This month, I wanted to cover trends like Artificial Intelligence, Business Associates, IoT, and Social Engineering that directly affect healthcare companies today and will continue to echo into 2024 and the future.
Healthcare Remains Top Target of Threat Actors
Electronic Health Records (EHR) remained highly coveted, commanding the highest price on the dark web and making healthcare entities and their business associates prime targets for cybercriminals. The global average cost of a data breach was $4.45 million, while the average healthcare breach exceeded $10 million.
Large breaches increased 60 percent from last year, impacting over 88 million individuals, according to a recent U.S. Department of Health and Human Services Office for Civil Rights (OCR) announcement.
Adding up the monetary impact and the number of occurrences of breaches to a healthcare entity is a relatively easy metric to research, thanks to media outlets.
More significant metrics include patient safety risks like disruptions in medical care, delayed critical medical procedures, and canceled medical treatments. Cybercriminals endanger patients' health and erode patients' trust in the healthcare system.
Patient Intrusion
Regulated entity websites introduced risks to patient privacy, and the issue has been on the radar of the OCR since 2022.
Tracking technologies like cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts allow regulated entities to track and analyze patient behaviors on their websites and mobile applications. The information captured may contain sensitive information and be disclosed to tracking technology vendors.
It is important to mention that a tracking technology vendor that receives protected health information from a regulated entity's website or app is a business associate under the HIPAA Privacy Rule, so a Business Associate Agreement must be in place before any such disclosure. If the vendor will not sign one, protected health information cannot be disclosed to it.
Applying quality controls around tools, platforms, and devices will mitigate the risk to patient privacy and safety. Performing data mapping exercises to assess how a regulated entity collects, captures, analyzes, and shares protected health information through tracking tools will protect the patient's privacy and the organization's reputation.
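A data mapping exercise for tracking technologies starts with a plain inventory: which third-party hosts does a patient-facing page load scripts, pixels, iframes and forms from, and what parameters or form fields travel to them. The script below is an added example, not code from the original post or from PacketWatch; it uses only the Python standard library. The page URL, the sample HTML and every vendor hostname in it are constructed for illustration, and the 1x1-image "pixel" flag is a heuristic, not a definition.

```python
"""Third-party resource inventory for a patient-facing web page.

Added example (not from the original post): a minimal data-mapping helper
that parses an HTML document and lists every script, image, iframe and
form that points at a host other than the page's own, together with the
query parameter names (and form field names) that would reach that host.
The sample page and vendor hostnames below are constructed for illustration.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Elements whose target attribute triggers a request to, or a submission at, a URL.
TARGET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}


class ThirdPartyCollector(HTMLParser):
    """Collects references to hosts other than the first-party host."""

    def __init__(self, page_url: str):
        super().__init__()
        self.first_party = urlparse(page_url).hostname
        self.findings: list[dict] = []
        self._open_form: dict | None = None  # third-party form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._open_form = None  # a new form closes any previous one
        if tag == "input" and self._open_form is not None:
            # Field names show what data a third-party form would receive.
            if a.get("name"):
                self._open_form["fields"].append(a["name"])
            return
        attr = TARGET_ATTRS.get(tag)
        if attr is None or not a.get(attr):
            return
        target = a[attr]
        host = urlparse(target).hostname  # None for relative URLs, i.e. first-party
        if host is None or host == self.first_party:
            return
        finding = {
            "tag": tag,
            "host": host,
            "url": target,
            # Parameter names only: enough for a data-mapping review without
            # copying patient data into the report.
            "params": sorted(parse_qs(urlparse(target).query).keys()),
            # A 1x1 image is the classic tracking-pixel shape (heuristic only).
            "pixel": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
            "fields": [],
        }
        self.findings.append(finding)
        if tag == "form":
            self._open_form = finding

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def inventory(page_url: str, html: str) -> list[dict]:
    """Return third-party resource findings in document order."""
    collector = ThirdPartyCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings


def hosts_by_tag(findings: list[dict]) -> dict[str, set[str]]:
    """Group findings as {host: {tags}} for a quick vendor list."""
    grouped: dict[str, set[str]] = {}
    for f in findings:
        grouped.setdefault(f["host"], set()).add(f["tag"])
    return grouped


# Constructed sample: a "find a doctor" page that loads first- and third-party resources.
SAMPLE_PAGE_URL = "https://portal.clinic.example/find-a-doctor"
SAMPLE_HTML = """<html><head>
<script src="/static/portal.js"></script>
<script src="https://analytics.vendor-a.example/tag.js?id=UA-000"></script>
</head><body>
<img src="//pixels.vendor-b.example/p.gif?event=appointment_search&amp;specialty=oncology" width="1" height="1">
<img src="/images/logo.png">
<iframe src="https://chat.vendor-c.example/widget"></iframe>
<form action="https://forms.vendor-d.example/submit"><input name="symptoms"><input type="submit"></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for f in inventory(SAMPLE_PAGE_URL, SAMPLE_HTML):
        flag = " [pixel]" if f["pixel"] else ""
        print(f"{f['tag']:<6} {f['host']:<28} params={f['params']} fields={f['fields']}{flag}")
```

Run it against saved copies of the pages patients actually use (appointment search, symptom checkers, portal login) rather than the home page; the parameters and field names it reports are what the Business Associate Agreement with each listed vendor has to cover. Scripts that build tracking requests at runtime will not show up in static HTML, so treat this output as the starting list for the data map, not the finished one.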
Compliant Artificial Intelligence (AI) Use
The field of artificial intelligence (AI) dates to the 1950s, and seven decades later it is the key ingredient for adding efficiency to today's tasks. Developers use it to write, test, and deploy code at a breakneck pace.
While this is beneficial to meet deadlines, it introduces critical risks if the product is not tested before deployment.
Your organization must have a policy for using Artificial Intelligence tools, especially when handling intellectual property or patient data.
Business Associate Risk Management
Business Associates can be gateways into healthcare networks as they perform business functions involving protected health information.
Working with Business Associates who are not HIPAA-compliant (do not conduct annual security risk assessments, proactively monitor their network, lack policies and procedures for electronic protected health information) is a huge risk to their healthcare partners.
Internet of Things (IoT)
The Internet of Things (IoT) refers to a system of devices and objects, “things,” that contain sensors, software, and the ability to connect to a network.
Healthcare organizations are filled with IoT devices such as medical equipment, handheld devices, and printers. Regular vulnerability scanning of these devices is a preventive control: it finds unpatched or misconfigured devices before an attacker does. A Managed Detection and Response (MDR) service complements it as a detective control, letting the network security team spot intruders who try to use an IoT device as a foothold.
Social Engineering
Social engineering is when threat actors obtain sensitive information by deceiving or pressuring legitimate users through text messages, emails, telephone calls, and QR codes.
Recently, AI has been aiding cybercriminals in creating more personalized emails and generating voices to trick individuals into exposing confidential information.
How to Protect Your Organization: Get Back to the Basics
Preventive controls in 2024 should be focused on the fundamental HIPAA requirements. There is significant value in going back to the basics.
This simple yet effective approach removes the complexity of network security by focusing on tasks that will positively impact protecting ePHI. It helps build a solid foundation for a sustainable security program and fortified network.
Complete a Security Risk Analysis (SRA)
This single task does more than any other to reduce risk to patients. An SRA identifies the threats to, and vulnerabilities of, the systems that create, store, or transmit ePHI, and the Security Rule requires one (45 CFR § 164.308(a)(1)(ii)(A)).
If a threat actor finds your vulnerabilities first, you could find your organization’s sensitive data on the dark web, receive a ransomware note, and/or pay significant fines to OCR.
Develop or Revise your HIPAA Policies and Procedures
Like the SRA, policies and procedures provide effective preventive controls to protect sensitive data and are required under the Security Rule (45 CFR §§ 164.308 and 164.316) and the Privacy Rule (45 CFR § 164.530). They should be developed and customized to the type of healthcare service and the size of the entity, and they should establish a culture of compliance.
More importantly, they provide effective preventive controls to protect your patients and a resourceful guide to ensure the workforce complies with the requirements and content of your HIPAA training program.
Policies and procedures should be reviewed regularly and updated at least annually or after a significant event.
Facilitate Training
Cybercriminals exploit human behavior. Skipped patches, weak passwords, multifactor authentication left unused, and susceptibility to social engineering are all examples of human behaviors that allow threat actors to reach protected health information.
Security training should be customized and specific to your organization, not templates with a basic vague level of detail.
Customized training will provide information that employees can relate to, allowing them to better understand and adhere to the rules intended to protect patients and the organization.
Importantly, social engineering training should be updated to cover the AI-assisted tactics cybercriminals use in smishing (text message), phishing (email), and vishing (voice call) schemes. Quishing (QR code phishing) should also be included in the social engineering portion of the training, as use of the tactic has grown since the COVID-19 pandemic.
Conclusion
Patients need to receive healthcare in a confidential, safe, and effective environment. They should receive optimal care without the threat of their confidential information being exploited, their critical procedure being canceled, or having the machine critical to their well-being disconnected.
Knowing that an electronic healthcare record is worth more than a credit card number or social security number on the Dark Web should motivate healthcare and business associates to practice the fundamentals of completing an SRA, developing effective policies and procedures, and personalized training.
Sheri Garver has nearly two decades of professional accreditation and compliance background. She is the Senior Advisor of Regulatory Compliance for PacketWatch, a premier cybersecurity firm in Scottsdale, Arizona.
If you need help with your compliance or accreditation programs, please contact PacketWatch so we can discuss how we can help your organization meet and exceed its compliance goals.