Alaap B. Shah, Member of the Firm in the Health Care & Life Sciences practice, in the firm’s Washington, DC, office, was quoted in Fierce Healthcare, in “2024 Outlook: The Cybersecurity Trends Health System Leaders Need to Know,” by Dave Muoio.
Following is an excerpt:
The danger of cybercrime and security breaches looms over the healthcare industry like a slow-moving storm.
As of mid-December, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had received 541 notices of data breaches affecting more than 500 individuals during 2023. Among these were incidents that compromised the information of millions, or even tens of millions, of individuals, as was the case with this summer’s high-profile breach at HCA Healthcare.
Some attacks forced healthcare providers to adjust their workflows or interrupt services due to lockups of their computer systems. Sixteen-hospital Prospect Medical Holdings, for example, suffered an attack in August that led to certain locations switching over to paper records or suspending several elective and outpatient procedures. Ardent Health Services weathered a ransomware attack on Thanksgiving that ultimately led the 30-hospital system to proactively shut down and suspend all user access to its IT applications, leading to pauses in non-emergency procedures. …
Rising federal and state regulation
The ball is already rolling on new industry requirements surrounding healthcare data security.
Alaap Shah, a member of law firm Epstein Becker Green (not speaking on any entities in particular), told Fierce Healthcare that key policy and regulatory enforcement efforts “will likely emerge” as the result of recent state efforts to ramp up security.
Specifically, he pointed to the California Consumer Protection Act’s rules on conducting risk assessments; rules proposed by New York last month to require certain levels of hospital cybersecurity; and Washington’s My Health My Data Act, which was signed into law in April.
Additional developments will stream out of federal entities as well, from HHS and OCR under HIPAA and the Federal Trade Commission under the Health Breach Notification Rule, Shah said. Further, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology will continue to follow their mandates to share threat information and other technical assistance.