In the New Year, Can Legislation Protect Patient Data?

By Errol Weiss, chief security officer, Health-ISAC.

Healthcare data breaches are reaching unprecedented levels, with attacks on the industry growing in both frequency and sophistication. Cybercriminals are zeroing in on weaknesses across healthcare environments, exploiting outdated, unpatched and poorly segmented systems to steal, encrypt and manipulate sensitive patient data.

From medical histories to genomic information, this data has immense value, making it a lucrative target for ransomware, phishing schemes, and insider threats. As healthcare organizations scramble to shore up defenses, the risks extend beyond financial losses to jeopardize patient safety and trust.

The urgency is reflected in two bills introduced in Congress in 2024: the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA). Neither had been enacted at the time of writing, but both aim to confront the mounting threats, and both raise critical questions: Can legislation outpace the rapidly evolving tactics of cybercriminals? Is it enough to close the gaps left by older regulations such as HIPAA?

Limitations of existing legislation

The limitations of existing regulations such as the Health Insurance Portability and Accountability Act (HIPAA) reveal why new measures are necessary to address today's cybersecurity challenges. When HIPAA was enacted in 1996, its primary concerns were insurance portability and administrative simplification; the Privacy Rule and Security Rule that now govern how patient information is protected were added by regulation in the years that followed. While those rules have played a pivotal role in protecting patient data, HIPAA's framework has not kept pace with the increasingly sophisticated cyber threats facing healthcare organizations.

As it stands, HIPAA functions largely as a reactive enforcement framework, penalizing organizations after data breaches occur rather than driving proactive measures that prevent them. The Security Rule is deliberately technology-neutral: it names the safeguards a covered entity must address but leaves much of the "how-to" for securing digital infrastructure undefined. That flexibility creates wide disparities in practice. Large healthcare providers with robust resources can invest in advanced protections, while smaller clinics and rural providers struggle to implement even basic measures because of financial and technical limitations.

HIPAA does not adequately address the modern healthcare environment's reliance on interconnected technologies, telemedicine platforms and cloud storage. Patient data now flows through a vast web of systems, including electronic health records (EHRs), wearable devices and mobile health apps, all of which expand the "attack surface": the set of entry points and weaknesses an attacker could exploit to gain unauthorized access. These gaps are exacerbated by the increasing frequency of ransomware attacks, phishing schemes and insider threats, which extend far beyond the threats envisioned when HIPAA's rules were written.

While HIPAA dominates the conversation, other regulations, such as state-level data protection laws, also fall short in addressing these challenges. These laws often lack uniformity, leading to inconsistent protections and compliance requirements that further complicate cybersecurity efforts across the industry. The absence of a coordinated, federal-level mandate for modern cybersecurity practices leaves critical vulnerabilities unaddressed.

A new era of protection

The Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act (HISAA) of 2024 mark a significant shift in how lawmakers propose to tackle the growing cybersecurity threats facing the healthcare industry. If enacted, these bills would establish a more detailed framework for protecting patient data and securing healthcare systems in an increasingly digital and interconnected environment.

The Healthcare Cybersecurity Act of 2024 focuses on strengthening federal coordination and preparedness against cyber threats. It would require agencies such as the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to work together on practical guidelines and detailed response plans for healthcare providers. The bill prioritizes timely threat sharing between the public and private sectors so that healthcare organizations can quickly access accurate and relevant information about emerging cybersecurity risks.

Meanwhile, the Health Infrastructure Security and Accountability Act (HISAA) of 2024 emphasizes accountability. It would set minimum cybersecurity standards for healthcare organizations, mandate regular independent cybersecurity audits and impose stricter reporting obligations, creating clear benchmarks for compliance.

HISAA would also introduce specific financial and operational penalties for organizations that fail to meet these requirements, attaching tangible consequences to negligence in data protection. This targeted approach aims to reduce the variability in cybersecurity practices across the industry and ensure consistent application of safeguards.

Future opportunities

These proposals set out a comprehensive framework for enhancing healthcare cybersecurity, but even if enacted they would be just the beginning. As cyber threats continue to evolve, further legislative developments will likely be necessary to keep pace with emerging risks and technological advances. Future health legislation may address several critical areas.

For instance, as data breach tactics become increasingly sophisticated, the government could introduce more stringent standards for encrypting sensitive data at rest and in transit, so that patient information is safeguarded at every level. Such standards could set industry-wide expectations for encryption and key management across all devices and networks used in patient care, leaving fewer weak points for attackers to exploit.

Expanded funding for small and rural healthcare providers may also be on the horizon, enabling these organizations to adopt robust cybersecurity measures and comply with new security standards regardless of their financial resources. The funding could prioritize grants for network protections, threat detection and monitoring systems, and security training tailored to smaller-scale operations.

Additionally, as healthcare organizations operate in an increasingly interconnected global landscape, future legislation might foster international collaboration to address cross-border cybersecurity threats, potentially establishing global norms and frameworks for data protection. These efforts could include forming coalitions that enable real-time information sharing about cyberattacks, bridging gaps between countries with varying levels of digital infrastructure.

Another potential development is the implementation of mandatory cybersecurity education and training for healthcare employees. Such a policy could ensure that everyone in the healthcare system, from administrative staff to physicians, is equipped to recognize and respond to cybersecurity threats effectively. Training could focus on identifying phishing attempts, securely managing sensitive data, and understanding the specific risks associated with connected medical devices.

These measures would collectively strengthen the industry’s ability to protect sensitive patient data in the face of evolving challenges, ensuring that healthcare systems can adapt and respond to the ever-changing landscape of cyber threats.

Final thoughts

The healthcare industry faces a pivotal moment in its approach to cybersecurity, as the increasing value of patient data to cybercriminals demands urgent and robust action. While the Healthcare Cybersecurity Act of 2024 and HISAA represent significant steps forward, they are still proposals, and at best the foundation of what must become a broader, more dynamic strategy. As cyber threats grow in sophistication, the healthcare sector will need to embrace continuous improvement, leveraging advances in technology to stay ahead of malicious actors.

Policymakers must prioritize the development of adaptable regulations that anticipate emerging risks, provide funding to support cybersecurity programs at small and rural hospitals, and encourage all healthcare organizations to invest in scalable and proactive solutions.

Collaboration will be key, not only between government agencies and healthcare providers but also with technology developers and international partners. A unified effort to share knowledge, resources, and best practices can create a more resilient healthcare infrastructure.

Equally important is fostering a culture of cybersecurity awareness, where every stakeholder—from frontline staff to executives—understands their role in safeguarding patient data. Protecting privacy while fostering innovation is a delicate balance, but with vigilance, investment, and cooperation, the industry can meet this challenge head-on and build a more secure future for patients worldwide.
