TL;DR
The healthcare industry is facing new cybersecurity regulations from the HHS, including Cybersecurity Performance Goals, to combat rising cyber threats. Organizations must adopt a proactive security strategy and align with frameworks like NIST to protect patient data and ensure compliance.
The digital transformation of healthcare has brought immense benefits, from electronic health records to telemedicine services. However, this transformation has also expanded the attack surface for cybercriminals. The healthcare industry is now a prime target for malicious activity like ransomware attacks, data breaches, phishing scams, and insider threats.
Healthcare Threats by the Numbers
- 88% of healthcare organizations experienced cyber-attacks in the past year. [1]
- Operational disruptions due to cyberattacks had an average cost of $1.3 million. [2]
- Ransomware hit 141 hospitals in 2023; the average ransom was $1.5M per institution. [3]
- 64% of practices experienced an average of four supply chain attacks in the last two years. [4]
- 77% of those experiencing supply chain attacks reported an impact on patient care. [5]
The Goal of Cybersecurity in Healthcare
A crucial component of overseeing a healthcare practice involves addressing the cybersecurity risks inherent to the digital landscape. To safeguard electronic data and digital assets against unauthorized access, utilization, and exposure, healthcare executives need to implement robust security protocols. These measures aim to protect sensitive patient information, healthcare records, and personal details from the threats posed by hackers, cybercriminals, and other malicious entities.
According to HIMSS, “There are three goals of cybersecurity: protecting the confidentiality, integrity and availability of information, also known as the CIA triad.” Confidentiality means keeping critical information private and preventing unauthorized access. Integrity means keeping data accurate and guarding against unauthorized modification. Availability means that authorized individuals have prompt and dependable access to information whenever it is needed.
Understanding the Shift in the Healthcare Landscape
In response to the escalating cyber threat landscape, the Biden administration and the Department of Health and Human Services (HHS) have introduced critical regulatory changes. These measures, including the HHS Cybersecurity Performance Goals and the HIPAA Security Rule and NIST CSF implementation guide, set new benchmarks for cybersecurity practices within healthcare.
Biden Proposed Regulations for Healthcare Cybersecurity
The Biden administration has proposed new cybersecurity regulations aimed at fortifying the digital infrastructure of critical sectors, including healthcare. These regulations are designed to enhance the cybersecurity standards within the healthcare sector to protect sensitive patient data and healthcare services from cyber threats, promoting a secure and resilient healthcare ecosystem.
HHS Cybersecurity Performance Goals
The Department of Health and Human Services (HHS) has introduced Cybersecurity Performance Goals to provide healthcare organizations with a structured framework to enhance their cybersecurity measures. These goals aim to help healthcare entities identify and prioritize their cybersecurity initiatives to protect patient information and healthcare systems effectively.
- Comprehensive Cybersecurity Framework: Guides healthcare organizations in prioritizing and focusing on critical areas for cybersecurity protection.
- Robust Cybersecurity Posture: Emphasizes the importance of safeguarding patient information and healthcare systems from cyber threats, thereby ensuring the availability of healthcare services.
HIPAA Security Rule and NIST CSF Implementation
NIST SP 800-66 Rev. 2 maps the HIPAA Security Rule to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), offering a comprehensive implementation guide for healthcare organizations. This guide helps organizations strengthen the protection of electronic protected health information (ePHI) while maintaining compliance with the HIPAA Security Rule.
Potential Resurgence of HIPAA Audits
The rumored return of HIPAA audits underscores a greater emphasis on compliance and accountability within the healthcare sector. These audits aim to evaluate healthcare organizations' adherence to HIPAA rules, focusing on the protection of patient information and the security of healthcare systems.
Health Sector Coordinating Council (HSCC)’s Five-Year Strategic Plan
The HSCC's Five-Year Strategic Plan outlines a collective effort to enhance cybersecurity across the healthcare sector. This plan emphasizes collaboration between public and private healthcare entities to develop and implement effective cybersecurity solutions, aiming to strengthen the sector's defenses against cyber threats.
The healthcare industry's cybersecurity landscape is undergoing significant changes, driven by an increase in cyber threats and a dynamic regulatory environment. By understanding these challenges and implementing a proactive cybersecurity strategy, healthcare organizations can protect themselves and their patients from the potentially devastating impacts of cyber-attacks.
Discover how your healthcare organization can enhance its cybersecurity strategy and stay ahead of the curve. Learn more about how our vCISOs can guide you through these regulatory updates today.
References
[1] HIPAA Journal, “August 2023 Healthcare Data Breach Report”
[2] Healthcare Finance News, “Patient care threatened by ever-increasing cyberattacks”
[3] Health Sector Coordinating Council (HSCC), “Cybersecurity Strategic Plan”
About ArmorPoint
ArmorPoint, LLC is a managed cybersecurity solution that combines the three pillars of a robust cybersecurity program — people, processes, and technology — into a single solution. Designed by cybersecurity experts, ArmorPoint’s cloud-hosted SIEM technology and extended detection and response capabilities enable businesses to implement a highly-effective, scalable cybersecurity program. With customizable pricing available, every ArmorPoint plan offers a dynamic level of managed security services that support the risk management initiatives of all companies, regardless of available budget, talent, or time. ArmorPoint is developed and powered by Trapp Technology, Inc., a Phoenix-based IT managed services provider. To learn more about ArmorPoint, visit armorpoint.com.