The Key to Fixing the HIPAA Auditing Process – Collaboration

By Jay Trinckes, Data Protection Officer/CISO, Thoropass

In recent years, healthcare organizations have struggled to address the rising number of data breaches and cyberattacks plaguing the industry. The Change Healthcare breach in particular caused the exposure of the protected health information (PHI) of as many as one in three Americans earlier this year. While the Health Insurance Portability and Accountability Act (HIPAA) aims to protect such data and prevent these kinds of breaches, enforcement remains incomplete at best.

For example, a recent report found that the Office for Civil Rights (OCR), the primary government body enforcing HIPAA compliance, has focused its audits on just 8 out of the 180 regulatory requirements outlined by HIPAA. These assessments primarily target specific administrative or procedural safeguards, such as risk analysis and management, while leaving other areas – like technical safeguards or comprehensive security controls – largely unexamined. This limited scope significantly reduces the effectiveness of OCR audits in identifying and addressing vulnerabilities, leaving healthcare organizations exposed to cybersecurity risks.

Why OCR audits don’t work

You may be wondering why OCR audits cover only eight HIPAA requirements. As it stands today, the OCR simply lacks the resources to audit and enforce HIPAA compliance effectively. With tens of thousands of covered entities in the healthcare ecosystem, the OCR has a monumental task, but its funding and staffing levels have not kept pace with the increasing complexity of cybersecurity threats. This has left the agency overstretched, forcing it to focus on a narrow slice of compliance rather than the broader safeguards healthcare organizations need.

Compounding the issue, many hospitals are still lagging in implementing even the most basic security safeguards outlined by HIPAA. In many cases, this comes down to budget constraints, competing priorities, or a lack of technical expertise within the organization. Smaller hospitals and healthcare providers, in particular, often struggle to allocate the necessary resources for robust cybersecurity measures. Additionally, some organizations operate under the misconception that basic compliance with HIPAA regulations is sufficient to defend against modern cyber threats when these threats require much more comprehensive protections.

Meanwhile, cyber threats grow more sophisticated by the day. Ransomware attacks continue to surge, with attackers often targeting healthcare providers because of the sensitive and valuable nature of the data they hold. These attacks disrupt patient care and can cost millions in recovery expenses. Emerging technologies, such as AI-powered malware, add another layer of complexity, enabling cybercriminals to exploit vulnerabilities more effectively than ever before. These evolving threats capitalize on the enforcement gaps HIPAA was designed to address, exposing hospitals to financial, operational, and reputational harm.

The basics of a strong cybersecurity culture

Before hospitals can collaborate to improve standards across the industry, the work needs to start in-house with the implementation of basic security measures. For example, hospitals should prioritize regular independent security assessments to identify vulnerabilities that OCR audits may miss. There should be comprehensive training for staff, particularly on phishing attacks and other common threats. Breaches also often happen through external partners, so hospitals should implement third-party risk management to make sure vendors and contractors meet high security standards.

Next, hospitals that are implementing new technologies like AI and telehealth must be aware of the potential risks those tools may introduce and the frameworks developed to address those risks. For example, the zero trust architecture cybersecurity model assumes no user or device should be trusted by default, even if it’s inside the network perimeter. Instead, every device and user requires continuous verification and strict access controls to minimize risks.

Hospital cybersecurity teams can also explore how AI can automate various compliance tasks, such as vulnerability scanning and threat detection, to help them stay ahead of emerging risks and keep up with evolving cyber threats.

Making security industry-wide

Strengthening internal security measures is a critical first step, but no single hospital or healthcare organization can tackle the issue of cybersecurity alone. The interconnected nature of the healthcare ecosystem – with patient data flowing between hospitals, vendors, insurers, and other entities – means that vulnerabilities in one organization can ripple across the industry. To truly close the security gaps, hospitals must collaborate and adopt a unified approach to protecting PHI.

First of all, healthcare companies must share information on threats, best practices, and incident response strategies. Hospitals can join healthcare collaboratives such as the Health Information Sharing and Analysis Center (Health-ISAC), which facilitates the sharing of real-time threat intelligence and cybersecurity insights, and the American Hospital Association, which provides additional guidance and resources.

Next, hospitals can drive progress by advocating for stricter and more uniform cybersecurity regulations. Change at the federal level moves at a notoriously slow pace, so healthcare leaders can influence policy more directly through partnerships with state-level legislators or by joining initiatives led by organizations like HITRUST. HITRUST is a private organization that develops and maintains the HITRUST CSF. This framework goes beyond HIPAA’s general guidelines and requires rigorous third-party audits to verify compliance.

The HITRUST CSF certification is only one example of several options that could provide a much stronger overall security posture for the healthcare industry, assuming hospitals take the initiative to ensure internal compliance.

The future of HIPAA audits

The OCR’s limited HIPAA auditing process may fall seriously short of protecting healthcare data, but hospitals don’t have to wait for changes at the federal level. Strengthening internal compliance frameworks and fostering industry-wide collaboration can help healthcare organizations close critical security gaps, safeguard patient information, and set a higher standard for the entire sector in the near future.