According to the American Hospital Association (AHA), healthcare cybersecurity is under unprecedented strain in 2024, with 386 breaches reported so far. The industry faces not only more frequent attacks but also ones with increasingly severe consequences. These threats target interconnected systems, jeopardizing patient care and financial stability.
Ransomware attacks have grown beyond financial extortion, directly endangering patient safety by crippling healthcare operations. The February 2024 ransomware attack on Change Healthcare is a prime example. It disrupted over 100 critical functions, including claims processing and prescription management, delaying patient care and billions of dollars in payments. The incident demonstrates how interconnected systems can amplify the impact of a single breach, leaving providers vulnerable to cascading effects.
Healthcare organizations increasingly rely on vendors and supply chains, but these partnerships come with risks. In 2023, breaches involving third-party vendors led to a 287% increase in affected individuals. When Change Healthcare’s systems were compromised, disruptions reverberated across the sector, revealing the dangers of insufficient oversight. Strengthening vendor security through audits, contractual cybersecurity requirements, and continuous monitoring is fundamental to mitigating these risks.
A troubling trend in 2024 is the partnership between nation-states and cybercriminal groups, allowing criminals access to more resources. In August, Iranian-linked actors facilitated ransomware attacks on U.S. healthcare networks, combining advanced hacking tools with aggressive extortion. The shift presents healthcare organizations with adversaries equipped for financial and geopolitical disruption, requiring advanced detection capabilities and constant vigilance.
The Department of Health and Human Services (HHS) has introduced voluntary Cybersecurity Performance Goals (CPGs) to help healthcare providers improve defenses. These goals focus on addressing vulnerabilities, combating phishing, and strengthening access controls. They also encourage extending these standards to third-party vendors, as advocated by the American Hospital Association.
Beyond CPGs, regulatory efforts are pushing for mandatory risk assessments, incident response plans, and breach reporting. Adhering to these standards strengthens security and demonstrates a commitment to patient trust and data protection.
Up to 13.4 million individuals were affected when personal information was transmitted to third parties like Google and Bing. While no misuse has been reported, notifications were issued as a precaution.
Nearly 4 million individuals were affected by a breach at Perry Johnson & Associates, Inc., a vendor providing transcription services. Concentra indicated that the incident occurred at the vendor's end.
Over 2.5 million individuals were affected by a breach that compromised Social Security numbers and insurance details, detected late last year.
A cyberattack exposed Social Security numbers and birth dates of nearly 2.4 million individuals. No financial data was reported as compromised.
Over 1 million individuals were affected when a former employee of Nuance Communications accessed patient data after termination.
A ransomware attack, triggered by an employee downloading a corrupt file, affected 13.4 million individuals and disrupted critical systems.
HIPAA (Health Insurance Portability and Accountability Act) is a US law that sets national standards for protecting sensitive patient information. HIPAA's Security Rule specifically addresses the technical and non-technical safeguards required to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Compliance with HIPAA requires healthcare organizations to implement cybersecurity measures, conduct regular risk assessments, and ensure ongoing protection against threats to ePHI.
Healthcare cybersecurity frameworks, such as the NIST Cybersecurity Framework and HITRUST CSF (Common Security Framework), provide guidelines and best practices for securing healthcare information systems. These frameworks help organizations assess their cybersecurity posture, identify areas for improvement, and implement controls to mitigate risks effectively. Adhering to established frameworks ensures that healthcare organizations maintain a detailed and standardized approach to cybersecurity, enhancing the protection of patient data and regulatory compliance.
Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.
Business associates have responsibilities similar to those of covered entities in protecting PHI under HIPAA. Both must ensure the confidentiality, integrity, and security of PHI. Business associates are required to implement appropriate safeguards, comply with the terms of business associate agreements, and report any breaches of PHI. While covered entities are directly responsible for PHI, business associates must also adhere to HIPAA regulations to protect patient information from unauthorized access or disclosure.