Safeguarding Healthcare systems in the digital age: Navigating threats and new regulations

Healthcare has undergone a digital transformation over the past decade—electronic health record (EHR) adoption is at an all-time high, telehealth has become a key channel for patient care, and innovative technologies are reshaping patient engagement and care delivery. Cyber attacks have kept pace with the change. Hackers are more advanced than ever, targeting providers of all sizes across the healthcare ecosystem, leading to significant disruption year after year.

Federal regulation has been slow to keep up, leaving the sector vulnerable as organizations fail to self-regulate and adopt evolving cybersecurity standards. The Health Infrastructure Security and Accountability Act, introduced on September 26th, seeks to close regulatory gaps by crystallizing minimum cybersecurity standards, establishing funding for resource-strapped companies, and increasing penalties for noncompliance. In this article, we explore what the new regulation means for healthcare organizations and how they can best safeguard themselves against cyber disruption using strategic technology partners.

FBI names the healthcare sector the #1 target of ransomware

In 2023, the healthcare sector had a total of 725 reported data breaches that impacted over 120 million Americans, making it one of the most breached industries. These headlines continued into 2024 with two large industry players, Change Healthcare and Ascension, falling victim to attacks that could have been prevented with the adoption of standard cybersecurity practices, highlighting the impact of cyber disruptions on patient care.

Change Healthcare

In February, hackers gained entry to Change Healthcare, the largest healthcare clearinghouse in the US, through stolen credentials.
They then launched a denial of service (DoS) attack, leaving Change unable to process millions of health claims over the course of a few weeks and forcing them to pay a $22 million ransom to regain access to their platform. 74% of hospitals reported direct patient care impact as a result of the breach, as eligibility verifications, pharmacy operations, and transmittals and payments were halted while the system was down. UnitedHealth Group, the parent company of Change Healthcare, estimates the data breach cost them between $2.3 – $2.45 billion.

Ascension

In April, Ascension, one of the largest US healthcare systems, fell victim to a ransomware attack after an employee downloaded a malicious file onto a company device. This caused the company to take devices across the organization offline, losing access to patient EHRs and resorting to tracking procedures and medications on paper.

New legislation seeks to standardize cybersecurity requirements

Senators Ron Wyden and Mark Warner introduced the Health Infrastructure Security and Accountability Act in September to counteract rising healthcare breaches. Per Senator Warner, “cyberattacks on our health care institutions threaten patients’ most private data and delay essential medical care, directly endangering Americans’ lives and long term health […] It’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety.”

The new bill seeks to expand policy established by the 1996 Health Insurance Portability and Accountability Act (HIPAA) and associated regulations like the HIPAA Privacy and Security Rules. HIPAA was designed to protect patient health information, whereas the new bill seeks to protect and strengthen digital operations. Specifically, the Health Infrastructure Security and Accountability Act requires the Department of Health and Human Services (HHS) to develop and enforce minimum cybersecurity standards for healthcare entities.
Updates include potential jail time for CEOs who lie about their organization’s cyber posture, mandatory independent cybersecurity audits, the removal of caps on financial penalties previously established under HIPAA, and funding to help resource-constrained hospitals meet the new standards.

What this means for healthcare organizations

While the Health Infrastructure Security and Accountability Act still has a way to go before it becomes law, it signals an increased legislative focus on cybersecurity. Christine Sublett, a board member, cybersecurity and information risk expert, and CEO of Sublett Consulting, urges organizations to get ahead of regulation.

“I’ve worked in the healthcare technology and cybersecurity industry for over 25 years and have seen great improvements in the cybersecurity posture of the average healthcare organization. CISOs and executive teams have come to understand that investing in their cybersecurity programs, going beyond what is required by HIPAA to align with recommended frameworks like NIST CSF and HITRUST, can maximize the chances of protecting against current and emerging threats.”

Over the past 13 years I have advised more than 50 early stage and SMB companies pursuing implementation of different regulatory frameworks, certifications, audits, and industry requirements including NIST CSF, HITRUST, HIPAA, PCI, and SOC 2. Many companies are choosing to implement security frameworks with which to align their cybersecurity and/or privacy programs. Boards of Directors and executives are becoming cognizant of the cyber risks faced by their organizations, and the cost and other consequences of inaction, including those of a significant cyber incident.

Partnering for success with Zip Security and Thoropass

Healthcare organizations unsure of how to navigate cybersecurity and compliance regulations should identify trusted external partners to help bridge resource and expertise gaps.
Zip Security enables companies of all sizes to manage cybersecurity in-house with its all-in-one cybersecurity and IT platform built on top of industry-leading tools. Their opinionated software and white-glove customer support simplify common workflows including onboarding employees, deploying antivirus, and enforcing industry-standard practices such as MFA. They offer one-click deployment of solutions that are compliant with frameworks like HIPAA, SOC 2, PCI DSS, NIST 800-171, and more.

Thoropass helps companies navigate and pass audits efficiently, saving time and resources by integrating directly with their processes. With the OrO way, a first-of-its-kind approach that removes the friction and complexity of traditional infosec compliance processes and IT audits, Thoropass maximizes transparency and efficiency while ensuring the highest quality reports and attestations. Hundreds of growing companies use Thoropass’ compliance and audit solution, expert services, in-house auditors, and partner ecosystem to get and stay compliant over the lifetime of their business. They offer solutions for SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS, and other infosec and privacy frameworks.

Together, Zip Security and Thoropass help healthcare companies streamline their cybersecurity and compliance efforts. Zip Security’s all-in-one platform simplifies the deployment of industry-leading tools and ensures HIPAA compliance through automated management workflows, while Thoropass provides expert guidance and audit support to navigate compliance frameworks with ease. Together, they enable healthcare organizations to achieve and maintain regulatory compliance efficiently and transparently.