As the healthcare industry continues to grapple with evolving cyber threats, Fortified Health Security remains at the forefront of understanding these risks and identifying proactive solutions. In this discussion, Fortified Health Security CEO, Dan L. Dodson and Fortified CISO, Russell Teague analyze the 2025 Horizon Report healthcare cybersecurity predictions –– First with how our 2024 cybersecurity predictions played out and what’s in store in 2025. From AI-driven attacks to cybersecurity insurance and the increasing role of third-party security risks, they explore the challenges and opportunities shaping the healthcare industry’s cybersecurity landscape.
How We Did: Our 2024 Cybersecurity Predictions
Dan: Russell, as you know, we released our 2025 report, and you played a big role in shaping it. We’re excited to bring these insights to the market. Two things I want to dive into: first, our 2024 predictions—how did we do? Then, let’s talk about what’s ahead.
Increase in AI-Driven Attacks
Dan: To start, one of our key predictions for 2024 was an increase in AI-driven attacks. From my perspective, that certainly happened. How do you see it?
Russell: Absolutely, Dan. We’ve seen a rise in AI-driven threats, with advanced threat actors leveraging AI for more sophisticated attacks. AI is even embedded in malware and ransomware, allowing these threats to evolve dynamically. We’re also seeing AI voice cloning used in fraud campaigns targeting help desks and even doctors. It’s clear this trend is accelerating, and I expect AI-driven attacks to continue expanding in 2025.
Stronger Cybersecurity Regulations and Legislation
Dan: Another prediction we made was stronger cybersecurity regulations and legislation. 2024 saw a lot of movement in this space. How do you think we did on that call?
Russell: This is an area that’s moving quickly. HHS and the OCR have ramped up regulatory efforts, and we’ve seen significant legislative activity. The big question is how these initiatives will play out with the new administration, but I don’t expect major delays. Healthcare remains a prime target for cybercriminals, and stronger regulatory measures are inevitable. Proposed changes to HIPAA and security rules are already in progress, so we’ll likely see even more movement in 2025.
Dan: Agreed. We also saw a lot of action at the state level. Balancing federal and state regulations will be a major challenge next year.
Russell: Absolutely. New York is leading the charge, and historically, when states like New York, Massachusetts, or New Hampshire move, others follow quickly. We’re also seeing activity in Texas, Minnesota, and Massachusetts, so expect a wave of state-level regulatory shifts in 2025.
Dan: Sounds like you’re mapping the regulatory landscape like an electoral map! 2025 will be a pivotal year in this space.
Growth of Telemedicine
Dan: Another prediction we made was the continued evolution of telemedicine and its impact on cybersecurity. While remote care cases have declined post-COVID, new trends—like the rise of telehealth prescriptions—are shifting the landscape. How do you see the cybersecurity challenges here?
Russell: The explosion of telehealth for prescriptions, particularly with medications like Ozempic, has opened new attack surfaces. We’re also seeing more AI-driven interactions and generative models being integrated into care. Smaller entities are expanding telehealth access, broadening the attack surface significantly. Threat actors will follow, targeting these new entry points. This is just the beginning.
Dan: Right, and the interoperability of data exchange is another concern. Many think of healthcare IT in terms of EHRs, but hospitals run hundreds—if not thousands—of applications on top of those systems. That creates enormous data sprawl and attack opportunities, especially as we add more connected devices.
Russell: Exactly. As we integrate more bedside monitors, wearables, and home-based devices, security perimeters will shift. Many of these devices connect via unsecured home networks, introducing additional risks. The entire security model needs to evolve.
Third-party Incidents Targeting Supply Chains
Dan: That leads us to another accurate prediction—the increase in third-party cybersecurity risks. We saw a 45% increase in breaches reported to OCR that involved a third party in 2024. The Change Healthcare breach was a wake-up call. Many organizations didn’t even realize Change Healthcare was embedded in their services. That level of dependency on third parties makes this an ongoing issue.
Healthcare Cybersecurity Predictions for 2025
Increased Outsourcing of Healthcare Cybersecurity
Dan: Let’s pivot and talk about 2025. One of our big forecasts is the continued outsourcing of healthcare cybersecurity. I see this trend growing as organizations look to focus on core patient care. What’s your take?
Russell: Financial and talent shortages in healthcare are driving this trend. When hospitals are financially constrained, it’s hard to attract top-tier cybersecurity talent. We’re seeing more discussions about outsourcing key cybersecurity functions, and we expect that to accelerate in 2025. It’s not about outsourcing everything—many organizations are adopting hybrid models where they retain strategic control but leverage partners for specialized services.
Dan: Agreed. Historically, healthcare outsourcing followed large, multi-service agreements, but we’re seeing a shift toward more targeted, expertise-driven outsourcing. CIOs and CTOs are focusing on best-of-breed partners rather than one-size-fits-all solutions.
Adoption of Zero-Trust Architectures (ZTA)
Dan: Another major focus for 2025 is Zero Trust Architecture (ZTA). It’s a buzzword, but will we see meaningful adoption?
Russell: Zero Trust is the ideal, but achieving full implementation in 2025 is unlikely. Instead, I see organizations focusing on foundational elements like network segmentation, multi-factor authentication, and enhanced identity management. These are necessary steps toward a Zero Trust framework, even if full adoption is years away.
Challenges for Prioritized Security of Internet of Medical Things (IoMT)
Dan: Another big issue in 2025 is securing the Internet of Medical Things (IoMT). Regulatory efforts are starting to push device manufacturers toward greater accountability, but legacy devices remain a challenge. How do we secure them while maintaining patient care?
Russell: This is a big issue. Medical device manufacturers are being held to higher security standards, but hospitals still rely on legacy equipment. Replacing it isn’t always feasible, so we need strategies like network segmentation and compensating controls to secure these older devices. I expect 2025 to bring a stronger focus on holding manufacturers accountable while also addressing real-world hospital constraints.
Rise in Cybersecurity Insurance Premiums
Dan: Finally, cybersecurity insurance premiums. We predict an increase in 2025, but some argue rates are stabilizing. What’s your perspective?
Russell: Premiums will rise for many because the financial impact of breaches is growing. While overall breach numbers dipped slightly in 2024, the scale and severity of attacks increased. Insurers are becoming more rigorous, adjusting risk profiles based on attack trends. Organizations that proactively manage cybersecurity may see some premium relief, but for most, rising risks will lead to higher costs.
Dan: Agreed. Organizations need to stay proactive to keep premiums in check. Well, Russell, I appreciate the discussion.
Fortified Health Security remains committed to providing actionable insights to help organizations stay ahead. For a deeper dive into these 2025 healthcare cybersecurity predictions, download our full 2025 Horizon Report.
