How Economic Stress Can Expand the Attack Surface in Healthcare

By Jim Ford, CEO of PatientLock and Ryan Sanders, Chief Information Security Officer

PatientLock Blog

I was in Chicago on Monday, September 15, 2008 the day Lehman Brothers collapsed, and the financial system went into freefall. I was representing Cerner, meeting with a hospital about upgrading its lab information system. Before I even walked through the door, the CIO called and said, “All expenditures are frozen. We’re done.” I flew home that evening.

It wasn’t just that moment falling apart — it was a seismic shift. Hospitals across the country froze budgets, delayed capital projects, and cut back on IT investments. According to an American Hospital Association Rapid Response Survey, by early 2009 nearly one-third of hospitals had scaled back or canceled IT projects due to financial strain. That likely included cybersecurity—which, at the time, was still viewed as a subset of IT, not the operational imperative it is today.

The COVID-19 pandemic exposed the same pattern in sharper focus. Hospitals again faced a global crisis, operational overload, and a dramatic spike in cyberattacks targeting overstretched systems. Ransomware surged. Phishing campaigns skyrocketed. And overnight, telehealth and remote work expanded the digital perimeter beyond anything most IT departments had planned for.

Fortunately, the tide turned quickly in 2009. The HITECH Act injected billions into health IT, making breach reporting mandatory and accelerating EHR adoption. It also triggered a pivotal shift: cybersecurity was no longer just an IT function—it became a patient safety and compliance issue.

Even back then, I knew that when healthcare cuts technology and security under financial pressure, the consequences don’t stay financial for long—they become operational, reputational, and in some cases, life-threatening.

Now in 2025, we’re watching the same pattern unfold again. But this time, the stakes are higher, and the pressure is coming from all sides.

Economic Pressure Is Driving Up Cyber Risk

Inflation, labor shortages, reimbursement cuts, and global volatility are squeezing healthcare systems in every direction. And while patient care remains the priority, cybersecurity is often the first thing deferred.

This isn’t speculation. It’s happening now.

  • The 2024 HIPAA Journal Breach Report showed a 63.5% increase in individuals affected by healthcare breaches—over 275 million records, despite a slight drop in the number of breach incidents.

  • The 2025 HIPAA Journal Breach Report showed that in January 2025, healthcare reported 66 large breaches, impacting over 2.7 million individuals.

  • In February 2025, large breaches dropped to 46 but still exposed 1.2 million records—down from 5 million in February 2024, but more targeted and damaging.

Fewer breaches don't mean safer conditions. They mean attackers are getting more efficient and better at exploiting the exact gaps that economic stress tends to create.

Smaller Healthcare Organizations Are Being Hit the Hardest

Threat actors are shifting focus to smaller and mid-sized providers. Why? Because they’re easier targets—less likely to have strong access controls, segmented networks, MDR, or 24/7 incident coverage.

  • In 2024, 92% of healthcare organizations reported experiencing a cyberattack (Becker’s Health IT).

  • Sector-wide attacks increased 32% year-over-year, with disproportionate impacts on outpatient facilities.

  • The HIPAA Journal continues to report breach after breach among dental offices, rural clinics, and specialty practices.

“Cybercriminals don’t discriminate based on size—they look for weak links. IT resources supporting smaller healthcare organizations are often overworked, under-resourced, and completely exposed.”
Ryan Sanders, CISO, PatientLock

This isn’t a future risk. It’s already here.

How Financial Pressure Expands the Attack Surface

1. Deferred Investments Become Open Doors

Organizations under economic stress tend to delay:

  • Software and infrastructure upgrades

  • Security tool renewals (MDR, EDR/XDR, SIEM)

  • External risk assessments

  • Staff training and phishing simulations

These are the exact areas attackers exploit. One missed patch, one expired certificate, one open port on a Friday night—and suddenly you’re offline and in breach.

“Healthcare providers may reduce IT investments during economic downturns, increasing vulnerability to cyber threats.”
Bipartisan Policy Center

2. Confusion Becomes an Attack Vector

Economic stress doesn’t just shrink budgets—it creates confusion:

  • New vendors onboarded hastily

  • High staff turnover and missed training

  • Delayed billing and expired contracts

  • Unsegmented systems spun up without access controls

During COVID-19, Google's Threat Analysis Group reported 18 million malware and phishing emails per day. It is the same playbook, now disguised as billing issues, HR updates, or vendor portals.

3. The Cost of Downtime Keeps Climbing

According to a 2024 Claroty report:

  • 50% of healthcare orgs had cyber losses over $500K

  • 25% saw losses over $1M

  • 78% of ransomware demands exceeded $500K

These aren’t theoretical. They include lost revenue, emergency response, legal costs, and insurance headaches.

HIPAA, Insurers, and Auditors Are Raising the Bar

HIPAA 2025: Security Rule Overhaul (Proposed Dec 2024)

In December 2024, HHS proposed significant revisions to the HIPAA Security Rule through the issuance of a Notice of Proposed Rulemaking (NPRM)—its first major overhaul in more than a decade. These updates are designed to reflect today’s threats, but also the failures of the past few years.

  • Ongoing risk analysis — no more “annual” SRA checkboxes
    §164.308(a)(1)(ii)(A–B)

  • Cybersecurity training — trackable, relevant, and frequent
    §164.308(a)(5)

  • Tested contingency plans — backups must be proven secure and restorable
    §164.308(a)(7)

  • Access control and audit logging — prove who did what, when
    §164.312

  • Automated vulnerability scans and penetration testing — every 6 months, minimum

CMS Is Watching Too: MIPS and Promoting Interoperability

Cybersecurity isn’t just a HIPAA compliance issue—it’s directly tied to reimbursement under the CMS Merit-based Incentive Payment System (MIPS).

Providers participating in MIPS must attest to meeting the Protect Patient Health Information objective within the Promoting Interoperability category. That includes having a Security Risk Analysis (SRA) conducted or reviewed in accordance with the HIPAA Security Rule, 45 CFR §164.308(a)(1).

While CMS allows self-assessments, they must be thorough, current, and well-documented. Incomplete or insufficient SRAs are a leading reason providers fail Promoting Interoperability audits.

What you need to show:

  • A current, HIPAA-compliant SRA.

  • Secure transmission of ePHI via certified EHR technology.

  • Active patching, access control, and endpoint security practices.

Using a third party isn’t mandatory—but it’s increasingly considered a best practice. It adds credibility, objectivity, and helps ensure your documentation holds up under review.

What Your Organization Should Do Right Now

1. Get an External HIPAA-Compliant SRA
Insurers and auditors are looking for third-party documentation, not internal declarations.

2. Map to the NIST Cybersecurity Framework (CSF)
Insurers increasingly benchmark risk using NIST CSF alignment. If you're not mapped to it, you're missing the reference point.

3. Operationalize Your Controls
MFA, EDR, patching, offline backups, log retention—every one of these should be in place, tested, and monitored.

4. Train Staff with Real-World Scenarios
Social engineering is still the most common entry point. Training is your cheapest and most effective defense.

5. Document Everything
If you can’t show it, it didn’t happen. Every control, backup, policy, and training record should be audit ready.
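The "tested contingency plans" requirement above says backups must be proven restorable, and steps 3 and 5 ask that controls be tested and that the evidence be audit ready. The script below is an added example, not PatientLock's code or any product's feature: it builds a small backup archive from constructed sample files, restores it into a scratch directory while refusing any archive entry that would land outside that directory, verifies each restored file against SHA-256 hashes recorded at backup time, and returns a JSON-serialisable evidence record that can be filed with the SRA. The file names, contents and the `corrupt_path` knob (used only to exercise the failure branch) are hypothetical.

```python
"""Backup restore test that produces an audit-ready evidence record.

Added example (not PatientLock's code). Builds a constructed sample
backup, restores it, verifies every restored file against SHA-256
hashes recorded at backup time, and returns an evidence record.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-in for the files a nightly backup job would capture.
SAMPLE_FILES = {
    "ehr/patients.db": b"CONSTRUCTED-PATIENT-DB-CONTENT\n" * 64,
    "config/app.yaml": b"db_host: ehr-db.internal\nlog_retention_days: 365\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict, archive: Path) -> dict:
    """Write files into a tar.gz and return a {relative_path: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for rel_path, data in files.items():
            info = tarfile.TarInfo(name=rel_path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[rel_path] = sha256_bytes(data)
    return manifest


def restore_backup(archive: Path, restore_root: Path) -> None:
    """Extract regular files only, refusing any member that would resolve
    outside restore_root (a tampered archive could carry '../' entries)."""
    root = restore_root.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (root / member.name).resolve()
            target.relative_to(root)  # raises ValueError if outside root
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:
                target.write_bytes(src.read())


def verify_restore(manifest: dict, restore_root: Path) -> list:
    """Return the relative paths whose restored content is missing or differs."""
    mismatches = []
    for rel_path, expected in manifest.items():
        restored = restore_root / rel_path
        if not restored.is_file() or sha256_bytes(restored.read_bytes()) != expected:
            mismatches.append(rel_path)
    return mismatches


def run_restore_test(files: dict = SAMPLE_FILES, corrupt_path=None) -> dict:
    """Back up, restore, verify, and return an evidence record.

    corrupt_path is a hypothetical demonstration knob: it overwrites one
    restored file so the FAIL branch can be exercised.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        archive = work / "backup.tar.gz"
        restore_root = work / "restore"
        manifest = make_backup(files, archive)
        restore_backup(archive, restore_root)
        if corrupt_path:
            (restore_root / corrupt_path).write_bytes(b"bit rot or tampering")
        mismatches = verify_restore(manifest, restore_root)
        return {
            "control": "HIPAA contingency plan - backup restore test",
            "tested_at": datetime.now(timezone.utc).isoformat(),
            "archive_sha256": sha256_bytes(archive.read_bytes()),
            "files_in_backup": len(manifest),
            "files_verified": len(manifest) - len(mismatches),
            "mismatches": mismatches,
            "result": "PASS" if not mismatches else "FAIL",
        }


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Run it on a schedule against a real archive and keep each record: the timestamp, archive hash and per-file result are exactly the "who did what, when" an auditor asks for, and a FAIL record is evidence that the control was tested rather than merely declared.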

Final Thoughts

We’ve been here before. Healthcare always finds a way forward—but the path will get narrower for organizations that fail to protect themselves and their patients.

Cybersecurity can no longer be deferred, siloed, or minimized. It needs to be baked into operations the same way infection control or clinical documentation is: constant, supported, and absolutely non-negotiable.

Organizations that act now won’t just stay compliant—they’ll stay operational when others can’t.