Securing Health Data in 2025: The Rising Cybersecurity Challenges

By Errol Weiss, January 20, 2025

Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone of patient privacy. The act established standards for how healthcare organizations handle and share patient data, creating a framework for ensuring confidentiality.

But the healthcare landscape has transformed dramatically, and with it, the risks have multiplied. Emerging cyber threats and complex vulnerabilities have exposed critical gaps in HIPAA’s protections. In response, lawmakers are advancing new legislation aimed at fortifying healthcare organizations against the escalating tide of cyberattacks.

Last year, lawmakers introduced two bills – the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA) – aimed at modernizing protections for sensitive health data. While these measures represent an important step forward, they remain stalled in the legislative process and have yet to become law.

And, even if they are enacted, the limited scope and enforcement mechanisms outlined in these bills may fall short of addressing the escalating cyber threats plaguing our increasingly digital healthcare system. Without a more comprehensive and aggressive approach, these initiatives risk being seen as symbolic gestures in a fight that demands urgent and decisive action.

The proposed legislation

The Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA) tackle healthcare cybersecurity from two distinct but complementary angles.

The Healthcare Cybersecurity Act focuses on collaboration and resource sharing. It aims to bridge gaps between healthcare organizations and federal agencies, particularly the Cybersecurity and Infrastructure Security Agency (CISA). By fostering these partnerships, the Act seeks to equip healthcare providers with essential cybersecurity tools, resources, and training. It also emphasizes developing standardized frameworks to ensure a consistent approach to identifying and addressing cyber threats across the sector.

In contrast, HISAA targets the technical infrastructure of healthcare organizations. This bill prioritizes funding to modernize outdated systems, attempting to ensure that healthcare facilities – particularly smaller or underfunded ones – can adopt technologies that are secure by design.

HISAA also introduces accountability benchmarks, holding organizations responsible for breaches caused by preventable vulnerabilities, thereby encouraging proactive measures to address risks before they escalate.

Together, these bills aim to build a stronger foundation for healthcare cybersecurity. However, their effectiveness will depend on whether they are enacted and how healthcare organizations integrate them into broader, proactive strategies.

Protecting non-traditional health data

While the proposed bills aim to strengthen cybersecurity in traditional healthcare settings, they largely overlook a critical and growing area of vulnerability: non-traditional health data. The proliferation of consumer health technologies – like fitness trackers, mobile health apps, and telemedicine platforms – has created new risks that fall outside the protections of HIPAA and the scope of the proposed legislation.

Non-traditional health-related data, often stored by third-party tech companies, lacks the rigorous safeguards required for data maintained by healthcare providers. Unlike electronic health records (EHRs), which are subject to strict regulatory oversight, consumer health data remains largely unregulated, making it an attractive target for cyberattacks. Hackers exploit these gaps, breaching platforms that store sensitive personal insights such as activity levels, sleep patterns, and mental health metrics, often without basic protections like encryption.

Addressing the challenges

To address these challenges, policymakers should extend existing healthcare privacy regulations to encompass consumer health data. This would ensure that all health-related information, whether generated by a healthcare provider or collected through consumer devices, meets rigorous privacy and security standards. Additionally, healthcare organizations must work alongside tech companies to establish clear data protection protocols that address the distinct challenges posed by non-traditional health data, such as the need for integration across different platforms while maintaining security.

Partnerships between tech companies and healthcare providers are also crucial for creating secure data-sharing frameworks. These frameworks would define how data is collected, transmitted, and stored to ensure it can be safely used in clinical settings without compromising patient privacy. By setting clear standards for encryption, authentication, and access control, secure frameworks can protect sensitive information while enabling its practical use in healthcare. 

Encouraging the adoption of interoperable health devices and apps that align with these standards is another critical step toward reducing the risks associated with non-traditional health data, helping to build a safer and more cohesive healthcare ecosystem for patients and providers alike.

Strengthening leadership

Effective leadership is the cornerstone of a resilient healthcare cybersecurity strategy. Chief information security officers (CISOs) play a pivotal role in designing and implementing strategies to safeguard sensitive data and mitigate risks. Their responsibilities are particularly critical in rural and low-income healthcare facilities, which often face considerable resource constraints compared to larger organizations.

In rural settings, CISOs must prioritize and allocate resources strategically. For instance, they would be able to use funding from the Health Infrastructure Security and Accountability Act (HISAA) to hire experienced cybersecurity staff and to upgrade essential security infrastructure. CISOs can also lead staff education programs, teaching employees how to recognize threats and follow data protection protocols.

Additionally, CISOs can enhance their efforts by collaborating with information sharing and analysis centers (ISACs). Through these partnerships, healthcare organizations can exchange threat intelligence and learn about best practices to strengthen their defenses in a secure and trusted environment. For smaller facilities with limited in-house expertise, these collaborations provide critical insights into emerging risks and effective countermeasures.

HIPAA Updates on the Horizon

On December 24, 2024, HHS announced a Notice of Proposed Rulemaking (NPRM) to update HIPAA, including updated cybersecurity standards intended to address today’s threats. The proposed requirements include technology asset inventories, enhanced risk assessments, contingency planning, compliance audits, encryption of electronic protected health information (PHI) at rest and in transit, use of multifactor authentication, vulnerability scanning, network segmentation, backup and recovery processes, and more.

The public comment period will run through the end of February 2025, and any final updates to HIPAA are still some way off. Still, these proposed requirements are a step in the right direction toward improving cybersecurity at healthcare providers.

A future of resilience

The Healthcare Cybersecurity Act of 2024 and HISAA offer a strong starting point for addressing the vulnerabilities of the healthcare sector. Yet, as cyber threats evolve, so must the industry’s approach to security.

By embracing the spirit of these legislative measures and supplementing them with proactive strategies – such as securing non-traditional data and investing in leadership and collaboration – healthcare organizations can build a system that not only complies with the law but also ensures resilience against the next generation of cyber threats.

In this new year, the path forward isn’t just about meeting compliance standards; it’s about creating a healthcare ecosystem that is secure, innovative, and prepared to protect patients in every sense.

Errol Weiss

Errol Weiss, Health-ISAC Chief Security Officer, has over 25 years of experience in Information Security beginning his career with the National Security Agency. He created and ran Citigroup’s Cyber Intelligence Center and was a Senior Vice President Executive with Bank of America’s Global Information Security team.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
