Resources tagged with:
HIPAA

Securing Health Data in 2025: The Rising Cybersecurity Challenges

January 21, 2025 | In The News, Special Updates

Understanding two U.S. bills introduced aimed at modernizing protections for sensitive health data.

January 20, 2025

Read the full article in Information Security Buzz.

Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone of patient privacy. The act established standards for how healthcare organizations handle and share patient data, creating a framework for ensuring confidentiality. 

But the healthcare landscape has transformed dramatically, and with it, the risks have multiplied. Emerging cyber threats and complex vulnerabilities have exposed critical gaps in HIPAA’s protections. In response, lawmakers are advancing new legislation aimed at fortifying healthcare organizations against the escalating tide of cyberattacks.

Last year, lawmakers introduced two bills – the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024 (HISAA) – aimed at modernizing protections for sensitive health data. While these measures represent an important step forward, they remain stalled in the legislative process and have yet to become law. 

And, even if they are enacted, the limited scope and enforcement mechanisms outlined in these bills may fall short of addressing the escalating cyber threats plaguing our increasingly digital healthcare system. Without a more comprehensive and aggressive approach, these initiatives risk being seen as symbolic gestures in a fight that demands urgent and decisive action.

Read further to gain a full understanding of both bills, including

  • Protecting non-traditional health data

  • Addressing the challenges

  • Strengthening leadership

  • HIPAA Updates on the Horizon

  • A future of resilience


New HIPAA Cybersecurity Rules Pull No Punches

January 17, 2025 | In The News

Healthcare organizations of all shapes and sizes will be held to a stricter standard of cybersecurity starting in 2025 with new proposed rules, but not all have the budget for it.

From the start, HIPAA has been the best available, yet insufficient, regulation governing cybersecurity in the healthcare industry.

“[There’s] a history of the focus being in the wrong place because of the way HIPAA was laid out in the mid-1990s,” says Errol Weiss, chief information security officer (CISO) of the Healthcare Information Sharing and Analysis Center (Health-ISAC). “At the time, there was this big push to transfer medical and health records to the electronic medium. And with the advent of the HIPAA regulations, it was all about protecting patient privacy but not necessarily securing those records.”

HIPAA’s focus on privacy limited its ability to address more diverse cybersecurity threats in the 2010s, particularly ransomware. Meanwhile, instead of using it as a baseline for developing a robust security posture, organizations tended to treat HIPAA more as a set of boxes to check. “It ended up driving budgets toward compliance and not necessarily security. And in the past five or six years, we’ve seen what happens in an environment that’s not properly secured, not properly tied down, not properly backed up, when they’re hit by ransomware,” Weiss says.

“Even if they’re already following all the NIST controls,” Dispersive’s Pingree estimates, implementing the new HIPAA security rules “could cost as low as $100,000 for a small doctor’s office, or it could be many millions if you’re a big medical group.”

One possible way stretched healthcare organizations might navigate all these new rules and their associated costs is with an outsourced, virtual chief information security officer (vCISO), according to Weiss. Because “it’s not just about buying the technology. It’s also about recruiting and retaining the cybersecurity expertise that you need to run,” he says.

“These organizations don’t know where to start,” he continues. “The cybersecurity market is very confusing. There are a lot of players. There are a lot of solutions. So if you have $100 to spend on cybersecurity, where do you spend that? They need help to be able to figure all of that out. And I think something like a virtual CISO can help implement a strategy, and then be around on a virtual basis — to check in, to be a resource for that organization when they have questions and they need some help. It seems like a decent model for these small rural hospitals that could not necessarily justify or hire a full-time CISO.”

Read the full article in Dark Reading.