Cyber-attacks on the Rise (Once Again…)

By: Kelli C. Fleming, Esq., Burr & Forman

Cyber-attacks within the healthcare industry are continuing to rise, despite increased awareness, security measures, and training. The attacks are not only becoming more far-reaching, with each attack impacting more and more patient data, but are also more prevalent as well. Threat actors do not discriminate against victims, as we are seeing reports of security breaches against physician practices, rural hospitals, large hospital chains, as well as their business associate vendors and contractors.

At the time of drafting this article, we are only ten days into 2024, and in 2024 thus far, five breach reports have been published by the Office for Civil Rights (“OCR”) for incidents involving more than 500 individuals. The total number of individuals impacted as a result of those five instances is over 585,000. Of those five reports, four of them deal with hacking/IT incidents on a network server. Of the entities reporting, one is a health plan, two are healthcare providers (hospital and long-term care provider), and two are business associates. 

Partly as a result of this rise in cyberattacks against the healthcare industry, the Department of Health and Human Services (“HHS”) recently announced plans to increase federal funding to assist providers with training and implementing cyber-security protections. The plans also include increased fines for facilities that do not have adequate cyber-security measures in place. While the plans are in the early stages, and require additional funding and coordination among government entities, it is encouraging to see the government recognize that additional assistance is needed by the healthcare industry to thwart attacks. Providers are encouraged to monitor any guidance and assistance issued by HHS in this regard. 

In addition, OCR publishes cyber-security guidance as well as a cyber-security quarterly newsletter to help HIPAA-covered entities, including providers, to remain in compliance. The guidance and the quarterly newsletters contain helpful tips on ways to reduce the risk of a security breach. The guidance and newsletters are available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html. Providers are encouraged to review this guidance for helpful information on measures they can implement to reduce the risk of a cyber-attack. 

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.