Personal health information (PHI) in the form of electronic health records (EHRs) is a valuable target for cybercriminals. According to Managed Healthcare Executive, health agencies saw a 125 percent increase in data breaches in the last five years, while CSO Online notes that more than 392 million PHI records have been disclosed from nonhealth organizations keeping critical data on file — for example, finance, insurance and educational institutions.

To address these challenges, the federal government has been shoring up support for the Health Insurance Portability and Accountability Act (HIPAA), but increasing compliance has done little to curb the rash of network attacks. Is HIPAA history in a post-EHR world?

Big Numbers, Big Risk?

According to the Centers for Disease Control (CDC), roughly 1.2 billion visits are made to physicians’ offices, emergency rooms and outpatient facilities each year. In the vast majority of these cases, doctors access EHRs to modify, transmit or record PHI and streamline the treatment and diagnostic process.

As HIT Consultant points out, however, the implementation cycle of health care IT is extremely long; while HIPAA passed in 1996, it wasn’t until 2003 that standards for electronic transactions were put in place. And despite widespread EHR adoption, the age and type of IT infrastructure used to access these records varies substantially.

Some of this infrastructure is decades old and relies on clunky, outdated desktops. Some is more modern and designed to be used with mobile devices but often doesn’t support the level of security necessary to ensure safe storage and risk-free transmission of data within — or beyond — the walls of a doctor’s office or hospital.

Forbes puts it simply: Health care agencies have become too focused on compliance with HIPAA and Affordable Care Act (ACA) regulations as a way to protect patient data despite the growing number of breaches of HIPAA-compliant databases. Why the disconnect? Because HIPAA and other health care acts aren’t IT security measures but basic handling practices. To secure PHI, a new standard is required.

Emerging Challenges

Ultimately, the health care technology landscape is fragmented as IT pros attempt to balance the usability required by doctors and nurses with the next-gen security required to protect interoperable desktops, mobile devices and cloud-based systems.

As noted by the University of Arizona, federal organizations are making efforts to shore up IT defenses. For example, the FDA recently released a set of guidelines for “wirelessly connected medical devices,” which recommends that manufacturers identify potential points of compromise in their offerings before they hit the market. But these guidelines aren’t enforceable standards; if manufacturers choose speed over security, health care agencies themselves must do the legwork of evaluating security performance.

Other challenges have also emerged. IT Business Edge notes that most health care applications aren’t secure and are susceptible to both code tampering and reverse engineering. Many organizations also rely heavily on the cloud, with “average” health agencies using over 900 cloud services.

The problem? Just seven percent meet typical enterprise security requirements. The Internet of Things (IoT) presents another challenge, with proof-of-concept tests already describing how devices like pacemakers and drug pumps can be hacked and used to harm patients. Bottom line? HIPAA covers only a tiny portion of the IT threat landscape, but is often viewed as a broad defense. The result is a massive — and growing — attack surface for motivated cybercriminals.

A Healthy Outlook?

So how does the health industry transition from mere compliance to cutting-edge IT security? The first step is accepting that all EHR and PHI security is IT security. This, in turn, should drive greater IT spending along with the development of a security-minded culture based on actual risk measurements rather than government-mandated compliance as the gold standard. Enhanced mobile device protection, encrypted data and cloud regulation also play a role in the health care IT treatment plan; to achieve significant results, agencies must opt for holistic rather than specific measures.

Here’s the takeaway: Health care organizations are enterprises. As such, they need comprehensive IT security plans to handle emerging threats. Just as the retail industry must do more than stay PCI DSS compliant to protect user data and banks must go beyond EMV standards to secure financial details, so, too, must health care move beyond the starting point of HIPAA to develop comprehensive, forward-thinking IT strategies.
