LUGPA Policy Alert:
Cybersecurity Threats in Healthcare on the Rise

March 2024  

Healthcare providers remain prime targets for cybercriminals, with global cyberattacks on healthcare organizations steadily increasing. In 2023 alone, a staggering 133 million individuals fell victim to healthcare data breaches, more than double the previous year's count. The average breach impacts over 200,000 people, highlighting the severity of the situation.

Disturbingly, the number of breached healthcare records skyrocketed by 156% in 2023, totaling 133,068,542 records compromised. Ransomware attacks on hospital systems rose significantly, with 46 systems falling prey in 2023, up from 25 in 2022 and 27 in 2021.

In late February, a cyberattack on Change Healthcare, a technology company acquired by UnitedHealth Group’s Optum division in 2022 , brought its systems to a standstill for over a week, severely impacting healthcare providers and disrupting vital operations. The incident, first reported on February 21, was later identified as a "cybersecurity issue" stemming from an external threat UHC eventually paid the ransom demanded by the hackers to the tune of $22 million.

This breach underscores the critical need to bolster cybersecurity resilience in the healthcare sector. Cyberattacks on insurers create widespread disruptions impacting healthcare. When insurers shut down systems en masse, payments to providers for care are delayed, leading to delays in additional care delivery. Beneficiaries may struggle to access prescription medications and copay assistance. These attacks highlight the interconnectedness of healthcare and the need to address cyber threats for uninterrupted access to essential care.

Financially, healthcare data breaches come at a hefty cost, averaging $10.93 million per incident, surpassing all other industries.

Over the past five years, the HHS Office for Civil Rights noted a staggering 256% increase in large data breaches due to hacking and a 264% surge in ransomware attacks. To combat these threats, healthcare stakeholders must prioritize cybersecurity, as outlined in HHS's cybersecurity strategy. Striking a balance between patient privacy and data sharing is crucial. Policymakers can promote secure data exchange while safeguarding patient privacy through legal compliance, robust data security measures, interoperability, and patient education.

Practices should diligently review their Business Associate Agreements (BAAs) to ascertain the designated party responsible for notifying patients regarding their Protected Health Information (PHI), along with establishing additional processes and safeguards for PHI protection. It is strongly advised to collaborate with your General Counsel to ensure the accuracy and currency of BAAs. Failure to maintain up-to-date agreements exposes practices to heightened risks, underscoring the critical need for timely updates and compliance."

For additional resources on enhancing cybersecurity in healthcare, visit LUGPA’s dedicated page: Improving Cybersecurity for Healthcare Providers.

You can read HHS’s Statement Regarding the Cyberattack on Change Healthcare here. HHS’s guidance on cybersecurity can be found here.

An additional letter from the Medical Group Management Association (MGMA) on the attacks on how to mitigate their impact can be found here.