New Year’s Resolutions: Prioritizing Cybersecurity Preparedness in the Healthcare and Life Sciences Sector
The year 2024 marked a record year of cyber incidents in the healthcare space.[1] Threat actors continue to target a data-rich environment and are growing increasingly aggressive, with little to no regard for how their actions affect patient safety and lives.
In FTI Consulting’s 2025 U.S. Healthcare and Life Sciences Industry Outlook survey, industry leaders, in line with last year’s results, reported an awareness of the challenges and reputational risks posed by cyber incidents.
Similar to last year’s survey, leaders identified cyber incidents/attacks as the second-highest risk facing the industry.[2] Notably, leaders ranked cyber incidents/attacks as a greater threat than the uncertain political environment. This prioritization, especially considering that 2024 was a presidential election year, underscores a clear recognition of the profound impact cyber incidents can have on the industry.
The survey concluded that leaders feel their organization is particularly vulnerable to malware and ransomware (59%, up 5% from last year), incidents that involve privacy violations (54%, up 5% from last year), and phishing (46%, up 5% from last year).[3] The survey also found that the industry is aware of the wide range of impacts of cyber incidents. According to respondents, the three biggest risks that a cyber attack or incident poses to the industry are data access/exposure (61% of respondents), impacts to patient care (52% of respondents), and financial costs (48% of respondents).
With cybersecurity risks escalating and incident rates increasing, healthcare and life sciences organizations should embrace the following New Year’s resolutions to bolster their cybersecurity readiness in 2025.
Resolution #1: Refresh Incident Response and Crisis Communications Plans for Cyber Incidents
As threat actors grow increasingly aggressive, it is crucial that organizations have a cybersecurity and data privacy crisis plan in place. By responding promptly and in an organized fashion, you can protect patient safety, ensure continued access to care, keep key stakeholders appropriately informed, and limit reputational and legal risk. According to the U.S. Department of Health and Human Services’ (HHS) Healthcare System Cybersecurity Readiness & Response Considerations, proper communication directly affects a hospital’s ability to recover from a cyber incident.[4] Developing a crisis management plan that clearly captures the roles and responsibilities in the response process – including IT teams, your leadership team, and your communications team – is essential.
Resolution #2: Prepare for Extended Downtime
For healthcare providers experiencing ransomware attacks, ongoing downtime is a common outcome; the length of that downtime can create additional strain on staff, continuity of care, and organizations’ bottom lines. According to a report by Comparitech.com, U.S. healthcare organizations lose an average of $1.9 million per day during a ransomware attack, amounting to a staggering $21.9 billion in total annual losses across the industry.[5]
An essential component of preparedness is providing staff and leadership with comprehensive training on extended downtime procedures. Ensuring your team is equipped to deliver safe, high-quality care during system outages that could last several weeks is critical to maintaining patient safety. This training, combined with access to the necessary resources during network disruptions, forms a vital safeguard. Investing in robust training and resource planning can help mitigate these escalating costs while ensuring operational resilience in the face of cyber threats.
Resolution #3: Stay Informed About the Evolving Threat Landscape
We know threat actors are continuing to become more aggressive and sophisticated in their cybersecurity attacks on the healthcare sector. From major supply chain attacks with breaches impacting millions of individuals, to ransomware threat actor groups finding new ways to extort victims, the threat landscape continues to intensify for the sector. It is critical for healthcare organizations to stay informed on the lessons learned from these incidents, keep abreast of how different threat actor groups operate, and ensure staff receive the training needed to strengthen defenses and prevent future attacks.
Resolution #4: Prepare for Proposed HIPAA Security Rule
In December, the U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), issued a proposed rule that would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to better protect the healthcare system from cyber attacks, given the recent increase in incident rates.[6] Specifically, the rule would require health plans, healthcare clearinghouses, and most healthcare providers and their business associates to strengthen their protection of individuals’ electronic protected health information.[7] It is important that leaders in the healthcare space understand how this rule can affect them and their organization and discuss any policies and protocols needed to ensure compliance.
Resolution #5: Monitor Regulations Affecting AI and Protecting Patient Data
The American Privacy Rights Act of 2024 is a bipartisan bill introduced in April 2024, aimed at establishing a national framework for data privacy and security.[8] If enacted, the bill would have significant implications for the healthcare sector, particularly in protecting health-related data, regulating AI in healthcare, and empowering patients with greater control over their health information. Notably, the Act defines “sensitive covered data” to include health information for children under 17, providing additional protections for this demographic.[9] While progress on the Act has been limited so far, it remains a critical development that healthcare leaders should closely monitor.
With 2025 projected to be a crucial year for cybersecurity in the healthcare and life sciences industry, now is the optimal time to invest in preparedness measures. Learn more about how we can help and contact our experts for an assessment to fortify your cyber crisis response plan.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2025 FTI Consulting, Inc.
All rights reserved. fticonsulting.com
References
[1] “Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.” U.S. Department of Health and Human Services Office for Civil Rights, (January 27, 2025) ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[2] Robert Stanislaro, Lauren Crawford Shaver, Jim Polson, James Condon, Jamie Singer, Ben Herskowitz, Helen O’Gorman, Cady Hoffman and Ronelle Green, “The Bounce Back: Unlocking the Healthcare and Life Science Industry’s Potential in a Time of Change,” FTI Consulting, Inc. (December 18, 2024), https://fticommunications.com/2024-healthcare-life-sciences-industry-outlook-biopharma-at-crossroads/
[3] Id.
[4] “Healthcare System Cybersecurity Readiness & Response Considerations,” U.S. Department of Health and Human Services (October 2022), https://files.asprtracie.hhs.gov/documents/aspr-tracie-healthcare-system-cybersercurity-readiness-response.pdf
[5] Paul Bischoff, “On average, US healthcare organizations lose $1.9 million per day to downtime from ransomware attacks,” Comparitech.com (December 18, 2024), https://www.comparitech.com/news/ransomware-attacks-hospitals-data/
[6] “HIPAA Security Rule NPRM,” HHS.gov (December 27, 2024), www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html
[7] Id.
[8] “The American Privacy Rights Act,” Congressional Research Service (May 31, 2024), https://crsreports.congress.gov/product/pdf/LSB/LSB11161
[9] Id.