Addressing health care cyberthreats: Further regulation may be on the horizon

Technology investment in the health care ecosystem is expanding as organizations implement cloud-based infrastructures, electronic medical record systems, enterprise resource planning platforms and generative artificial intelligence solutions. These investments offer care providers the necessary tools and resources to help meet patient demand.

This investment trend is expected to continue to grow substantially. The data compiled below shows the median infrastructure cloud revenue growth for large, publicly traded cloud service providers. The majority of health care organizations buy cloud services from these providers, indicating the spend from the health care industry will continue to increase as well.

However, as health care organizations expand their digital footprint, they must also understand the risks of added reliance on technology, including further exposure of patient-sensitive information that cybercriminals try to mine.

Fallout from Change Healthcare

To appreciate these risks, one can unfortunately look to the recent impact the cyberattack on Change Healthcare has had on the health care ecosystem and its ripple effect on various sectors of the health care economy. Some organizations have experienced care delays, suspension of reimbursement for services, and difficulty making payroll and payments on current liabilities.

Cybersecurity risks in health care will likely not end. Cyberattack mentions in the public documents of health care organizations from January to mid-April have been escalating and are set to exceed last year’s total.

Regulatory reaction

Regulatory authorities are reacting to cybersecurity threats in the health care ecosystem. Since the Change Healthcare breach, the Department of Justice, the Department of Health and Human Services’ Office for Civil Rights, and some state attorneys general have acted to investigate various issues stemming from the Change Healthcare cyberattack.

As a result, additional regulatory actions around cybersecurity compliance and transparency of cyber risk management practices are likely to roll out for health care organizations.

To that end, actions that organizations should consider include:

• Improving business continuity planning practices
• Enhancing standards in minimum cyber insurance coverage, especially as it relates to foreign versus domestic hackers
• Ensuring transparency in third-party/vendor risk management programs around patient information

Other considerations include:

• Assessing whether third-party vendors have sufficient safeguards in place when handling sensitive patient data
• Having a diligent risk response and business continuity program in place when an attack is attempted

The takeaway

Health care organizations are investing heavily in technology, from cloud computing to AI. Greater investment will provide better tools for staff and improve patient care; however, this digital expansion creates additional security risks. With cyberattacks on the rise, and the Change Healthcare incident showing how disruptive a breach can be, health care leaders must prioritize cybersecurity alongside technological advancements to ensure they can deliver quality care while protecting patient data.