Strengthening cybersecurity under the HIPAA Privacy Rule

athenahealth
August 28, 2025
4 min read

Rising threats, higher stakes: the case for stronger healthcare cybersecurity

Healthcare cyber threats are on the rise. The risks are particularly high in this industry because of sensitive patient data, patient safety concerns, operational dependence on technology, and the need to comply with regulations such as the HIPAA Privacy Rule, which governs the use and disclosure of protected health information (PHI) and electronic PHI (ePHI). The average cost of a studied healthcare breach reached nearly $9.77 million in 2024.[1]

Healthcare cybersecurity requires a reliable platform backed by deep expertise. To keep your organization secure, start by understanding what’s happening in the world of cybersecurity today.

What is a data breach — and why healthcare is at risk

A data breach occurs when sensitive, protected, or confidential information is accessed, disclosed, or stolen by unauthorized parties—often through cyberattacks like ransomware, phishing, or system vulnerabilities. In healthcare, this often involves exposure of protected health information (PHI), personally identifiable information (PII), and financial data.

In 2024, major breaches at Change Healthcare and Ascension showed that even the most established health systems are vulnerable.

  • Change Healthcare suffered a ransomware attack, resulting in significant financial losses due to prolonged operational downtime and reputational damage. The failure to safeguard systems triggered legal scrutiny and potential violations of the HIPAA Privacy Rule.
  • Ascension experienced a massive data leak that exposed thousands of patient records, including medical histories and treatment plans. The organization faced HIPAA penalties, high recovery costs, and lasting damage to patient trust.

These incidents reflect a broader trend: healthcare is now the industry most targeted by ransomware groups, surpassing even financial services and government. Medical data is more valuable than credit card numbers, and cybercriminals know that the risks of downtime in care delivery—such as having to revert to paper transactions, losing access to patient data, and not being able to process transactions efficiently—create urgent pressure to pay.

Healthcare cybersecurity can't wait

The urgency around cybersecurity threats in healthcare has reached a tipping point. A perfect storm of market disruption, regulatory pressure, and rapid digital expansion is forcing health systems to re-evaluate their risk or face escalating consequences. Here are just a few things to watch:

  • Digital acceleration: The shift to virtual care, cloud-based platforms, AI-powered diagnostics, and connected medical devices has increased the digital surface area and, with it, the number of entry points for cyberattacks.
  • Financial pressure: Operating margins are razor thin. A ransomware attack can cost millions in system downtime, remediation, and legal fees, not to mention revenue loss from delayed care and eroded patient volume.
  • Regulatory scrutiny: Agencies are tightening enforcement of data privacy rules under HIPAA and HITECH. Failure to secure electronic protected health information (ePHI) now brings harsher penalties and breach notification requirements, increasing reputational risk.
  • Competitive differentiation: As patients become increasingly aware of data privacy, organizations perceived as “cyber-secure” will have a trust advantage in the market. Conversely, a breach can drive patients and employer contracts away.

How to build a resilient cybersecurity strategy

The first step in enhancing cybersecurity is ensuring it’s a core operational and strategic priority. A few targeted moves can set your organization on the right path:

Start with a comprehensive risk assessment.

The HIPAA Privacy Rule requires healthcare organizations to safeguard patient data, limit access to PHI, and notify affected parties in the event of a breach. Compliance not only reduces regulatory risk but also reinforces trust with patients and partners.

In addition to HIPAA, several key regulatory frameworks shape how healthcare organizations manage cybersecurity. The HITECH Act builds on HIPAA’s standards by requiring stricter breach notification procedures and incentivizing the secure adoption of EHRs. To align with these regulations and improve security readiness, many healthcare providers adopt the NIST Cybersecurity Framework, which offers a structured approach to assessing risk, prioritizing safeguards, and implementing effective security controls across systems and vendors.

Engage cross-functional leaders.

Cybersecurity affects clinical operations, the revenue cycle, legal, and reputation management. Form an internal task force that includes stakeholders from compliance, operations, and finance to break down silos.

Invest in employee training and awareness.

A significant percentage of breaches originate from phishing attempts or simple human error, but insider threats — whether intentional or accidental — are also a growing concern. Regular, scenario-based training helps staff recognize suspicious emails, avoid unsafe behaviors, and understand their role in protecting patient data. Many organizations use security awareness platforms like KnowBe4 to deliver ongoing simulations and track progress, creating a culture of accountability that reduces risk across the workforce.

Vet your vendors carefully.

Third-party partners and business associates often handle PHI and connect directly to core systems, making them a frequent target for cyberattacks. As a best practice, consider using a standard security questionnaire or RFP for all vendors to confirm how they protect data, respond to incidents, and meet HIPAA requirements. Setting clear expectations up front and checking in regularly helps ensure a vendor doesn’t become the weak link that puts your patients — and your organization — at risk.

Consider outside support.

If internal resources are limited, partnering with a cybersecurity firm or managed service provider can provide the necessary expertise to detect and respond to threats more quickly.

Cybersecurity is a long-term investment in care and trust

Cybersecurity in healthcare is more crucial than ever, as the sector increasingly adopts digital technologies that both enhance efficiency and expose new vulnerabilities. The Change Healthcare and Ascension attacks of 2024 show that even large, well-established organizations are not immune — a single breach can disrupt operations, expose sensitive data, and severely damage an organization's reputation.

To stay ahead, healthcare providers must go beyond minimum compliance. In addition to regular risk assessments and HIPAA or GDPR alignment, advanced certifications such as HITRUST r2 or SOC 2 Type II provide a higher level of assurance that systems and processes are continuously tested, monitored, and updated against emerging threats. These frameworks validate not just that safeguards exist, but that they are mature, effective, and independently verified.

By investing in advanced security systems, adopting recognized frameworks, and fostering a culture of cybersecurity awareness, organizations can strengthen resilience, reinforce patient trust, and demonstrate accountability to regulators, partners, and the communities they serve.
