This month, following increasing cyber attacks and evolving tactics, the Biden administration released a concept paper building on the national cybersecurity strategy released last year. The paper focuses specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber attacks. It details four pillars for action, including publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector. Is anyone predicting this will help against the continued attacks on our healthcare data? Is anyone predicting that required minimum standards will happen and help?
And join us for the next few weeks as we look at what we might see in 2024.
In 2024, I believe advanced persistent threat actors will continue to become more sophisticated in exploiting user behavior. The rapid use and adoption of Generative AI will assist with creating targeted user attacks, as well as make it easier for users to leak sensitive data, inadvertently implement nonpermissive code, and unwillingly create vulnerable software.
In 2024, I predict a continued surge in cyber-attacks, ransomware incidents, and OCR Resolution Agreements concerning privacy, security, and compliance in healthcare data exchange. Despite the presence of the HIPAA Safe Harbor Law, there appears to be a repetitive tendency among HIPAA-covered entities and business associates to overlook third-party accreditation/certification, resulting in missed compliance measures including risk analysis and understanding the implications of Privacy Individual Rights in handling sensitive information. Simultaneously, technological progression, particularly in AI usage, is reshaping the way data is handled. On a positive note, the increasing interoperability in our data exchange landscape is accompanied by evolving policies and technical requirements aimed at safeguarding data.
If New York Gov. Kathy Hochul’s proposal to make New York the first in the U.S. to require hospitals to adopt minimum cybersecurity standards passes, we could see other states take up similar initiatives to begin moving the sector toward baseline cybersecurity requirements. Adherence requirements to baseline, ability to adapt such measures to fluid threats, and the grant mechanics will be critical to the success of any proposed program, particularly with the need to align to the prescriptive foundation laid by the Health and Public Health Cyber Security Coordinating Council and the HHS’ 405d Health Industry Cybersecurity Practices.
The increased threat posed to patient safety by the ongoing targeting by cybercriminals and ransomware attacks is a critical risk to the nation. And as an industry, we need federal support in the form of resources and workforce development programs to protect at-risk hospitals and health systems from the monthlong outages we’re seeing today.
In 2024, Generative AI is expected to contribute to a 16% increase in data breaches, simplifying and expediting social engineering attacks like AI-based spear phishing, vishing, and Large Language Models with AI and Machine Learning. Mitigating these risks requires robust security and awareness training, with additional NIST guidance anticipated in the year ahead. Gartner forecasts that by the end of 2024, data privacy regulations will cover personal data for three-quarters of the global population, prompting companies to allocate an average annual budget exceeding $2.5 million for privacy, according to the Innovation News Network. This necessitates enhanced internal and external measures for storage, data exchange, and access to personal data to mitigate the escalating risk of breaches and cyber-attacks.
With the inevitability of data breaches in healthcare, organizations need to keep a determined commitment to safeguarding protected health information (PHI). The journey toward privacy, security, and compliance can be crystallized in five key steps:
- Understand your risk: Recognize the increasing threat of data breaches in healthcare, considering the rising number of affected business associates.
- Start small: Begin the certification journey with smaller, specialized certifications before tackling larger ones.
- Read and follow the instructions carefully: Accrediting bodies may have specific policies and procedures.
- Know when to ask for help: For organizations new to the certification process, seeking assistance from experienced consultants can aid in understanding requirements.
- No cookie-cutter approach to compliance: Recognize the diversity among healthcare organizations handling protected health information – flexibility is crucial in the audit process.
For healthcare organizations, protecting the privacy and security of sensitive patient data is of critical importance. I recommend the following points as a framework to strengthen an organization’s security posture:
- Identify Scope: Define systems, processes, and services handling sensitive data.
- Risk Assessments: Conduct comprehensive risk assessments to identify vulnerabilities and inform security controls.
- Security Controls: Implement robust controls, including identity access management, strong encryption, intrusion detection, and comprehensive and continuous employee training. Use a standard framework such as the NIST Cybersecurity Framework.
- Documentation: Develop and maintain detailed documentation outlining security practices, procedures, and guidelines for consistency and clarity.
