Healthcare Cybersecurity 101: HIPAA, Ransomware, and Protecting Patient Data

Healthcare organizations are the most targeted sector for ransomware. The 2024 HIPAA Security Rule updates are raising the compliance bar. And in 2028, Los Angeles hosts the Olympics — a scenario that demands health systems be fully operational, not in recovery mode.

Miguel Martinez, CTO — Tec-Refresh 2026 Healthcare World Stage Series

When Identity Infrastructure Fails, Patient Care Fails

When a hospital's electronic health record system goes offline, the consequences are not measured in data — they are measured in care.

Delayed surgeries. Diverted ambulances. Nurses reverting to paper charting. Physicians making decisions without access to patient history, medication records, or lab results. These are not hypothetical scenarios. They are documented outcomes of ransomware attacks on healthcare organizations, and they are happening with increasing frequency.

The 2024 Change Healthcare attack exposed more than 110 million patient records and disrupted prescription processing and claims adjudication across the United States for months — making it the largest healthcare data breach in U.S. history.

The Scale of the Threat

The Change Healthcare attack — attributed to the ALPHV/BlackCat ransomware group — was not an outlier. HHS reported 249 healthcare data breaches in the first half of 2024 alone. The average hospital experiences 21 days of downtime following a ransomware attack. The average cost of a healthcare data breach exceeded $10 million in 2024, the highest of any industry for the 14th consecutive year.

The attack vector in the majority of these incidents is the same: compromised credentials, lateral movement through identity infrastructure, and eventual access to clinical or operational systems.
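The credential-compromise-then-lateral-movement pattern described above leaves a recognizable trace in ordinary Windows security telemetry: one account authenticating by network or remote-desktop logon to many distinct hosts in a short span. The Python below is an added example for this article, not code from the original page or from Tec-Refresh. It parses a constructed set of successful-logon (Event ID 4624) records, flags any account that reaches five or more distinct hosts within fifteen minutes via network (type 3) or RemoteInteractive (type 10) logons, and honours an allowlist for service accounts that legitimately fan out. The pipe-delimited record layout, the thresholds, and every host and account name are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows 4624 logon types that indicate a remote authentication to a host:
# 3 = Network (SMB, WinRM, DCOM), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = frozenset({3, 10})


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    dest_host: str
    logon_type: int


# Constructed sample telemetry (not real records). Layout is an assumption:
# timestamp|event_id|account|destination_host|logon_type
SAMPLE_LOG = """\
2024-02-21T01:58:00Z|4625|it-admin2|WS-114|10
2024-02-21T02:00:10Z|4624|it-admin2|WS-114|10
2024-02-21T02:03:40Z|4624|it-admin2|FS-02|3
2024-02-21T02:04:15Z|4624|it-admin2|EHR-APP-01|3
2024-02-21T02:05:02Z|4624|it-admin2|PACS-01|3
2024-02-21T02:06:48Z|4624|it-admin2|BILLING-DB|3
2024-02-21T02:08:30Z|4624|it-admin2|DC-01|3
2024-02-21T03:00:00Z|4624|svc-backup|FS-02|3
2024-02-21T03:01:00Z|4624|svc-backup|EHR-APP-01|3
2024-02-21T03:02:00Z|4624|svc-backup|PACS-01|3
2024-02-21T03:03:00Z|4624|svc-backup|BILLING-DB|3
2024-02-21T03:04:00Z|4624|svc-backup|DC-01|3
2024-02-21T07:00:00Z|4624|jdoe|WS-221|2
2024-02-21T07:12:00Z|4624|rsmith|EHR-APP-01|3
2024-02-21T08:40:00Z|4624|rsmith|FS-02|3
2024-02-21T09:55:00Z|4624|rsmith|PRINT-01|3
"""


def parse_logons(text: str) -> list[LogonEvent]:
    """Parse the constructed record format, keeping only successful logons (4624)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, host, logon_type = line.split("|")
        if event_id != "4624":
            continue  # failed logons (4625) are a different signal; skipped here
        events.append(LogonEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 user, host, int(logon_type)))
    return events


def detect_lateral_movement(events, window=timedelta(minutes=15),
                            host_threshold=5, allowlist=frozenset()):
    """Return {account: sorted distinct hosts} for accounts whose remote logons
    reach `host_threshold` or more distinct hosts inside any `window`-long span."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.user in allowlist or e.logon_type not in REMOTE_LOGON_TYPES:
            continue
        by_user[e.user].append(e)

    alerts = {}
    for user, evs in by_user.items():
        best: set[str] = set()
        start = 0
        # Sliding window over this account's time-ordered remote logons.
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:
                start += 1
            hosts = {x.dest_host for x in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= host_threshold:
            alerts[user] = sorted(best)
    return alerts


def run_sample():
    """Run the detector over the constructed records with the backup account allowlisted."""
    return detect_lateral_movement(parse_logons(SAMPLE_LOG),
                                   allowlist=frozenset({"svc-backup"}))


if __name__ == "__main__":
    for account, hosts in run_sample().items():
        print(f"ALERT {account}: remote logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

The thresholds are deliberately conservative and must be tuned per environment: backup, monitoring and vulnerability-scanning accounts fan out by design, so the allowlist (or a learned per-account baseline) is what keeps this from paging on every nightly job. The interactive console logon for the nurse account (type 2) is ignored on purpose, since sitting at a workstation is not movement between hosts.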

Why Active Directory Is the Highest-Risk Asset in Healthcare

Healthcare organizations are complex identity environments. The average healthcare employee has five to seven digital identities across EHR platforms, PACS systems, billing platforms, scheduling systems, and operational tools. Nearly all of them are ultimately managed through Active Directory.

AD is the single most critical asset in a healthcare IT environment — and the single most targeted. Attackers who gain privileged access to AD can access EHR systems, billing platforms, and administrative infrastructure simultaneously. A single compromise can take down an entire health system.

The Change Healthcare breach began with compromised credentials used to access a Citrix portal that lacked multi-factor authentication. That initial access led to domain-level compromise and ultimately to the ransomware deployment that halted operations.

What HIPAA Actually Requires — and Where the 2024 Updates Raise the Bar

HIPAA's Security Rule has required covered entities to conduct security risk assessments and implement safeguards for electronic protected health information (ePHI) since 2005. Many organizations treat this as a checkbox exercise — an annual risk assessment that produces a report and changes very little operationally.

HHS enforcement actions signal that this approach is no longer sufficient. The proposed 2024 HIPAA Security Rule updates add prescriptive technical requirements that map directly to identity security controls.

Business associates — vendors and partners who handle ePHI on behalf of covered entities — share liability for breaches. If your organization provides services to healthcare organizations and handles patient data, HIPAA obligations apply to you as well.

The 2028 Olympics Factor

The Los Angeles 2028 Olympics will create mass-casualty surge scenarios that regional healthcare systems must be prepared for at scale. A cyber incident that takes a regional health system offline during the Olympics is not just a data breach — it is a public health emergency with international visibility.

Preparation for that scenario needs to begin years in advance. The identity security posture of California health systems today is the foundation for their operational resilience in 2028.

The Path Forward

The common thread across HIPAA compliance, ransomware resilience, and operational continuity is identity infrastructure. The controls that HIPAA's 2024 updates require — MFA, access management, privilege controls, network segmentation — are fundamentally Active Directory security controls.

Organizations with mature AD security have a meaningful head start on compliance. Organizations with gaps have a clear, actionable roadmap available to them — starting with understanding exactly where they stand today.

Get a Clear Picture of Where You Stand

The Preparedness & Identity Resilience Assessment from Tec-Refresh evaluates your identity infrastructure, maps your NIST CSF 2.0 alignment, and delivers a prioritized remediation roadmap. No obligation — and spots for California healthcare organizations are available now.
