Despite being subjected to high regulatory expectations and intense scrutiny of its information security practices, the healthcare industry has again succumbed to a significant data breach. Even before the recent cyberattack on UnitedHealth Group’s subsidiary Change Healthcare, recognized by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as being of unprecedented magnitude, a review of the breach portal, which reflects the legally mandated notifications to the Secretary of HHS for breaches of unsecured protected health information, depicted an industry struggling to manage cyber risk effectively. According to the FBI’s 2023 Internet Crime Report, Healthcare and Public Health was the infrastructure sector most affected by ransomware (p. 13). The HIPAA Journal reported: “There was no letup in cyberattacks on healthcare organizations in 2023, which set two new records—the most reported data breaches and the most breached records.” With mandated security rules and ample accompanying guidance, questions remain about why the healthcare industry continues to struggle to manage cyber risks within acceptable risk tolerance levels.
The HIPAA Security Rule
Per the HHS website, HIPAA was adopted “to improve the efficiency and effectiveness of the health care system.” Part of the tradeoff for achieving this goal through technology was the adoption of national standards to protect patient information, including privacy and security rules. Compliance with the security rule was required of large entities in 2005 and of smaller entities in 2006 (45 CFR Part 160 and Part 164 Subparts A & C). The security rule requirements generally align with established information security frameworks and expectations.
The security rule presents its expectations in six categories: general rules; administrative safeguards; physical safeguards; technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. Each category contains required implementation specifications and addressable implementation specifications. For the addressable ones, the organization formally assesses and documents the costs and benefits of not implementing the identified practice (control).
Since the rule’s issuance, consultants, industry groups, and governmental agencies have provided much-needed security-related guidance. For example, HHS-OCR helped develop a security risk assessment tool targeting small to midsize organizations. Additional tools from HHS include educational videos, whitepapers, newsletters, and a listserv. The HHS-OCR website also identifies supporting tools from the FTC and the National Institute of Standards and Technology (NIST). NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. Its publications provide reputable and reliable security guidance that is recognized by the security community and used in many professional and industry references.


Why So Many Breaches?
With ample guidance and even some regulatory pressure, many question why the healthcare industry continues to suffer so many cyberattacks and breaches. In many situations, healthcare is subject to the same attacks and threats as other industries (Stuart Madnick, “Why Data Breaches Spiked in 2023,” Harvard Business Review, Feb. 19, 2024). Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) provides resources, including general alerts and healthcare-specific alerts. The most recent Verizon “2023 Data Breach Investigation Report Healthcare Industry Analysis” (see also the July/August 2023 edition of this column) identifies the following practices as contributing concerns facing the industry:
- Misdelivery of information—where sensitive information is delivered to the wrong person (both internally and through the mail)
- Misuse of privilege—especially by disgruntled employees or those snooping out of curiosity
- Collusion—multiple actors working together
CISA has also identified unique cybersecurity challenges facing the industry, including the following:
- COVID-related technology responses. These include enhanced availability, remote service delivery, and purchases that may not have been subjected to traditional controls.
- Rapidly growing technology landscape. Internet-connected medical devices have been developed and widely deployed without proper privacy and security measures, including a proliferation of unregulated mobile apps that leverage PHI/PII but do not secure it.
- Competing operational priorities. Operational needs often prioritize speed and information sharing over information security.
- Inconsistent cyber hygiene. Stand-alone technologies are digitized and integrated with other systems, creating interoperability dependencies, network segmentation risks, and other cybersecurity challenges. This also includes legacy systems that, no longer supported by their manufacturers, cannot receive the latest security updates, thereby introducing permanent vulnerabilities into organizations’ networks.
Others lament the fundamental challenge facing the industry and its risk management professionals: funds that organizations invest in security are not available for the organization’s mission of saving lives and patient care. This is primarily a challenge for not-for-profit entities. Some are torn between HIPAA’s flexibility, which lets organizations decide among risk management strategies, as described by HHS—“Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI [electronic protected health information]”—and the fear of a mandatory, inflexible one-size-fits-all approach to compliance.
HHS Concept Paper
In December 2023, HHS released a concept paper outlining the department’s cybersecurity strategy for the healthcare industry. As specified in the paper, the actions HHS intends to take to improve the industry’s cybersecurity posture include the following:
- Establish voluntary cybersecurity goals for the healthcare sector;
- Provide resources to incentivize and implement these cybersecurity practices;
- Implement an HHS-wide strategy to support greater enforcement and accountability; and
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
Some in the healthcare industry remain concerned. Reliance on electronic records has necessitated an increasing reliance on interparty and vendor relationships. Critics believe that a “voluntary” goal can be a double-edged sword: some believe the flexibility it provides is vital, whereas others worry that some organizations could easily justify choosing not to implement risk mitigation strategies—especially those that may be more effective but more expensive.
NIST Resource Guide
NIST Special Publication 800-66r2, “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide,” is the 2024 update to NIST’s original guide released in 2008. According to the press release, “this publication, revised in collaboration with the [HHS] Office for Civil Rights, guides regulated entities (i.e., HIPAA-covered entities and business associates) on assessing and managing risks to ePHI, identifies typical activities that a regulated entity might consider implementing as part of an information security program and presents guidance that regulated entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the HIPAA Security Rule.”
The guide is unique in providing a central source of guidance and practices that can be easily referenced and, in many cases, should be implemented. Notable contents of the guide include the following:
Risk assessment. Per the standard [164.308(a)(1)(ii)(A)], organizations need to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Although not necessarily new, the sample assessment tools and the material for generating threat ideas will be helpful to many.
Risk management. Per the standard [164.308(a)(1)(ii)(B)], organizations need to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with section 164.306(a) (risk assessment required).” This section deals with the controls needed to address the threats identified in the risk assessment. Some references to control catalogs (e.g., NIST Special Publication 800-53) are made, although the section focuses on understanding how the assessed risk drives the decision and strategy for mitigating threats.
Considerations when implementing the HIPAA security rule. This comprises the majority of the publication and provides guidance that practitioners can adapt to their own environment or client situation. Each standard of the rule has its own tables; each table contains relevant key activities, representative controls, and sample questions that can be asked to determine whether the standard has been achieved. Although not all controls are identified, the tables provide an excellent starting point. Omissions are identified so that organizations can assess applicability where necessary. Many smaller organizations could use these tables to begin risk assessments and to generate industry-benchmark ideas for managing risk.
Other sections of the guide that should be of interest include the following: Appendix C, Risk Assessment Tables, another beneficial chapter, especially for those identifying potential threats and risks facing the industry; Appendix E, National Online Informative References (OLIR) Program, which is handy for entities that use multiple frameworks or must satisfy multiple security assessment needs, because it shows alignments and commonalities between the security standards and recognized frameworks; and Appendix F, HIPAA Security Rule Resources, which contains an outstanding list of cybersecurity resources usable across all industries.
A Long Journey Ahead
Despite the best intentions, the healthcare industry has a challenging journey ahead. The realities of service delivery limit the opportunity to implement changes rapidly. Unfortunately, precious funds needed for patient service will continue to be diverted to reduce the impact of cyber breaches. As risk mitigation practices mature, the industry must contend with ever more sophisticated attacks. Although complete mitigation may not be possible, reducing risk to acceptable levels may be attainable.