2025 Cybersecurity Year in Review, Part Two: Mitigating Third-Party Risk, Ensuring Clinical Continuity and Addressing AI Risk
In part one of this blog, we reviewed the number of cyberattacks the health care field endured this year compared to last; provided an overview of the lessons learned from these attacks; and outlined the defensive measures every hospital or health system should take against cyberattacks, beginning with understanding your risk environment.
Looking back at 2025’s health care cybersecurity landscape, we've made three observations.
1. Third-party Cyber Risk Continues to Increase
We’ve seen from Change Healthcare and other recent cyberattacks that over 80% of the stolen protected health information records were not stolen from hospitals — they were stolen from third-party vendors, business associates, and nonhospital providers and health plans like the Centers for Medicare & Medicaid Services.
Hospitals depend on third-party providers for services, technology and supply chain to deliver critical, life-saving functions and business functions that support clinical care — so when third parties get hit, so do hospitals and their patients, even though the hospital was not the direct target. In cases of third-party provider ransomware attacks, like Change Healthcare, there is often a cascading disruptive effect that extends to all of the customers of the victim of the attack. We call that the “ransomware blast radius,” and hospitals need to understand these secondary effects. They should prepare downtime procedures to account for a loss of mission-critical and life-critical third-party services, technology and supply chain — for 30 days or longer.
This risk continues to grow because of hospitals’ dependence on interconnected digital systems and cybercriminals' highly effective "hub-and-spoke" strategy. By gaining access to the hub (a third party’s technology), they gain access to all the spokes — the health care organizations that are the customers of the third party. This provides malicious actors with a digital pathway to infecting multiple covered entities with malware or ransomware, or to extracting their data. Learn more about third-party risk and ways to strengthen your risk management program in this AHA Cyber Intel blog.
2. Business Continuity versus Clinical Continuity: Understanding the Difference and Preparing for the Worst
In 2025 and the years preceding, we have become acutely aware of the need to reassess how hospitals and health systems define and implement downtime procedures to account for a loss of internal and third-party technology and data. Often, when preparing downtime procedures, we also refer to “business continuity” in health care. It is true that at its core, hospitals’ business is indeed health care. Over time, however, we have seen that hospital leadership and staff tend to interpret the concept of business continuity as more of an IT function and responsibility than a clinical function and responsibility. The impact of ongoing ransomware against health care demonstrates that it must be both a clinical function and an IT function.
These questions must be asked of every clinical, business and operational function:
- What are our dependencies on network and internet-connected technology and data, and what is the impact if we lose access to our networks and the internet?
- How will we continue to provide safe and quality care without network and internet-dependent services, technology or supply chain for 30 days or longer? For example, what is the impact and plan to diagnose a stroke patient while the Picture Archiving and Communication System is down? How do we deliver time-sensitive, lifesaving radiation oncology treatments when linear accelerators are offline for 30 days or longer?
These are questions that clinical teams are best positioned to answer, not the IT teams. We need to understand and prepare for not just business continuity but also clinical continuity.
To evaluate your hospital’s readiness to maintain critical clinical and operational functions during a cyberattack and gain practical recommendations, consider requesting the AHA Clinical Continuity Assessment conducted by our cybersecurity and risk team.
3. AI as Both a Cyber Tool and a Weapon
We’re very optimistic about the potential uses of artificial intelligence (AI) in health care. It can improve care delivery and patient outcomes, relieve administrative burden so clinicians have more time to focus on their patients, and streamline revenue cycle and other back-office operations.
Health care organizations are also implementing AI to defend against cyberattacks. For example, they can use it to find — and then address — cyber vulnerabilities hidden deep within their systems.
Adversaries, on the other hand, are using AI to launch and dramatically accelerate cyberattacks. For example, they use AI to quickly scan internal and external networks, identify vulnerabilities in health care organizations’ systems and then infect them with malware. AI also has increased the efficiency and speed with which the bad guys can develop malware to exploit those vulnerabilities. Simply put, the bad guys now can more effectively “hack before we patch.”
In addition, bad actors use AI for social engineering attacks. Through AI, they can:
- Research information about a company executive and imitate the executive’s voice through AI-developed synthetic audio to call the IT help desk and ask for a password reset. They will be successful at getting the password because they can present the correct identifying information.
- Develop a profile of someone they want to impersonate and create a deepfake video of the person.
- Craft much more effective phishing emails. It used to be somewhat easy to spot a phishing email through spelling and grammar errors and awkward sentence structure. Now, even a non-English speaker can construct proper English sentences, boosting believability.
AHA Support for Your Cybersecurity and Risk Efforts
Our team offers a variety of strategic cybersecurity and risk advisory services to assist AHA members, many of which are included with your AHA membership.
We are also available anytime, including after hours, at no cost should your AHA member organization need urgent assistance, guidance or introduction to trusted government contacts as the result of a cyber or risk incident.
- John Riggi, National Advisor for Cybersecurity and Risk: jriggi@aha.org
- Scott Gee, Deputy National Advisor for Cybersecurity and Risk: sgee@aha.org
Plus, learn how the exclusive, highly vetted panel of service providers in our AHA Preferred Cybersecurity & Risk Provider Program can help your organization prepare for, prevent and respond to today’s pressing cyberthreats.