According to the American Hospital Association (AHA), healthcare cybersecurity is under unprecedented strain in 2024, with 386 breaches reported so far. The industry faces not only more frequent attacks but also ones with increasingly severe consequences. These threats target interconnected systems, jeopardizing patient care and financial stability.
Ransomware endangering patients
Ransomware attacks have grown beyond financial extortion and now directly endanger patient safety by crippling healthcare operations. The February 2024 ransomware attack on Change Healthcare is a prime example. It disrupted over 100 critical functions, including claims processing and prescription management, delaying patient care and holding up billions of dollars in provider payments. UnitedHealth Group later told Congress that the attackers got in with compromised credentials on a remote-access portal that lacked multi-factor authentication. The incident demonstrates how interconnected systems can amplify the impact of a single intrusion, leaving providers that never touched the attacker exposed to cascading effects.
Third-party vulnerabilities widen the attack surface
Healthcare organizations increasingly rely on vendors and supply chains, but these partnerships come with risks. In 2023, the number of individuals affected by breaches involving third-party vendors rose 287%. When Change Healthcare's systems were compromised, disruptions reverberated across the sector, revealing the dangers of insufficient oversight. Strengthening vendor security through audits, contractual cybersecurity requirements, and continuous monitoring is fundamental to mitigating these risks.
Nation-state and ransomware group collaborations
A troubling trend in 2024 is the partnership between nation-state actors and cybercriminal groups, which gives criminals access to resources and access methods they would not otherwise have. In August, U.S. agencies warned that Iranian-linked actors were facilitating ransomware attacks on U.S. healthcare networks, brokering network access to ransomware affiliates and combining advanced intrusion tooling with aggressive extortion. The shift presents healthcare organizations with adversaries equipped for both financial and geopolitical disruption, requiring advanced detection capabilities and constant vigilance.
Cybersecurity Performance Goals and emerging regulations
The Department of Health and Human Services (HHS) has introduced voluntary Cybersecurity Performance Goals (CPGs) to help healthcare providers improve defenses. These goals focus on addressing vulnerabilities, combating phishing, and strengthening access controls. They also encourage extending these standards to third-party vendors, as advocated by the American Hospital Association.
Beyond CPGs, regulatory efforts are pushing for mandatory risk assessments, incident response plans, and breach reporting. Adhering to these standards strengthens security and demonstrates a commitment to patient trust and data protection.
Overview of 2024’s major breaches
Kaiser Permanente
Up to 13.4 million individuals were affected when online tracking technologies on Kaiser Permanente's websites and mobile apps transmitted personal information to third-party advertisers such as Google and Microsoft (Bing). While no misuse has been reported, notifications were issued as a precaution.
Concentra Health Services
Nearly 4 million individuals were impacted due to a breach at Perry Johnson & Associates, Inc., a vendor providing medical transcription services. Concentra indicated that the incident occurred on the vendor's systems, not its own.
WebTPA
Over 2.5 million individuals were impacted in a breach that compromised Social Security numbers and insurance details. The intrusion was detected in late 2023 and disclosed in 2024.
INTEGRIS Health
A cyberattack exposed Social Security numbers and birth dates of nearly 2.4 million individuals. No financial data was reported as compromised.
Geisinger Health System
Over 1 million individuals were impacted when a former employee of Nuance Communications accessed patient data after termination.
Ascension Health
A ransomware attack, triggered by an employee downloading a malicious file they believed to be legitimate, affected approximately 5.6 million individuals and disrupted critical clinical and administrative systems across Ascension's hospitals.
What healthcare organizations can do
- Invest in early detection tools: AI-powered systems and endpoint detection and response (EDR) can identify threats before they escalate.
- Train staff continuously: Simulated phishing exercises and routine education help minimize human error.
- Develop resilience plans: Incident response and recovery plans, tested through regular exercises, ensure quick action during an attack.
- Secure vendor partnerships: Conduct thorough audits, enforce cybersecurity clauses in contracts, and monitor vendor practices to mitigate third-party risks.
- Collaborate on threat intelligence: Joining information sharing and analysis centers and partnering with government agencies can improve collective defenses.
FAQs
What is HIPAA, and how does it relate to cybersecurity in healthcare?
HIPAA (Health Insurance Portability and Accountability Act) is a US law that sets national standards for protecting sensitive patient information. HIPAA's security rule specifically addresses the technical and non-technical safeguards required to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Compliance with HIPAA requires healthcare organizations to implement cybersecurity measures, conduct regular risk assessments, and ensure ongoing protection against threats to ePHI.
What role do healthcare cybersecurity frameworks play in ensuring data protection?
Healthcare cybersecurity frameworks, such as the NIST Cybersecurity Framework and HITRUST CSF (Common Security Framework), provide guidelines and best practices for securing healthcare information systems. These frameworks help organizations assess their cybersecurity posture, identify areas for improvement, and implement controls to mitigate risks effectively. Adhering to established frameworks ensures that healthcare organizations maintain a detailed and standardized approach to cybersecurity, enhancing the protection of patient data and regulatory compliance.
What should a healthcare organization do immediately after discovering a data breach?
Upon discovering a data breach, a healthcare organization should contain it (isolate affected systems and revoke compromised credentials while preserving logs and other evidence), assess the scope and the data involved, and begin an investigation to understand how the breach occurred and how to prevent future incidents. Under the HIPAA Breach Notification Rule, affected individuals and HHS must be notified without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals also require notice to prominent media outlets.
Do business associates have the same responsibility as covered entities in protecting PHI?
Business associates have similar responsibilities to covered entities in protecting PHI under HIPAA. Both must ensure the confidentiality, integrity, and availability of PHI. Business associates are required to implement appropriate safeguards, comply with the terms of their business associate agreements, and report any breaches of PHI to the covered entity. Since the 2013 Omnibus Rule, business associates are directly liable for compliance with the Security Rule and with the applicable provisions of the Privacy Rule, so a breach on a vendor's systems is the vendor's regulatory exposure as well as the covered entity's.