Q&A: CybersolutionsMD CEO on preventing cyberattacks

Dr. Eric Liederman, CEO of CybersolutionsMD, joined MobiHealthNews to discuss why healthcare organizations should assess their vulnerability and prepare for ransomware attacks.
By Anthony Vecchione
09:25 am

Dr. Eric Liederman, CEO of CybersolutionsMD

Photo courtesy of CyberSolutionsMD

Dr. Eric Liederman, CEO of CybersolutionsMD, a digital health, privacy, security and IT resilience consultancy, has held informatics leadership roles at health system CommonSpirit Health (formerly Catholic Healthcare West), UC Davis Health System and Kaiser Permanente.

Liederman will discuss how to prepare for and recover from a major cyberattack at the 2025 HIMSS Global Health Conference and Exhibition in Las Vegas in March. He recently sat down with MobiHealthNews to discuss his HIMSS25 talk on the severity of cyberattacks and what healthcare organizations can do to prevent them.

MobiHealthNews: How severe is the problem?

Dr. Eric Liederman: Severity can be measured in a number of different ways. It can be measured in terms of prevalence. And prevalence, if this were a disease, it would be a pandemic much worse than COVID-19. It is affecting by far the majority of healthcare delivery organizations.

It can be as high as two-thirds or more. Other surveys put it closer to the 55% level. But it is the majority that have already been hit.

Most of them don't like to talk about it because their lawyers tell them to clam up. 

That's actually its own problem because everyone is operating in an isolated silo, and people aren't able to learn from one another. In terms of the data we have, this is a very severe problem. Now in terms of severity, which is the other thing – prevalence and severity – with severity, there is recent data out of the University of California, San Diego, which paints a dire picture. It published a number of papers showing the impact of a ransomware attack not on themselves, but on a nearby multi-hospital system in San Diego. 

The impact was terrible. One that comes to mind is that their out-of-hospital cardiac arrest outcomes plummeted. Prior to this attack on their neighboring system, the percentage of such folks who left the hospital with their brains intact was about 40%. During the period of the attack and its aftermath, it dropped to 4%. 

MHN: What are healthcare leaders doing right? What more should they be doing?

Liederman: Defense and its effectiveness are really all over the board. It is very hard to hire experienced cybersecurity professionals, especially in healthcare. These folks can earn a lot more money in financial services. Financial services used to be the No. 1 victim of these attacks, but they have really hardened themselves and they have done it in large part by throwing a lot of money at the problem.

But there are only so many of these folks around. So a lot of healthcare organizations do not have the teams they need to adequately defend themselves. That is a big problem that is spread all over the country, all over the world really.

Those who are better resourced still have their own challenges in terms of defense. One problem is structural, which is patching takes time and negotiation. Nobody wants to bring their system down to have patches applied. Everybody complains about that. Plus, you have structural delays built in all over the place. The owner of the firmware or the operating system or the software, it takes some time to identify and then publish the fact that there is a vulnerability and then to publish patches for it and then, of course, those patches typically have to be tested and scheduled.

Meanwhile, during that time, attackers can come in and take you out.

If you don't know you have a vulnerability or you know you have a vulnerability but you don't have a patch or you know you have a vulnerability and you have the patch but you haven't applied it, your door is wide open.

The attackers are very well-funded because they are extorting huge amounts of money through ransom attacks, business email compromises and other forms of monetization of their attack vectors and structures.

So, they are very well-funded and put a lot of what they pull in into research and development, and they are using tools that the rest of us are now using for other purposes like AI. 

AI is exciting, but it is being used by the attackers to identify vulnerabilities and identify exploits against them. The defenders can use the same tools, but the problem is that there are structural delays in terms of patching, so it is an imbalanced playing field.

MHN: What do you see on the horizon in terms of technology, attitude and spending patterns that will help combat cyberattacks?

Liederman: Ironically, the most effective way to shut down these attacks is if everybody were to agree to not pay a dime to the attackers. That would be the most effective way. Just make it so that it is a barren desert in terms of monetization. Of course, even in those situations, those attacks typically have not stopped. When healthcare organizations have refused to pay ransom, there are more and more instances where the attackers have gone after and extorted individual patients. 

This happened recently in Pennsylvania where a bunch of nude images of patients – the images were taken because they were being assessed and prepared for radiation oncology treatment for their cancers – were obtained by an attacker, and they tried to go after the individual patients and say, "If you don't pay us directly, we are going to publish these naked pictures of you on the internet." There are lots of examples of this all over the country, all over the world.

I don't know how that can be stopped. These are aggressive, well-funded players.

In terms of supporting the healthcare organizations that are in trouble, I guess it is a multifactor situation.

On the one hand, you have a supply and demand problem. As I mentioned, you don't have enough trained professionals – the federal government has tackled such issues before by providing preferential funding and support pipelines for people to be educated and trained in certain areas. Whether or not the incoming administration or future administrations would have an interest in doing this sort of thing, I don't know. 

In the absence of fixing the supply and demand problem, simply pouring more money into the healthcare or any industry in the United States to try to hire these folks and provide services that they need is just going to create inflation for their services. If you have a fixed supply and you jack up demand, you are just going to increase the price. So I don't know if there is a good solution. There is a fundamental mismatch that needs to be addressed. 

Dr. Eric Liederman's session, "The Day After: Preparing to Recover from a Major Cyberattack," is scheduled for Tuesday, March 4, at 3:15 p.m. at HIMSS25 in Las Vegas.
