In 2023, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights reported 725 significant digital security breaches in health care, surpassing the previous year’s 720 breaches.
If numbers from the last eight years are any indication, this trend will likely continue. From 2021 to 2022, cyberattacks among ambulatory surgery centers (ASCs) alone rose 31% to a total of 235, according to a report from Critical Insight.
In June 2024, the Ambulatory Surgery Center of Westchester (ASCW), Mount Kisco, New York, announced a data security incident that may have impacted data belonging to certain employees and patients.
The breach was uncovered when unusual activity was spotted in an employee’s email account. The organization engaged in digital forensics and employed an incident response firm to investigate, determining whether any data within the mailbox may have been affected.
The ASC then undertook a comprehensive review of the potentially affected data and found that certain personal and protected health information was contained in the account. ASCW then provided written notification of the incident to impacted individuals and implemented additional measures to enhance network security, minimizing the risk of a similar incident occurring in the future.
While cyberattacks happen in all industries, health care struggles with them more than most.
Many health care organizations struggle with basic security measures and consistently fail to adhere to best practices. In addition, the sector is an especially attractive target for criminals because of the vast amount of sensitive personal and health information it holds, which can be valuable in extorting victims.
This data can be used for identity theft, health care insurance fraud and other deceitful activities; therefore, each medical record can be worth thousands of dollars on the black market.
“There is a great deal of variance regarding security posture,” Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS), told ASC News. “This is due to ownership, available budget and company culture. The entity with deeper pockets may have more robust cybersecurity practices, but only if the owners prioritize cybersecurity. Centers with better funding are more likely to have modern security solutions and infrastructure.”
HIMSS is a global member-based society focused on reforming the global health ecosystem through information and technology.
The Chicago-based nonprofit offers expertise in health innovation, public policy, workforce development, research and digital health transformation.
Cybersecurity goals in action
In December 2023, HHS published plans to improve resilience and limit the severity of these attacks, along with guidance on combating them.
Further supporting these plans, HHS unveiled voluntary cybersecurity performance goals (CPGs), consisting of the measures with the most significant impact on security, and an update to the HIPAA Security Rule to add new cybersecurity requirements.
Two tiers of CPGs, essential and enhanced, were developed based on the Cross-Sector CPGs released by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
These initial CPGs were intended to serve as a cybersecurity baseline for all critical infrastructure organizations. The aim is to get all health care organizations to adopt essential CPGs to make it difficult for hackers to access networks and provide incentives to bolster their cybersecurity programs.
Essential CPGs are intended to aid organizations in addressing common vulnerabilities to improve security and incident response and minimize residual risk. Enhanced CPGs help organizations mature their cybersecurity capabilities and improve defenses against these attacks.
“The HPH-specific CPGs were developed based on the health care sector’s unique risks and challenges,” Kim said. “They are intended to improve an organization’s response to incidents and minimize residual risk. The HPH-specific CPGs are aligned with CISA’s cross-sector cybersecurity performance goals, which are also voluntary.”
Voluntary goals help organizations focus their efforts and prioritize their cybersecurity programs, experts told ASC News.
“They’re especially helpful in determining what to tackle when you have limited resources in an evolving environment,” Jeremy Carriger, chief information security officer at Arcadia, told ASC News. “They’re also beneficial for benchmarking an organization’s cybersecurity program to understand if they’re doing enough in a particular area.”
Boston-based Arcadia offers an interoperable data platform that uses analytics to help payers and providers shape strategies, inform decisions and facilitate actions.
“The HIPAA Security Rule does not specify how the various requirements are to be satisfied,” Kim added. “[The organization’s] compliance team and in-house legal counsel or retained outside counsel can work to ensure HIPAA compliance while incorporating the new cybersecurity requirements. As the threat landscape changes, so must our security measures.”
Along with these CPGs, Kim suggests addressing common vulnerabilities and improving incident response with a risk assessment.
Carriger agreed.
“Health care organizations can address common vulnerabilities and minimize cyber-attack risks by completing an annual risk assessment and augmenting those assessments through regular scans and penetration tests,” Carriger said. “Often, these exercises will help you identify technical weaknesses in your program that you should record and track to ensure you’re following up to patch them. Additionally, tabletop exercises – both at the leadership and tactical responder levels – can pressure test your incident response plan and promote awareness and adherence to your plan.”
Carriger also said organizations should implement tools to contain an incident, such as an endpoint detection and response service that continuously monitors the organization for threats.
“These services also allow you to act quickly to contain and minimize the impact in the event of an incident,” he said. “Similarly, organizations should have a robust backup and recovery plan to support business continuity. For example, if your organization relies on VoIP phones, how will you maintain connectivity and communications if an incident forces a network outage?”
Recent cybersecurity incidents in health care have specifically taught operators that human factors leave organizations vulnerable.
“For example, phishing remains one of the most common attack vectors,” Carriger said. “Consequently, it’s important to prioritize employee training and promote a culture of security awareness. I recommend organizations move beyond annual training to an ‘always on’ or ‘steady drip’ approach.”
Multi-factor authentication (MFA) can be especially helpful.
“Organizations can take this a step further by implementing so-called ‘push bombing’ resistant techniques,” Carriger said. “These require users to complete multiple steps to approve an MFA request, such as entering a one-time password and approving a prompt.”
Another best practice health care organizations should prioritize is layering in a conditional access policy.
“These simple business rules restrict or prevent access to an environment to thwart bad actors,” Carriger said.
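To make the "simple business rules" concrete, here is an added example of a conditional access evaluator; it is not code from Arcadia or from the article, and the rules, roles, trusted network ranges and client names are constructed assumptions. Each sign-in's context is checked against ordered rules; any matching block rule wins, otherwise a matching MFA rule is satisfied only if MFA was already completed.

```python
"""Minimal conditional access evaluator (added example).

Rules are data, so the security team can review them like any other policy.
Evaluation is fail-closed: a sign-in whose context cannot be parsed is treated
as off-network rather than trusted.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str              # constructed roles: "clinician", "billing", "admin"
    source_ip: str
    device_compliant: bool  # managed and patched according to device management
    client: str            # constructed client types: "browser", "mobile_app", "legacy_imap"
    mfa_done: bool


# Constructed example ranges standing in for the clinic LAN and its VPN egress.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("203.0.113.0/24")]
LEGACY_CLIENTS = {"legacy_imap", "legacy_smtp"}   # protocols that cannot carry MFA
PRIVILEGED_ROLES = {"admin", "billing"}


def on_trusted_network(ip: str) -> bool:
    """Unparsable or unexpected addresses count as untrusted (fail closed)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


# (rule name, predicate over the sign-in, outcome when the predicate holds)
RULES = [
    ("block legacy authentication", lambda s: s.client in LEGACY_CLIENTS, Decision.BLOCK),
    ("block admins on unmanaged devices", lambda s: s.role == "admin" and not s.device_compliant, Decision.BLOCK),
    ("mfa when off the trusted network", lambda s: not on_trusted_network(s.source_ip), Decision.REQUIRE_MFA),
    ("mfa for privileged roles", lambda s: s.role in PRIVILEGED_ROLES, Decision.REQUIRE_MFA),
    ("mfa on unmanaged devices", lambda s: not s.device_compliant, Decision.REQUIRE_MFA),
]


def evaluate(s: SignIn):
    """Return (decision, names of the rules that fired) for one sign-in."""
    fired = [(name, outcome) for name, pred, outcome in RULES if pred(s)]
    reasons = [name for name, _ in fired]
    if any(outcome is Decision.BLOCK for _, outcome in fired):
        return Decision.BLOCK, reasons
    if any(outcome is Decision.REQUIRE_MFA for _, outcome in fired):
        return (Decision.ALLOW if s.mfa_done else Decision.REQUIRE_MFA), reasons
    return Decision.ALLOW, reasons


# Constructed sign-ins illustrating each outcome.
SAMPLES = {
    "clinician on LAN": SignIn("c.lee", "clinician", "10.20.5.7", True, "browser", False),
    "clinician from home": SignIn("c.lee", "clinician", "198.51.100.4", True, "browser", False),
    "clinician from home with mfa": SignIn("c.lee", "clinician", "198.51.100.4", True, "browser", True),
    "admin on unmanaged laptop": SignIn("r.admin", "admin", "10.20.9.2", False, "browser", True),
    "billing via legacy mail client": SignIn("b.ops", "billing", "10.20.3.3", True, "legacy_imap", True),
    "billing on LAN without mfa": SignIn("b.ops", "billing", "10.20.3.3", True, "browser", False),
    "garbage source address": SignIn("x", "clinician", "not-an-ip", True, "browser", False),
}


def evaluate_samples() -> dict:
    return {name: evaluate(s)[0].value for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        decision, reasons = evaluate(s)
        print(f"{name:32} -> {decision.value:12} {reasons}")
```

The returned rule names double as an audit trail: logging them with each decision lets responders see why a sign-in was blocked or challenged, and lets the team spot a rule that fires far more often than expected.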
Legislation in the works
On July 11, U.S. Senators Jacky Rosen, a Democrat from Nevada, Todd Young, a Republican from Indiana, and Angus King, an Independent from Maine, introduced the bipartisan Healthcare Cybersecurity Act.
The act is intended to direct CISA and HHS to collaborate on improving cybersecurity and to make resources relating to cyber threat indicators and appropriate defense measures available to non-federal entities.
It would also create a special liaison to HHS within CISA to coordinate during cybersecurity incidents and collaborate to support healthcare and public health sector entities.
“Health care cyberattacks are a growing threat nationwide,” Senator King, co-chair of the Cyberspace Solarium Commission, said in a statement. “These attacks and breaches of data can mean the difference between life and death for patients, significantly impact hospital operations, and – with the average hack costing millions to address – increase health care prices across the board. The bipartisan Healthcare Cybersecurity Act will take important steps toward protecting patients’ data and healthcare provider capabilities and bolstering our cybersecurity infrastructure response.”