In the modern digital landscape, cybersecurity is crucial for the daily operations of many organizations. Most healthcare facilities rely on specialized hospital information systems, including electronic health records (EHR), e-prescribing systems, practice management tools, radiology information systems, and computerized physician order entry systems.1 The healthcare sector has long been a major focus for cyberattacks because it holds a wealth of valuable information, including patients’ protected health information; financial information, such as credit card and bank account numbers; personally identifying information, such as Social Security numbers; and intellectual property related to medical research.2,3,4 Cyber incidents in hospitals and health systems can cause prolonged care disruptions, patient diversions, and acute care strain, leading to canceled appointments and delayed procedures. Moreover, they can jeopardize patient safety and impact communities that rely on local emergency and specialty care for life-saving treatments.3
In 2023, a new record was set with 725 major healthcare cybersecurity breaches reported to the Department of Health and Human Services Office for Civil Rights, surpassing the previous year’s record of 720 breaches.5 Healthcare facilities are struggling to deal with increasingly advanced cyberattacks due to facilities falling short on basic security measures, budget constraints, and challenges in hiring and retaining skilled information technology security professionals.5,6
Therefore, in December 2023, the Department of Health and Human Services (HHS) published the Healthcare Sector Cybersecurity Strategy, which builds on the Biden Administration’s National Cybersecurity Strategy published in March 2023 and focuses on enhancing resilience for hospitals, patients, and communities facing cyberattack threats.3,7 Specifically, the HHS aims to work with Congress to obtain funding to administer financial support for hospitals to implement high-impact cybersecurity practices and to propose new cybersecurity standards that will be incorporated into existing programs, including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.8 The HIPAA Security Rule sets national standards to safeguard individuals’ electronic personal health information handled by covered entities. It mandates the implementation of administrative, physical, and technical measures to ensure the confidentiality, integrity, and security of electronic protected health information.9
On March 22, 2024, the Health Care Cybersecurity Improvement Act of 2024 (S. 4054) was introduced, which would allow healthcare providers to receive advanced payments in the event of a cyber incident if they are adhering to minimum cybersecurity standards.10,11 This legislation comes in response to a cyberattack on Change Healthcare, which had paused billing services for many healthcare providers, putting them at risk of going bankrupt.10 The Health Care Cybersecurity Improvement Act aims to amend the current Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance Payment Program by introducing several key changes. It also requires the HHS Secretary to determine if the need for payments is due to a cyber incident.10,11
Healthcare cybersecurity threats come in many forms and target a variety of systems, making the sector a key focus for threats to medical information. However, the healthcare industry lags behind other major sectors in securing critical data, making it particularly vulnerable.12 Therefore, healthcare organizations should implement a comprehensive hospital cybersecurity strategy to guarantee patient safety and protect all devices from misuse and attacks. This approach can ensure that every connected medical device, as well as any device containing data classified as patients’ protected health information or personally identifiable information, is fully secured.13 Investing time and resources in safeguarding healthcare technology and ensuring the confidentiality of patient information against unauthorized access are essential.
Author Bio:
Renée Chuang, M.S.
Renée completed her undergraduate education in Biochemistry and Sociology at the University of Oregon. She then received her Master of Science in Global Health at National Taiwan University. Currently, she is pursuing her DrPH in Health Policy and Leadership at Loma Linda University School of Public Health. Her research interests include patient-provider relationships and quality of care. When she is not studying, she can be found exploring local coffee shops in LA or training for a marathon.
References
1. https://www.himss.org/resources/cybersecurity-healthcare
2. https://www.cyberark.com/what-is/healthcare-cybersecurity/
3. https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf
4. https://www.aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety
5. https://www.hipaajournal.com/security-breaches-in-healthcare/
6. https://energycommerce.house.gov/posts/what-we-learned-change-healthcare-cyber-attack
7. https://www.hipaajournal.com/hhs-publishes-healthcare-sector-cybersecurity-strategy/
8. https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html
9. https://www.hhs.gov/hipaa/for-professionals/security/index.html
10. https://www.warner.senate.gov/public/index.cfm/2024/3/responding-to-change-healthcare-warner-introduces-legislation-to-protect-providers-in-the-event-of-future-hacks-requiring-minimum-cybersecurity-standards
11. https://www.warner.senate.gov/public/_cache/files/9/1/912e96f3-6819-42f2-b6bc-11b4ed794889/A3B1C470B439B26BBC83E6C7FFFFFA34.goe24245.pdf
12. https://content.iospress.com/download/technology-and-health-care/thc1263?id=technology-and-health-care%2Fthc1263
13. https://ordr.net/article/what-is-healthcare-cybersecurity