Change Healthcare, Kaiser Permanente cyberattacks: A wake-up call for health care

Many health care companies rely on third parties to provide essential digital tools – telehealth platforms, secured file transfer solutions and advertising tools – and these services are prime targets for cyberattacks.


The health care sector has seen an onslaught of data breaches in recent years, with more than 700 data breaches involving 500 or more records in each of the past three years. In the first quarter of 2024 alone, the Department of Health and Human Services (HHS) received 212 formal data breach notifications. As HHS aptly suggests, health care organizations are frequently considered “one-stop shops” that contain identity, financial and health information.

Cyberattacks can paralyze an organization’s operations and be tremendously costly and detrimental to patient care. In response, many legislative bodies and regulators have updated laws and issued guidance to better protect sensitive patient information. For example, Congress is considering a bipartisan bill to establish comprehensive data privacy rights and standards for data security; HHS has released guidance on cybersecurity actions and plans to propose cybersecurity requirements this spring (through the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR)); and the Federal Trade Commission (FTC) has updated, and is enforcing, its Health Breach Notification Rule against digital health companies.

The Kaiser Permanente data breach and the Change Healthcare cyberattack underscore the ever-increasing importance of cybersecurity in health care. This article will provide an overview of the health care sector’s growing cybersecurity risks, best practices for helping prevent or mitigate cyberattacks and best practices for responding to incidents and mitigating health care organizations’ risk of enforcement actions and litigation.

Cybersecurity risks in health care

Given the growing dependence on digital systems and electronic health records (EHRs), health care entities are subject to increasing cybersecurity risks, including the deployment of malware, sophisticated ransomware attacks and more subtle forms of unauthorized access, such as those due to phishing emails or human error.

Furthermore, many health care entities rely on third parties to provide essential digital tools, from telehealth platforms to secured file transfer solutions and advertising tools, and these third-party services can become prime targets for cyberattacks, given their vast customer base and possession of voluminous health data.

Additionally, as the health care industry has experienced a surge in mergers and acquisitions, companies often overlook the potential vulnerabilities introduced by legacy or unintegrated IT systems inherited through those transactions.

It is prudent for entities of all sizes to proactively prepare for cybersecurity threats and implement appropriate incident response plans.

Preparing for cybersecurity threats

Health care entities should not wait for a cyberattack to occur at their organization or for regulatory requirements to further develop before thinking about enhancing their cybersecurity posture. The following practices may help prevent or mitigate cyberattacks and reduce the impact of potential breaches.

Responding to a security incident

Ideally, when a cybersecurity incident occurs, the impacted entity has already established a response plan that it regularly tests, practices and updates. In practice, though, cyberattacks too often affect companies that are unprepared to deal with them. A company that falls victim to a cyberattack should act fast and appropriately to manage the regulatory, legal, reputational and business consequences. Organizations should consider taking proactive measures after a cyberattack, including the following steps to mitigate enforcement and litigation risks.

Looking ahead

Health care organizations will continue to face sophisticated cyber threats, which necessitates both safeguarding systems and staying up to date with the latest regulations. However, comprehensive risk management is critical and goes beyond implementing technical solutions. It also consists of updating policies, training staff, segregating sensitive data, implementing robust contingency plans and conducting proactive security assessments.


As cyber threats evolve, health care organizations should implement measures to bolster defenses and ensure that, if an incident does occur, they are prepared to respond effectively, mitigate potential legal and regulatory exposure and, most importantly, protect patients’ data and limit any compromise of care.

Robert Kantrowitz is a corporate health care partner at Kirkland & Ellis and Sunil Shenoi is a partner in the firm’s Government and Internal Investigations Group. Micah Desaire is a corporate health care associate and Xiaorui Yang is a litigation associate at the firm.