The federal government wants healthcare organizations to better protect the massive amounts of sensitive health information they hold as the industry continues to come under attack by cyberthreat groups.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is proposing an overhaul of the security rule in the almost 30-year-old HIPAA to require healthcare providers and their associates, health insurance companies, and healthcare clearinghouses – which enable the exchange of healthcare data between providers and payers – to adopt such security practices as regular testing of processes and multifactor authentication (MFA) and encryption for electronic health records.
The proposed changes, which are due to be published next week, are intended to help the healthcare industry combat the crippling cyberattacks it has suffered in recent years. They will also open up more opportunities for MSSPs that can help organizations navigate the increasingly complex regulatory process and protect against the growing number and sophistication of cyberthreats.
“Cyberattacks continue to impact the healthcare sector, with rampant escalation in ransomware and hacking causing significant increases in the number of large breaches reported to OCR annually,” OCR Director Melanie Fontes Rainer said in a statement, adding that with such major attacks like the one on UnitedHealth Group’s Change Healthcare subsidiary last year, the number of people affected by breaches will grow. “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats.”
According to the OCR, reports of large breaches of healthcare organizations jumped 102% between 2018 and 2023, and the number of people affected rose 1,002% as ransomware and hacking attacks increased by 102% and 89%, respectively.
Improving the industry's cybersecurity has been an ongoing focus of the government. In November 2024, in the wake of the ransomware attack on Change, four U.S. senators introduced a bipartisan bill aimed at providing grants to help healthcare organizations enhance training and other security measures.
Rising Cyberthreats to Healthcare
In a report in October 2024, Microsoft’s threat intelligence group wrote that until 2020, many threat groups wouldn’t attack certain organizations, including hospitals and schools. Such self-imposed restrictions no longer exist, and healthcare organizations now rank high on the list of targets, a trend that likely will continue in 2025. This is especially true since financial firms, which have long been targeted by cybercriminals, have improved their protections.
“Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, wrote in a blog post. “However, a more significant reason these facilities are at risk is the potential for huge financial payouts.”
DeGrippo also noted that healthcare facilities have limited security resources and cybersecurity investments compared to other sectors. They often lack dedicated security staff, CISOs, or security operations centers (SOCs).
“Instead, their IT department may be tasked with managing cybersecurity,” she wrote. “Doctors, nurses, and healthcare staff may not have received any cybersecurity training or know the signs to look for to identify a phishing email.”
Turning to MSSPs
The expanding threat landscape and added security requirements – which the proposed HIPAA changes would ramp up further – are why healthcare organizations are turning to MSSPs, according to Mike Gregory, CISO at CDW, and Matt Sickles, an executive healthcare strategist at the VAR’s healthcare unit. Grand View Research analysts said that in 2022, the healthcare sector accounted for 14.6% of the overall $27.2 billion managed security services market, behind only banking, financial services, and insurance (BFSI).
“As the risk surface expands, the potential for more breaches also increases,” Gregory and Sickles wrote in a blog post last year. “And, compared to other industries, the number of employees dedicated to healthcare security is critically low. Without the budget to hire additional staff in security, healthcare organizations are forced to stretch their already thin IT teams even further.”
Healthcare organizations can use MSSPs to replace their IT environment, fill the gaps as extensions of the IT staff, or provide managed detection and response (MDR) services, they wrote.
Support from Cybersecurity Industry
The proposed HIPAA security requirements, which could push more organizations to MSSPs, are getting support from cybersecurity pros. Ted Miracco, CEO of mobile app security firm Approov, called them an “overdue response to the escalating cybersecurity attacks on the healthcare sector,” adding that “enforcing stricter security measures such as encryption, MFA, attestation, and network segmentation is a strong start as HHS aims to enhance the protection of patient data significantly.”
Lawrence Pingree, vice president at cybersecurity vendor Dispersive, applauded HHS’ push to change what have been security recommendations into requirements.
“It's now bringing more specific controls around multi-factor authentication and data protection strategies,” Pingree said. “In security, the more prescriptive the controls, the better, since this reduces the variance of approaches that might not adequately address current threats.”