Why provider accountability strengthens healthcare security
Caitlin Anthoney October 20, 2025
Healthcare systems rely on digital tools—from electronic health records and telemedicine to connected diagnostic equipment. This shift has improved access to care and made coordination among providers easier, but it’s also opened the door to new cybersecurity risks.
According to the 2024 report Cyber Analytics: Modeling the Factors Behind Healthcare Data Breaches for Smarter Security Solutions, the number of individuals affected by healthcare data breaches in the United States rose sharply between 2022 and 2023, from 29.7 billion to 106.6 billion records. The authors indicated that hacking of network servers and email systems and IT-based attacks were the most frequent types of incidents.
The study is consistent with the growing scope of cybersecurity threats across healthcare and points to a systemic issue: responsibility for data protection is scattered among multiple entities, which makes it easier to sidestep and harder to hold anyone accountable.
Awareness of the scale of the problem
Health data breaches are not new, but their frequency and severity have accelerated. Over 94% of all compromised records from 2021 to 2023 were caused by hacking and IT incidents. Unauthorized access and disclosure was the next most common cause. Other forms of breaches, such as theft, loss, or unauthorized disposal of physical media, were comparatively uncommon.
The data also shows how attacks have shifted from hardware-based theft to electronic intrusion. Network servers were involved in 582 breaches with approximately 138 million records exposed, while email breaches affected more than three million users. The figures suggest that attacks primarily exploit system-level weaknesses rather than targeting individual devices.
Cybersecurity incidents have a cascading impact. In addition to the immediate data exposure, they can interrupt clinical operations, delay patient care, and undermine public trust in the healthcare system.
Where accountability breaks down
The study groups affected entities into four main categories:
- Healthcare providers
- Business associates
- Health plans
- Healthcare clearinghouses
The largest number of affected individuals was linked to business associates, at approximately 73 million people, followed by healthcare providers (51 million) and health plans (16 million). This distribution underscores the challenge of managing security across a decentralized network.
Business associates, like billing firms, cloud storage organizations, and information technology vendors, usually handle large volumes of protected health information (PHI) but are subject to varying levels of regulation.
While HIPAA does require these entities to sign business associate agreements (BAAs) with covered entities, compliance auditing is inconsistent, and fines for noncompliance are relatively rare.
As a result of this structure, a single weak link in the chain can endanger millions of patient records. The researchers state that healthcare data breaches are "concentrated in specific entities, states, and quarters," which reflects uneven security readiness across the industry.
Regional and temporal trends
The report also uncovers geographic and seasonal trends. The worst-affected states were Colorado, Nevada, and Kentucky, each of which experienced millions of compromised records in 2023. While the reasons for such state-level differences are complex, factors such as healthcare organization density, size of networked infrastructure, and local IT spend variations could be the culprits.
Seasonal data also indicate that the fourth quarter of the year, specifically November and December, is most likely to see the highest number of breaches. The researchers say this is evidence of potential "seasonality or periodicity" in the attack pattern. Periods of intense administrative activity, such as fiscal year-end reporting or staff transitions, may coincide with higher susceptibility to phishing and ransomware attacks.
Knowledge of these trends over time could help organizations plan targeted cybersecurity hardening for high-risk months.
How ransomware threatens care
The most dire threat the research identifies is ransomware, particularly attacks based on the RYUK and Trickbot malware.
In 2020, the RYUK ransomware group infected more than 400 U.S. healthcare organizations and demanded an estimated $61 million in ransom to decrypt data. Trickbot, operated by the "Wizard Spider" group, gained access to hospital networks via phishing emails and software vulnerabilities. Once inside, the malware spreads laterally across connected systems, interfering with patient databases and hindering medical procedures.
These incidents demonstrate that healthcare cybersecurity breaches are not simply privacy issues but also patient safety issues. When electronic records cannot be accessed or have been compromised, hospitals can lose access to tools for clinical decision-making, like treatment histories, laboratory tests, and imaging studies.
Legacy systems and resource constraints
The abovementioned research study states that many healthcare facilities continue to depend on legacy systems and antiquated infrastructure that may lack comprehensive cybersecurity protections. Legacy systems, which are generally not up to date with newer security protocols, carry persistent vulnerabilities that attackers exploit.
IT infrastructure upgrades are a costly undertaking, especially for small and rural hospitals. Limited budgets, staffing deficiencies, and competing clinical priorities often impede cybersecurity enhancements. If these investments are not made, though, healthcare organizations risk an attack that may ultimately cost much more in recovery, legal liability, and reputational damage.
The human factor
As much as technology is a source of the problem, human behavior continues to be one of the most common causes of breaches. The authors identify insider risk and human error as the largest contributing factors, from misconfigured servers to inadvertent email disclosures. Phishing and social engineering remain the favorite entry points of attackers.
Mitigating these threats requires constant employee education and a change in organizational culture. More specifically, healthcare organizations need to design regular and comprehensive staff training programs to raise awareness about phishing attacks, social engineering tactics, and best practices regarding how to secure sensitive information.
Regular simulation training and response exercises, treated on the same footing as clinical safety processes, can promote good cybersecurity practices and clarify roles during an attack.
The policy environment
Policy frameworks such as HIPAA provide national standards for the protection of PHI. The Office for Civil Rights (OCR) monitors compliance, conducts investigations into breaches, and imposes sanctions when organizations fall below security standards.
However, the cyber analytics report shows that regulatory enforcement alone has not kept pace with the scale or technical sophistication of cyber threats. The researchers argue that healthcare organizations need to "develop and regularly update incident response plans to ensure a swift and effective response in the event of a cybersecurity breach," and incorporate explicit communication planning to minimize harm when breaches occur.
Covered entities must try the following policy options to increase accountability:
- Expanded and open auditing of covered entities and business partners.
- Public reports that disclose not just breach occurrences but also the remedial actions taken.
- Supporting proactive security investments, e.g., through cybersecurity performance metrics tied to reimbursement programs or accreditation regulations.
These measures would place cybersecurity responsibility within current quality and safety frameworks already used in healthcare.
Boosting prevention with cyber analytics
The study posits that cyber analytics can model the factors behind data breaches, providing a proactive framework for managing risk. By examining large datasets from HHS and other agencies, healthcare organizations can uncover patterns across time, geography, and system type.
For instance, predictive analytics can identify hospitals that have similar vulnerability profiles to those of past breach targets and thus direct support before a breach. Machine learning solutions can also spot anomalies within network traffic, notifying administrators of potential intrusions.
As the authors explain, "cyber analytics analyzes historical and real-time data to identify not only familiar cyber dangers but also emerging and changing methods of assault." Implementing such systems requires harmonization among IT departments, clinical leadership, and regulators to translate analysis into actionable policy.
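The pattern analysis described above, grouping breach records by entity type, quarter, and location, can be sketched as follows. This is an added example, not code from the study or from Paubox; the column names are assumed to follow the HHS OCR breach portal export, and every row in the sample is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; column names are assumed to follow the HHS OCR
# breach portal export layout. Entities and counts are invented.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,CO,Healthcare Provider,12000,02/14/2023,Hacking/IT Incident,Network Server
Example Billing Co,NV,Business Associate,850000,11/03/2023,Hacking/IT Incident,Network Server
Example Health Plan,KY,Health Plan,4300,12/19/2023,Unauthorized Access/Disclosure,Email
Example Hospital B,CO,Healthcare Provider,950,06/30/2023,Theft,Laptop
Example Cloud Vendor,KY,Business Associate,230000,11/21/2023,Hacking/IT Incident,Email
"""

def load_breaches(text):
    """Parse export rows into dicts with typed count and quarter fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        date = datetime.strptime(rec["Breach Submission Date"], "%m/%d/%Y")
        rec["individuals"] = int(rec["Individuals Affected"].replace(",", "") or 0)
        rec["quarter"] = f"{date.year}-Q{(date.month - 1) // 3 + 1}"
        rows.append(rec)
    return rows

def summarize(rows, column):
    """Return {value: (incident_count, individuals_affected)} for one column."""
    totals = defaultdict(lambda: [0, 0])
    for rec in rows:
        totals[rec[column]][0] += 1
        totals[rec[column]][1] += rec["individuals"]
    return {k: tuple(v) for k, v in totals.items()}

def share_of_individuals(rows, column, value):
    """Fraction of all affected individuals attributable to one column value."""
    total = sum(r["individuals"] for r in rows)
    part = sum(r["individuals"] for r in rows if r[column] == value)
    return part / total if total else 0.0

if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    for col in ("Covered Entity Type", "quarter", "Location of Breached Information", "State"):
        print(col)
        for key, (n, people) in sorted(summarize(rows, col).items(), key=lambda kv: -kv[1][1]):
            print(f"  {key:32} incidents={n:<3} individuals={people}")
    print(f"Hacking/IT share: {share_of_individuals(rows, 'Type of Breach', 'Hacking/IT Incident'):.1%}")
```

Run against a real export, the same grouping shows whether a few business associates or a single quarter dominate the totals, which is the concentration the study reports.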
Rebuilding patient trust
Besides technical solutions, sustaining public trust is an important element of accountability. Breaches may erode trust in healthcare organizations, discourage data exchange, and reduce participation in e-health activities like telemedicine and patient portals.
The study notes that the “compromise of patient privacy undermines confidence in the healthcare system.” So, to regain confidence, organizations must have open communication policies following a breach, including prompt notices, clear explanations, and specific descriptions of corrective measures.
Public education campaigns can also educate patients about their HIPAA rights and how they can protect themselves against potential identity theft or insurance misuse.
Moving toward shared accountability
The interconnectivity of the healthcare system among providers, insurers, vendors, and the government requires a coordinated response.
Therefore, “continuous efforts to enhance cybersecurity frameworks are deemed critical to safeguard sensitive healthcare data and protect individuals' privacy.” Achieving this requires coordinated investment, standardized practices, and shared accountability frameworks.
Industry organizations can develop voluntary reporting mechanisms similar to patient safety collaboratives, in which institutions can exchange details of near misses and insights derived from cyber-attacks. These information-exchange programs can supplement current HHS and OCR efforts, building industry-wide resilience with less reliance on punitive enforcement.
Improving accountability will depend on a series of specific measures like open disclosure, standardized regulatory oversight, investments in infrastructure, and continued employee training. Cyber analytics built into routine security management can predict threats and guide preventive action.
FAQs
Which parts of healthcare systems are most vulnerable to cyberattacks?
Network servers and email systems are the most common entry points for cyberattacks. The abovementioned research shows that network servers were involved in 582 breach incidents, exposing millions of patient records, while email-related breaches affected more than 3 million individuals.
These findings suggest that attackers primarily exploit centralized systems that store or transmit large volumes of protected health information (PHI).
How do healthcare data breaches affect patients?
Patients may face identity theft, insurance fraud, and exposure of sensitive health details. Breaches can also delay treatment, reduce trust in healthcare providers, and create financial or emotional harm.
Why do business associates account for so many large-scale breaches?
Business associates often manage sensitive information for multiple healthcare clients, but may not apply uniform security controls across all systems. Inconsistent oversight, reliance on outdated infrastructure, and weak enforcement of business associate agreements (BAAs) can leave these partners exposed to attack.
Since one compromised vendor can affect several covered entities, breaches involving business associates tend to impact a large number of individuals.
