Over the last few years, attacks against the healthcare sector have been severe and widespread, targeting sensitive patient data and critical medical operations.
The 2020 ransomware attack on Universal Health Services forced systems offline across roughly 400 facilities in the U.S., disrupting patient care and operations. In 2021, Ireland’s Health Service Executive (HSE) suffered a ransomware attack that paralyzed its IT systems, causing extensive delays in healthcare delivery and substantial financial losses.
More recently, in early 2024, a ransomware attack on one of the world’s largest health payment processing companies, Change Healthcare, created a massive backlog of unpaid claims and left doctors’ offices and hospitals with major cashflow problems, threatening patients’ access to care. The attack also exposed millions of patient records, sparking a national debate about cybersecurity in healthcare.
These incidents highlighted a harsh reality: cybersecurity in healthcare is no longer just an IT issue; it’s a matter of patient safety. Moreover, with the U.S. Department of Health and Human Services (HHS) rolling out new regulations and incentives as noted below, the landscape is shifting dramatically. These changes aim to enhance cybersecurity practices and will have significant implications for GRC professionals and healthcare entities.
A Comprehensive Strategy for Healthcare Security
The recently released HHS healthcare sector cybersecurity strategy introduces voluntary Cybersecurity Performance Goals (CPGs), which serve as benchmarks for cybersecurity maturity across the Healthcare and Public Health (HPH) sector.
The CPGs are organized into two tiers, “essential” and “enhanced,” each serving a distinct purpose. The “essential” goals describe the foundational practices every HPH organization should have in place to establish a baseline of protection (for example, multifactor authentication, email security, patching of known exploited vulnerabilities, basic workforce training, and encryption of sensitive data). The “enhanced” goals are intended for organizations that have already implemented the essential practices and want to mature further (for example, asset inventory, network segmentation, centralized log collection, and regular cybersecurity testing).
However, smaller healthcare providers may find the goals burdensome due to limited resources and technical expertise. Implementing all recommended measures requires significant financial investment in technology, training, and personnel, which smaller providers often lack. Moreover, smaller providers may struggle with the complexity of advanced cybersecurity strategies, such as real-time threat monitoring and incident response planning, without specialized knowledge or external support.
This financial and technical gap raises concerns about their ability to comply effectively with the CPGs, potentially leaving them vulnerable to cyber threats and compromising patient data security.
The Carrot and the Stick: Incentives & Penalties
Recognizing these challenges, and to encourage adoption, HHS has proposed an incentive program modeled on the Meaningful Use program, which rewarded hospitals for adopting electronic health records. Under the new program, hospitals that implement the “enhanced” CPGs could receive financial incentives, making investment in robust cybersecurity measures more attractive.
HHS also plans to establish two critical programs: one to provide upfront investments to high-need healthcare providers, like under-resourced hospitals, to cover the initial costs of implementing the “essential” HPH CPGs, and another to incentivize all hospitals to adopt advanced cybersecurity practices in line with the “enhanced” HPH CPGs.
Additionally, a forthcoming update to the HIPAA Security Rule is expected to impose stricter requirements on healthcare organizations. HHS has also said it will seek to increase fines for HIPAA violations and to invest in more thorough investigations and audits. This combination of incentives and penalties aims to drive meaningful change across the healthcare sector, but it also raises questions about the balance between support and enforcement.
Cybersecurity: It’s No Longer Just an IT Problem
Traditionally viewed as a technical concern, cybersecurity is now recognized as integral to patient safety. It must be integrated into overall risk management and patient care strategies. GRC professionals have a vital role in this transition, ensuring that security measures are robust and aligned with patient safety goals and regulatory requirements.
This new healthcare cybersecurity era has also reached the boardroom, where discussions about risk management and reputation are increasingly centered around cybersecurity. As a result, healthcare entities must prioritize cybersecurity as a core element of their strategic planning and operational practices.
Preparing for the New Landscape
To adapt to these regulatory changes and improve cybersecurity practices, healthcare organizations and GRC professionals should take the following steps:
Conduct a Comprehensive Cybersecurity Risk Assessment
Identify potential vulnerabilities and assess the organization’s current cybersecurity posture. The assessment should cover all digital assets, networks, and systems, including connected medical devices and third-party services that handle patient data, to uncover weak points. Note that the HIPAA Security Rule already requires covered entities and business associates to perform a risk analysis, so this step is a compliance obligation rather than merely good practice. The findings should drive a targeted action plan that addresses identified risks, prioritizes remediation, and allocates resources accordingly.
Align Cybersecurity with the CPGs
Create a comprehensive cybersecurity program that maps to the CPGs. Map each essential and enhanced goal to the policies, procedures, and technical controls that satisfy it, so that gaps are visible and remediation can be tracked. The program should cover everything from access controls and encryption to incident response plans and timely patching, and it should be designed to protect sensitive data while meeting regulatory requirements.
Invest in Employee Training and Awareness
Cybersecurity is a collective effort. Investing in regular training and awareness programs for all employees can help mitigate risks associated with human error and improve the organization’s overall security posture. These programs should cover topics such as recognizing phishing attempts, safe data handling practices, and the importance of reporting suspicious activities.
Engage in Regular Cybersecurity Audits
Regular audits help ensure that cybersecurity controls are effective and up to date. They should be thorough and performed by qualified professionals to identify weak spots and areas for improvement and to confirm compliance with regulatory standards. Audits are also an opportunity to test the organization’s incident response capabilities, for instance through tabletop exercises, and to verify that policies and procedures are actually being followed.
Being Informed is the First Defense
The cybersecurity landscape is constantly shifting. Staying informed about new regulations, emerging threats, and best practices is at the heart of maintaining a robust cybersecurity posture. GRC professionals should actively engage with industry groups, attend relevant conferences, and subscribe to cybersecurity updates to stay ahead of the curve.
Keeping abreast of the latest developments helps the organization quickly adapt to new challenges and regulatory requirements.
Taking a Proactive Stance on Cybersecurity
The new healthcare cybersecurity era, marked by stricter regulations, incentives, and penalties, is transforming how healthcare organizations approach patient safety and data protection. The introduction of the CPGs and the proposed linking of cybersecurity performance to financial incentives underscore the critical importance of robust cybersecurity practices.
For GRC professionals, this shift presents an opportunity to take a proactive stance on cybersecurity, embracing the changes to improve patient safety and organizational resilience. As healthcare organizations navigate this evolving landscape, they must recognize that cybersecurity is not just an IT issue—it’s a fundamental component of patient care.
The stakes are higher than ever. The question is no longer whether healthcare organizations can afford to invest in cybersecurity but whether they can afford not to. As regulatory pressures and cyber threats continue to rise, the need for a comprehensive, organization-wide approach to cybersecurity has never been more urgent. The future of patient safety depends on it.
Do you want to get tailored advice on complying with the evolving cybersecurity landscape in the healthcare sector? Contact Elevate and schedule a consultation.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.