Healthcare providers across the United States are facing a significant challenge in cybersecurity, with a rising number of hacking and IT incidents causing data breaches that impact millions of individuals. According to the U.S. Department of Health and Human Services, the top 15 data breaches this year alone affected a staggering 24,755,791 individuals.
WHY DATA BREACHES MATTER
The two largest healthcare data breaches this year were reported by Change Healthcare, affecting 100 million individuals, and Kaiser Foundation Health Plan, affecting 13.4 million individuals. These breaches highlight the vulnerability of healthcare providers’ network servers to hacking and unauthorized access, making them prime targets for cybercriminals.
Among the 15 healthcare provider organizations that suffered catastrophic data breaches this year are Ascension Health, Concentra Health Services, Inc., and Acadian Ambulance Service, Inc., affecting millions of patients. The impact of these breaches on patient data security and privacy is concerning, emphasizing the need for stronger cybersecurity measures in the healthcare industry.
One notable incident that is currently under investigation involves a cyberattack on PIH Health, where hackers claim to have stolen about two terabytes of data, including 17 million patient records. If confirmed, this breach could push the total number of individuals affected in the top 15 data breaches to over 40 million.
ADDRESSING CYBERSECURITY THREATS
UnitedHealth Group’s response to the ransomware attack on Change Healthcare highlights the importance of rebuilding with cloud-based security measures to prevent future incidents. The outage caused by the attack not only exposed a significant amount of protected health information but also disrupted patient care, underscoring the need for robust cybersecurity protocols in healthcare organizations.
To combat the escalating threat of healthcare cyberattacks, the Office for Civil Rights announced a Notice of Proposed Rulemaking to modify the Security Standards for the Protection of Electronic Protected Health Information under HIPAA. The proposed changes include requirements for encryption of ePHI, implementation of multifactor authentication, and inventory of technology assets to enhance data security.
As OCR Director Melanie Fontes Rainer stated, cyberattacks continue to impact the healthcare sector, necessitating updates to the HIPAA Security Rule to address the evolving cybersecurity landscape. These proposed changes aim to strengthen data protection measures and mitigate the risks posed by cyber threats in healthcare.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.