Pharmacy Technology & Management Review

Significant Changes Proposed to HIPAA Security Rule

The security rule NPRM is far reaching, impacting every entity in healthcare, and creates new definitions and requirements for both covered entities (CEs) and business associates (BAs) | Catalyst Corner

Jun 17, 2025


By Marsha Millonig, B.Pharm., M.B.A.

Cybersecurity is a growing concern for both the private and public sectors, especially in healthcare, where data breaches can be even more serious than in other sectors. Why? Healthcare data has high value. Names, dates of birth, and health histories don’t change, in contrast with, for example, financial data, where a person’s passwords, bank account numbers, and other information can all be changed. This high data value is one of the reasons that cybercriminals target the healthcare industry. The healthcare and public health sector has been the most targeted critical infrastructure for the last decade.

Clearly, the rise in the number, extent, and direct and indirect cost impact of healthcare data breaches is of great concern. Safeguarding identifiable protected health information (PHI), both on paper and in electronic forms, is one of the grounding concepts behind the Health Insurance Portability and Accountability Act (HIPAA). In response to these growing concerns and the rise in healthcare data breaches, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to modify the “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” (ePHI). OCR administers and enforces the security rule. The rule establishes national standards for the protection of individuals’ ePHI by covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates. The NPRM may be found here:

The proposed changes to the security rule are far reaching, impacting every entity in healthcare. They create new definitions and added requirements for both covered entities (CEs) and business associates (BAs). The proposed timeframes are considered unrealistic by many in the pharmacy and healthcare community, as are the estimated costs to comply with the recommended changes. Some highlights of the proposal include:

  • Urgent HIPAA Changes Ahead: Discover how proposed modifications to the HIPAA Security Rule will profoundly reshape compliance for all healthcare entities, including your own.

  • Navigate the New Mandates: Get a crucial breakdown of upcoming requirements, from mandatory documentation and risk analyses to strict new rules for ePHI encryption and multifactor authentication.

  • Assess the True Impact: Learn why many in the healthcare community are concerned about the "unrealistic" timeframes and estimated costs of complying with these far-reaching security updates.

  • An Overview of Enhanced Cybersecurity: Understand the critical steps your organization will need to take, including regular audits, vulnerability scanning, and updated contingency planning.


When I spoke at the ASAP Annual Conference in January, I highlighted a number of healthcare security breach trends and specific situations. More than 725 data breaches involving more than 500 healthcare records occurred in 2024. That’s up from 199 breaches of more than 500 healthcare records in 2010 — an increase of nearly 75%. Many readers will remember the cyberattack on UnitedHealth Group’s Change Healthcare subsidiary in February 2024. That attack crippled much of the healthcare industry, including pharmacies, for weeks and months. Ultimately, the company’s CEO would admit that more than one-third of all Americans likely had their healthcare records compromised — 190 million in all. It was the largest data breach in history, eclipsing a 2015 Anthem breach involving 78.8 million healthcare records. Discounting the Change Healthcare breach, around 85 million healthcare records were breached in 2024.


Figure: Causes of healthcare security breaches, 2009-2024 (Source: The HIPAA Journal)

Costs associated with these breaches are high, for both companies and individuals. Victims of medical identity theft incur on average $13,500 to recover from that theft. The healthcare industry faces the highest average cost of data breaches, with an estimated cost of around $10 million per breach. Damage incurred by cybercrime is expected to reach $10.5 trillion by 2025.

Healthcare data breaches happen in numerous ways. In 2024, the most common cause of large healthcare data breaches was hacking and other IT incidents, accounting for 589 data breaches, or 81.2%. The second biggest cause was unauthorized access/disclosure incidents, with 114 incidents reported for the year, or 15.7%. There were 18 loss-and-theft incidents (2.5%) and four improper disposal incidents (0.6%). Trend data below shows the rise in hacking/IT incidents in the past decade.

Network servers were the most common location of breached protected health information, followed by email accounts, which were involved in 169 breaches.


© 2025 ComputerTalk Associates, Inc.