Alaap B. Shah, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, was quoted in Fierce Healthcare, in “2024 Outlook: The Cybersecurity Trends Health System Leaders Need to Know,” by Dave Muoio.

Following is an excerpt:

The danger of cybercrime and security breaches looms over the healthcare industry like a slow-moving storm.

As of mid-December, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had received 541 notices of data breaches affecting more than 500 individuals during 2023. Among these were incidents that compromised the information of millions, or even tens of millions, of individuals, as was the case with this summer’s high-profile breach at HCA Healthcare.

Some attacks forced healthcare providers to adjust their workflows or interrupt services due to lockups of their computer systems. Sixteen-hospital Prospect Medical Holdings, for example, suffered an attack in August that led to certain locations switching over to paper records or suspending several elective and outpatient procedures. Ardent Health Services weathered a ransomware attack on Thanksgiving that ultimately led the 30-hospital system to proactively shut down and suspend all user access to its IT applications, leading to pauses in non-emergency procedures. …

Rising federal and state regulation

The ball is already rolling on new industry requirements surrounding healthcare data security.

Alaap Shah, a member of law firm Epstein Becker Green (not speaking on any entities in particular), told Fierce Healthcare that key policy and regulatory enforcement efforts “will likely emerge” as the result of recent state efforts to ramp up security.

Specifically, he pointed to the California Consumer Protection Act’s rules on conducting risk assessments; rules proposed by New York last month to require certain levels of hospital cybersecurity; and Washington’s My Health My Data Act, which was signed into law in April.

Additional developments will stream out of federal entities as well, from HHS and OCR under HIPAA and the Federal Trade Commission under the Health Breach Notification Rule, Shah said. Further, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology will continue to follow their mandates to share threat information and other technical assistance.
