Privacy & Security

It was another record-breaking year for healthcare cyberattacks, and healthcare providers' network servers were again prime targets for hackers.

The agency seeks to make its first HIPAA Security Rule update since 2013 to clarify what health plans, healthcare clearinghouses, providers and their business associates must do to protect the security of electronic protected health information.

Chike Okeke, chief information security officer of data exchange company Concord, offers his perspective on the safe and secure transfer of protected health information.

"The usage of AI and automatic vulnerability scanning performed by the attackers allows them to find an exposed IoT device and conduct an attack on it much quicker than they used to be able to," says one security researcher in a new report.

A cyberattack on May 8 against healthcare giant Ascension resulted in the medical data of 5.6 million customers being exposed, according to a filing with the Maine attorney general’s office published on December 20. WHY IT MATTERS In June, the health system determined that an attacker gained access to its systems after an employee at one of its facilities inadvertently downloaded a malicious file, believing it to be legitimate. The organization stated there was no indication that the incident was anything other than an honest mistake. Months of investigation with third-party experts also led to Ascension determining sensitive data belonging to current and former patients, senior living residents, and employees was potentially exposed. A December 19 announcement from Ascension noted the compromised information varies by individual and may include medical details such as medical record numbers, dates of service, lab test types and procedure codes. Payment information, including credit card or bank account numbers, insurance details ranging from Medicaid and Medicare IDs to policy numbers and claims, government identification, including Social Security numbers, tax IDs, driver’s licenses or passports, and personal information such as addresses and dates of birth were potentially involved. Ascension also confirmed its electronic health records and other core clinical systems, where full patient records are securely stored, were not accessed during the attack. THE LARGER TREND Among the other major healthcare breaches in 2024 include a cyberattack against Change Healthcare in February, which impacted 100 million people – the largest breach ever reported to federal regulators. In April, Kaiser Permanente reported that 13.4 million people were affected by a data breach that exposed patient and plan members' information. Meanwhile, legislation is being proposed to bolster healthcare cybersecurity defense in the form of the Health Care Cybersecurity and Resiliency Act. The bipartisan bill, introduced in November, would offer grants to healthcare organizations to help them shore up their ability to prevent and respond to cyberattacks. Meanwhile, governance remains a concerning weak point in healthcare, even as cyberattacks are becoming more prominent and the risks of IoT medical devices are coming into sharper focus. ON THE RECORD Tim Rawlins, senior adviser and director for security at cybersecurity consultancy NCC Group, noted healthcare will always be an attractive target, given the sheer quantity of sensitive data organizations hold and the need to make information available to the medical staff as quickly as possible. "Basic cyber security measures, individual log ins, multi-factor authentication, and patched, secure and monitored systems will go a long way to preventing these attacks," he said. Nathan Eddy is a healthcare and technology freelancer based in Berlin. Email the writer: nathaneddy@gmail.com Twitter: @dropdeaded209    

A large children’s hospital is seeing significant cost and time savings after implementing RFID to track high-value medications.

Janice Reese, program manager of FAST (FHIR at Scale Task Force), says making patient access simpler is a key benefit, along with identity consent and security.

The Healthcare Cybersecurity Improvement Act, introduced by Rep. Robin Kelly, offers statutory protections for HC3 and funds a grant program to help small and medium-sized hospitals bolster their defenses, among other provisions.

Dr. Eric Liederman, CEO of CybersolutionsMD, joined MobiHealthNews to discuss why healthcare organizations should assess their vulnerability and prepare for ransomware attacks.  

The shutdown disrupted critical healthcare services across the state and exposed Nebraskans' PHI, the lawsuit alleges.