Overview
Entities covered by the Health Insurance Portability and Accountability Act are often targets of cybersecurity attacks. The Department of Health and Human Services Office for Civil Rights reported that from 2019 to 2023, breach reports affecting over 500 individuals involving hacking have increased by 89 percent and those involving ransomware have increased 102 percent. In February 2024, the National Institute of Standards and Technology (NIST) released a comprehensive cybersecurity resource guide on implementing the Security Rule along with a list of cybersecurity resources for HIPAA-regulated entities.
Each October, the federal government recognizes Cybersecurity Awareness Month — observed annually since 2004. Entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are often targets of cybersecurity attacks; the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported that from 2019 to 2023, breach reports affecting over 500 individuals involving hacking have increased by 89 percent and those involving ransomware (when malicious actors use a form of malware that encrypts files on a device and demand ransom for decryption) have increased 102 percent.
Artificial intelligence has increased the effectiveness of phishing attacks (the use of harmful links or attachments that appear trustworthy in order to request personal information or infect devices), presenting new threats to health care and public health entities. The privacy and security of health information is paramount at a time in which the American Medical Association (AMA) reported nearly 75 percent of people are concerned about protecting the privacy of their health data and 59 percent of patients worry about discrimination based on their health data.
For example, two-thirds of transgender individuals reported being extremely concerned about their health data negatively impacting their employment status, patients expressed concerns with health data being used against them in immigration proceedings, and over one-half of those surveyed by the AMA reported concerns related to employment, health insurance coverage, or access to health care. Protecting the privacy and security of individual health data is of critical importance to promote non-discrimination and health equity.
The HIPAA Security Rule establishes for covered entities the minimum level of administrative, physical, and technical safeguards required to protect electronic health information. In February 2024, the National Institute of Standards and Technology (NIST) released a comprehensive cybersecurity resource guide on implementing the Security Rule along with a list of cybersecurity resources for HIPAA-regulated entities. OCR developed a video presentation on recognized security practices and has published resources to assist covered entities with implementation of the Security Rule standards. In addition, OCR released a video on how the Security Rule can protect covered entities from cyberattacks and provides cybersecurity guidance materials.
Additional Cybersecurity Resources
- In September 2023, OCR and the Office of the National Coordinator for Health Information Technology released an updated Security Risk Assessment Tool to assist covered entities in conducting a security risk assessment as required by the Security Rule. For more information, the Network published a post about the tool, available here.
- In late October 2024, HHS and NIST hosted a conference titled “Safeguarding Health Information: Building Assurance Through HIPAA Security 2024.” Presentation materials are available online.
- The Cybersecurity & Infrastructure Security Agency (CISA), part of the Department of Homeland Security, published a toolkit for Cybersecurity Awareness Month.
- OCR provides current information and announcements through its Security List Serv including a quarterly Cyber Awareness Newsletter.
- Resources focused on public health include:
If you are a privacy officer seeking additional resources and support, please contact us about joining the Network’s Privacy Officer Peer Group.
This post was written by Susan Fleurant, Staff Attorney, Network for Public Health Law — Mid-States Region.
The Network promotes public health and health equity through non-partisan educational resources and technical assistance. These materials are provided solely for educational purposes and do not constitute legal advice. The Network’s provision of these materials does not create an attorney-client relationship with you or any other person and is subject to the Network’s Disclaimer.
Support for the Network is provided by the Robert Wood Johnson Foundation (RWJF). The views expressed in this post do not represent the views of (and should not be attributed to) RWJF.