Massive Healthcare Breaches Prompt a New Era of Cybersecurity Rules
The healthcare industry experienced an unprecedented level of cybersecurity breaches in 2024, with a record-breaking number of patient records exposed. Hacking/IT Incidents, per hipaajournal.com, is the number one cause of reported breaches.
The biggest breaches of the year are below.
| Covered Entity | Date | Type | Records |
| Change Healthcare | 02/2024 | Ransomware | 100m |
| Kaiser Foundation Health Plan | 04/2024 | Privacy | 13.4m |
| Ascension | 07/2024 | Ransomware | 5.6m |
| HealthEquity | 07/2024 | Unauthorized Access – BAA | 4.3m |
| Concentra Health Services | 01/2024 | BAA Breach | ~4m |
Fueled by In an era where companies are more willing to pay ransomware gangs, data breaches are becoming alarmingly frequent, the U.S. healthcare industry is under immense pressure to bolster its defenses and the government is waving the “stick” a bit more with authority.
The Department of Health and Human Services (HHS) has announced sweeping updates to the Health Insurance Portability and Accountability Act (HIPAA), marking a pivotal shift in how patient data is protected. These updates come as a response to a wave of cyberattacks that have compromised millions of Americans’ sensitive health information.
The proposed rules aim to strengthen cybersecurity measures, ensuring healthcare organizations can better safeguard protected health information (PHI). From encryption mandates to network segmentation, these measures are designed to make healthcare systems more resilient against evolving threats. But what do these changes mean for the industry, and how will they impact both providers and patients? Let’s delve deeper.
The Growing Threat of Healthcare Data Breaches
We all know why hackers like hitting hospitals.
- There’s lots of money in the records.
- Systems are willing to pay the ransom – and quickly to restore services.
- Their cybersecurity defenses are not top-notch.
- Lots of BAA’s to hit – the blast radius is big.
The bigger the breach, the more money to pull. Hackers can have a life changing payday and ignore typical engagements (like customer service) if they can get 8 figures for a single breach. Change Healthcare’s bill for the ransomware attack is well over $3B and climbing as they continue to sort out legal problems – and that’s after they paid the $22 million ransom to recover their systems.
It’s not just financial – patient care is affected as well. The attack on Ascension forced the hospital system to revert to manual recordkeeping and divert emergency services. Such incidents highlight the urgency of adopting robust cybersecurity measures to prevent similar disruptions.
Proposed HIPAA Updates: What you Need to Know
I don’t need to recap the changes. Kirkland has done a wonderful job of this already: https://www.kirkland.com/publications/kirkland-alert/2025/01/proposed-changes-to-the-hipaa-security-rule
But I will give you more actionable information.
What controls do you need to have in place to meet these in the case they go live in the summer of 2025? (assuming 60 days after Rule’s publication. Comment deadline is March 7, 2025).
| Requirement | Tools | Procedures | Policies |
| Eliminating Addressable vs. Required Standards | Compliance Management Software Policy Automation Tools | Conduct a full review of current safeguards. Update risk assessments to ensure all standards are fully implemented. | Create a policy mandating compliance with all HIPAA Security Rule standards. Establish accountability for each standard. |
| Technology Asset Inventory | IT Asset Management Tools (e.g., SolarWinds, ServiceNow) Network Mapping Software (e.g., Lucidchart, NetBrain) | Inventory all devices, software, and systems that access ePHI. Create and maintain a network map illustrating ePHI flow. Review inventory and map annually or when systems change. | Adopt a Technology Asset Management Policy covering inventory updates and network mapping. |
| Risk Analysis and Evaluation | Risk Analysis Platforms (e.g., Archer, LogicGate) Gap Analysis Tools | Perform comprehensive gap assessments. Conduct annual risk analyses to identify vulnerabilities and categorize impact levels. Evaluate risks after major system changes. | Develop a Risk Management Policy detailing annual analyses and gap evaluations. Include criteria for categorizing risks. |
| Patch Management | Patch Management Tools (e.g., ManageEngine, Ivanti) Vulnerability Scanning Tools (e.g., Nessus, Qualys) | Identify vulnerabilities through automated scans. Apply patches, updates, and upgrades promptly. Review and update patch policies annually. | Create a Patch Management Policy requiring timely updates and tracking installations. |
| Contingency Planning | Backup Solutions (e.g., Veeam, Acronis) Disaster Recovery Tools (e.g., Zerto, Azure Site Recovery) | Develop and test a data backup and restoration plan. Ensure data can be restored within 72 hours. Review and revise plans annually and after major changes. | Establish a Contingency Planning Policy with detailed procedures for backups, restorations, and emergency responses. |