- Continuous Monitoring: Regularly monitor systems and processes, conducting internal and external audits to ensure security effectiveness and regulatory compliance.
- Continuous Improvement: Commit to ongoing improvement by regularly reviewing and updating security controls, policies, and procedures to adapt to evolving threats and regulatory changes.
The cost of data breaches in healthcare, on average, exceeds those of any other industry, which makes it critical for healthcare organizations to focus intently on security and compliance to protect patient data. For providers, managing the risks associated with handling sensitive payment data is one of the most significant challenges of transaction processing. Providers need to ensure that their patient payment platforms deliver comprehensive risk management and security in a scalable form.
To preserve patient safety, security, and privacy, it will become essential that healthcare leaders thoughtfully address how to handle the inevitable errors and problems that will occur as a result of the industry’s rapid adoption of artificial intelligence. While the federal government has outlined plans to regulate AI, numerous questions remain about how regulators will enforce acceptable use of the technology. Next year, we hope the industry gains more clarity on these important issues.
Leveraging data for quality improvement and patient outcomes within healthcare organizations is quickly becoming a key way to gain a competitive edge. When the talent of an organization’s greatest minds is able to work through their problems on real data, the quality of discovery and improvement projects goes up. In the coming years, more pressure will be put on IT staff needing to constantly satisfy this ever-growing, data-hungry group of front-line leaders.
In the era of rapid digitization and adoption of cloud technologies, AI-enabled cyberattacks are on the rise. Organizations are struggling to deal with security challenges brought on by these sophisticated attacks. The best way to adapt and evolve to address new emerging cyberthreats in 2024 is to adhere to industry standard best practices while also layering in new technologies and strategies of responsible AI to fortify defenses and create proactive elements into enterprise security. Besides the assessment of existing systems, an organization needs to consider the following: Understand workflow-based needs; identify redundancies, ease of user training and adoption, scalability, security, and compliance needs; and interoperability of data.
This past year saw an unprecedented increase in data theft and ransomware attacks against hospitals and health systems, according to the American Hospital Association. Unfortunately, as we enter 2024, the volume of attacks on provider organizations shows no sign of easing. Perhaps even more ominously, threat actors are expanding the targets of their attacks beyond large, prominent healthcare providers and insurers to organizations of all sizes. Smaller organizations typically lack the budget, resources, and in-house security expertise to effectively detect and defend themselves against cyberattacks. It would be bad enough if such attacks disrupted operations and exacted financial cost, but they also can contribute to patient harm and even death. We expect healthcare organizations of all sizes to increase their awareness of these threats in 2024 and take steps to protect themselves and their patient data.
In 2024, the healthcare industry will continue to prioritize security, privacy, and compliance as critical concerns. We will see an increased emphasis on AI as it becomes more integrated into healthcare systems and need to grapple with issues of data privacy and the ethical use of patient information. With the continued expansion of healthcare into home settings, particularly through telehealth and remote monitoring, we will also see an increased need to secure and protect remote communications and patient data. Finally, with the increased value of healthcare data, we must brace for an escalation of cyberattacks by implementing stronger security protocols, continuous monitoring, and regular risk assessments to effectively safeguard sensitive patient information and healthcare systems.
I predict that 2024 will be a pivotal year in healthcare tech as AI continues to take center stage. This emphasis on AI will intensify the need for healthcare AI systems to adhere strictly to privacy, security, and compliance standards. It’ll be about making this digital evolution in healthcare as secure as it is groundbreaking.
By David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
LinkedIn: David (Samuel) Finn
It is very difficult to talk about 2024 without starting from where we are ending 2023. We only need to go back to Thanksgiving to paint the picture of healthcare cybersecurity in 2023. Over Thanksgiving weekend, a single ransomware attack left 30 hospitals across 6 states without network services. This resulted in diversions and rescheduling of non-emergency procedures – not a lot to be thankful for, for anyone. This attack was the latest in a series of attacks on healthcare organizations – in a year of a record number of ransomware attacks in the sector.