By Jeff Wardon, Jr., Assistant Editor

Cybersecurity continues to be a forefront issue for healthcare facilities as cyberattacks and data breaches keep ramping up. A survey from Proofpoint and the Ponemon Institute found that 92 percent of healthcare organizations experienced at least one cyberattack in the last 12 months prior to October 2024. 

Certain steps must be taken to safeguard sensitive data that healthcare facilities and organizations keep hold of. 

The U.S. Department of Health and Human Services (HHS) has proposed changes to the HIPAA Security Rule to enhance cybersecurity protections for electronic protected health information (ePHI). These updates aim to address growing cyber threats in healthcare. 

Related: Remote Access Systems Pose Cybersecurity Risk

Key proposed changes include: 

• Making all security requirements mandatory, with few exceptions. 
• Requiring detailed documentation of security policies and risk analyses. 
• Updating standards to reflect modern technology and terminology. 
• Introducing specific deadlines for compliance with requirements. 
• Mandating asset inventories, network mapping and encryption of ePHI. 
• Strengthening incident response, contingency planning and system restoration timelines. 
• Requiring regular vulnerability scans, penetration testing and multi-factor authentication. 
• Enhancing oversight by conducting annual audits and ensuring business associates meet security standards. 

With cyberattacks becoming increasingly common, mounting a defense against them to protect sensitive data becomes equally as critical. Cloudely recommends the following for ongoing compliance and data security: 

• Healthcare organizations must develop robust data governance structures which outline effective data asset management. This means the data is cared for professionally from beginning to end, covering data collection, storage, processing and sharing. 
• The healthcare workforce needs to understand their responsibility to safeguard data while being trained and educated about phishing attacks, protecting passwords and properly disclosing sensitive information. 
• Protocols for safeguarding data need to encrypt information at rest and in motion-controlled accessibility, meaning only authorized individuals can have access to sensitive materials and secured messaging. 
• Routine security audits and risk assessments need to identify vulnerabilities or gaps in defenses before they are exploited. In addition, patient data must be backed up as well. 
• Plans and tests need to be in place for data breaches so that they are addressed accordingly. Also, tight access controls need to be implemented so any unpermitted access to sensitive information is limited. 

Jeff Wardon, Jr., is the assistant editor for the facilities market.