In 2023, healthcare and public health had the highest number of reported ransomware attacks in the United States. There is a reason this sector is such a target for ransomware and cybersecurity threats: it harbors a significant amount of private and incredibly sensitive data.
Unfortunately, 2024 is proving to be no exception to the surge of cybersecurity threats. As the industry reels from the Change Healthcare ransomware attack that occurred in February, regulatory bodies are addressing these threats with new and updated regulations.
For healthcare providers, understanding these evolving requirements and regulations is paramount to maintaining compliance, protecting patient data, and safeguarding their practices. That’s why we’ve gathered the latest cybersecurity regulations, key updates from the past year, and a look at what’s on the horizon.
The Ongoing Impact of Ransomware Attacks
The healthcare industry is no stranger to the impact of ransomware attacks this year. Over 31 million Americans were negatively impacted by healthcare cyber attacks and data breaches in the first half of 2024. The most damaging ransomware attack so far occurred on February 21, 2024. Change Healthcare, a critical clearinghouse and technology provider for the healthcare industry, was the victim of a ransomware attack by ALPHV/Blackcat. The group stole four terabytes of data, shutting down the largest health payment system in the United States. In the months since, Change Healthcare and many other organizations have taken strong measures to heighten the security of their systems.
As ransomware attacks have increased in both number and scale, they have resulted in extended periods of downtime, operational challenges, and security risks. The financial impact can’t be overstated: recovery costs, legal and regulatory fees, and reputational damage can all be incredibly costly for healthcare organizations. According to Statista, the average data breach in the United States cost $9.48 million as of 2023, an increase from 2022’s average of $9.44 million. The figure may even be higher, with IBM and the Ponemon Institute reporting the average cost to be $10.10 million in 2023. Regardless of the exact figure, there is no question that healthcare organizations must prioritize cybersecurity measures and compliance with changing regulations, which we detail below.
There is also the loss of personal health data, decreased employee productivity, reduced morale, and loss of trust from patients and employees. Ultimately, data breaches can be devastating to healthcare systems on numerous fronts.
New Cybersecurity Regulations in Healthcare
Cybersecurity regulations continue to evolve to reflect the current landscape of threats, trends, and best practices. As such, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) published a new, final version of guidance for regulated healthcare entities to follow, entitled “Special Publication (SP) 800-66 Revision 2,” on February 14, 2024.
This guidance was established to improve cybersecurity and compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It builds on the July 2022 draft and emphasizes flexibility in implementing the HIPAA Security Rule.
Here are the key takeaways for healthcare providers:
- Customization: Compliance approaches should be tailored to the risks and needs of each organization. Customized risk assessment and management strategies are strongly encouraged. Each entity can leverage the provided frameworks and outside methodologies as needed.
- Implementation: Entities are encouraged to prioritize their defense against threats such as ransomware attacks by reviewing their cybersecurity practices and risk management plans.
- Electronic Personal Health Information (ePHI): ePHI must be protected; risk is not removed by outsourcing its protection to a third party such as a business associate or contracted workforce. The responsibility of protecting ePHI lies with the regulated entity.
On December 6, 2023, HHS released a concept paper outlining the Department’s cybersecurity strategy for the healthcare sector. Its focus areas include:
- Publishing new voluntary healthcare-specific cybersecurity performance goals
- Working with Congress to develop supports and incentives to improve cybersecurity in domestic hospitals
- Increasing accountability and coordination within the healthcare sector
- Expanding the one-stop shop within HHS for healthcare sector cybersecurity
The concept paper stresses the importance of adopting robust cybersecurity frameworks and practices, such as implementing advanced threat detection systems and conducting regular security assessments. It also advocates for enhanced incident response plans and the establishment of clear communication channels for reporting breaches.
The Future of Healthcare Cybersecurity: What’s Next?
The Healthcare Cybersecurity Act was introduced by a group of bipartisan senators to strengthen the healthcare sector’s cybersecurity posture. It directs the Cybersecurity and Infrastructure Security Agency (CISA) and HHS to collaborate on improving healthcare cybersecurity and to disseminate resources about cyber threat indicators and defense measures.
It would also create a special liaison to HHS within CISA to coordinate responses during cyberattacks. The bill calls for the creation of a task force dedicated to creating and enforcing healthcare-specific cybersecurity standards. The Healthcare Cybersecurity Act includes provisions for increased funding to support cybersecurity initiatives within healthcare organizations.
Looking ahead, we can expect to see more regulations and compliance standards in an effort to bolster healthcare’s cybersecurity protections. In response to these evolving standards, healthcare organizations will likely rely more on technology like artificial intelligence (AI) and methodologies such as Zero Trust architecture. The algorithms within AI can be used to pinpoint anomalies and detect emerging threats so entities can respond in a more proactive, agile fashion. Likewise, the Zero Trust approach calls for the verification of every user and device prior to access, which can help to mitigate threats.
Best Practices for Keeping Up with Healthcare Cybersecurity Regulations
With increasing attacks, diligence and continuous learning are more important than ever. Staying current with cybersecurity regulations is essential but can be challenging, given the ever-changing nature of the landscape. To remain compliant and in tune with the latest advancements, organizations and providers can follow these best practices:
- Subscribe to industry news publications such as Healthcare Dive, the HIPAA Journal, and Becker’s Healthcare. These reputable sources will keep you up-to-date on the latest developments.
- Join professional associations like the American Medical Association. They provide resources, training opportunities, and updates on regulatory changes.
- Invest in ongoing training on the latest cybersecurity threats and best practices for relevant staff members. Keeping them regularly informed can significantly reduce the risk of breaches caused by human error. This practice helps to create a security-first culture.
- Regularly audit and assess your cybersecurity stance. Doing so allows you to take a proactive approach to mitigating risks, identifying vulnerabilities, and ensuring compliance.
- Likewise, create and enforce an incident response plan. This plan will detail how your practice will respond to and address potential cybersecurity breaches.
- Ensure your data is encrypted at rest (i.e., while stored on a device or server) and in transit (i.e., while actively being transferred across a network). This step is essential to protecting data if other security measures are compromised.
- Keep security systems up to date with the latest patches and updates. This helps minimize the vulnerabilities that attackers can use to gain access to and expose your data.
At RXNT, we’re at the forefront of integrating cutting-edge biometric technology to elevate security and user experience. By incorporating multi-factor authentication with biometric features, we’re setting new standards in reliability and protection.
Interested in learning how this technology can enhance your practice? Reach out to RXNT to learn how we can support the safety of your patients, streamline your operations, and protect your revenue.