| Encryption | Encryption Software (e.g., BitLocker, VeraCrypt) Secure Communication Tools (e.g., TLS/SSL Certificates) | Encrypt all data at rest and in transit. Regularly review encryption configurations for compliance. | Implement an Encryption Policy requiring strong encryption algorithms and key management protocols. |
| Network Segmentation | Network Segmentation Tools (e.g., Cisco TrustSec, Palo Alto Networks) | Divide networks into isolated segments based on risk analyses. Restrict access between segments containing ePHI and general networks. | Develop a Network Segmentation Policy defining segmentation processes and review timelines. |
| Multi-Factor Authentication (MFA) | MFA Solutions (e.g., Duo Security, Okta) | Enable MFA for all systems containing ePHI. Train users on MFA setup and use. | Establish an Authentication Policy mandating MFA for all users accessing ePHI systems. |
| Enhanced Physical Safeguards | Mobile Device Management (MDM) Tools (e.g., Intune, AirWatch) Physical Access Control Systems (e.g., keycard access) | Implement physical controls for mobile device storage and use. Develop procedures for tracking device movement in and out of facilities. | Create a Workstation Security Policy covering mobile devices, physical safeguards, and device relocation procedures. |
| Required Notifications | Incident Management Systems (e.g., ServiceNow, PagerDuty) Communication Platforms (e.g., Slack, Microsoft Teams) | Notify covered entities within 24 hours of workforce access changes. Notify covered entities within 24 hours of contingency plan activation. | Adopt an Incident Notification Policy specifying required timelines and notification procedures for all events. |
| Business Associate Review and Delegation | Vendor Risk Management Tools (e.g., BitSight, CyberGRX) Cybersecurity Assessment Tools (e.g., HITRUST MyCSF) | Verify technical safeguards of business associates annually. Obtain a written cybersecurity analysis from a professional annually. Delegate Security Officer duties when appropriate. | Develop a Business Associate Oversight Policy requiring annual verification of compliance and written security evaluations. |
The Economic Impact of Compliance
The proposed healthcare security rule update will require significant investments in encryption, MFA, and risk analysis, especially for smaller providers. While costly, these changes could help mitigate the high costs of data breaches and potential regulatory action. Although the final rule may change under the new administration, bipartisan support for healthcare cybersecurity suggests it will likely be implemented. Smaller healthcare providers may need federal assistance to comply without sacrificing care quality.
Why These Updates Are Long Overdue
It’s about time; The HIPAA Security Rule, last updated in 2013, is not equipped to handle the sophistication of modern cyber threats. Cyber and threats are changing much quicker than our institutions can manage the change – and maybe that’s by design to bring the “stick” along slowly. Over the past decade, the healthcare industry has made massive changes by adopting digital tools like electronic health records (EHRs), telemedicine, and IoT devices.
While this has improved patient care, it has also created new cybersecurity problems that need to be dealt with…most likely with a smaller team and an even smaller budget.
What’s Next for Healthcare Cybersecurity?
The proposed HIPAA updates are just the beginning because here comes AI! Being proactive is best – and thinking through the compliance requirements and aligning them with the business objectives (aka patient care) is the approach I would recommend. This includes but is not limited to:
- Sanity Checks: Use your network – collaborate together with others.
- Map your Data: Know your data lifecycle and data flow through your systems.
- Regular Risk Assessments: Identifying and addressing vulnerabilities before attackers can exploit them.
- Employee Training: Ensuring staff are equipped to recognize and respond to potential threats.
- BC/DR/Incident Response Plans: Preparing for worst-case scenarios to minimize damage and recovery time.
Conclusion: We’re Here.
Healthcare Cyber is hard. Hard.
You’re probably understaffed and undermanned (or no-manned) and drowning on balancing business operational needs with cybersecurity and regulation and compliance. That’s where we’re here to help.
At Class IV, we support healthcare providers, BAA’s, and all other members in the HIPAA ecosystem with quality, effective cybersecurity services to help you in your IT, Cyber, and Data (read: AI) journeys. We’re happy to be a sanity check for you and be your compliance battle buddy in delivering outstanding results and a penchant for action.
