care.
At Echelon Risk + Cyber, we partner with healthcare organizations to enhance their cybersecurity posture through tailored assessments, strategic advisory, and cutting-edge security solutions. Our experts help healthcare providers build resilience against emerging threats while maintaining compliance with evolving regulations. Learn more about how we support the healthcare industry here.
RESOURCES
- Federal Bureau of Investigation. (2024). Cyber threats to medical devices. https://www.fbi.gov
- Health and Human Services. (2024). Healthcare cyberattack trends and prevention. https://www.hhs.gov
- Office for Civil Rights. (2024). Proposed modifications to the HIPAA Security Rule. https://www.hhs.gov/ocr
- Food and Drug Administration. (2024). Cybersecurity requirements for medical devices. https://www.fda.gov
- Riggi, J. (2024). Congressional testimony on healthcare cybersecurity. https://www.aha.org