LUGPA Policy Update: Cybersecurity in Healthcare – A Call to Action
Oct. 2024

One of the most significant recent breaches, in 2023, involved Medicare beneficiaries. More than 900,000 individuals were notified that their personal data, including Medicare claims information, Social Security numbers, and other personally identifiable information (PII), may have been compromised through a vulnerability in the MOVEit file transfer software. The breach occurred between May 27 and May 31, 2023, when unauthorized third parties accessed sensitive data held by the Wisconsin Physicians Service Insurance Corporation (WPS), a Centers for Medicare & Medicaid Services (CMS) contractor. The incident shows how a flaw in a single third-party component can expose data across many organizations at once, and it underlines the need for stronger cybersecurity in healthcare's digital infrastructure to prevent future breaches.

The financial toll of these breaches is staggering. Cybersecurity firm Emsisoft estimated the cost of the MOVEit campaign as a whole, across all affected organizations, to exceed $15 billion, factoring in economic risk, potential identity theft, and fraud exposure. CMS and WPS took immediate steps to mitigate the damage, offering credit monitoring and advising affected individuals on protective measures. Even so, the breach is a stark reminder of the increasingly sophisticated nature of cyberattacks on healthcare.

Ransomware is another major concern: 46 healthcare systems were targeted in 2023, compared with 25 in 2022. These attacks disrupt patient care and cause long-term financial and reputational harm. The healthcare sector has been particularly vulnerable, with breaches costing an average of $10.93 million per incident, the highest of any industry.

Given these rising threats, healthcare providers must prioritize cybersecurity. Key steps include:
The Department of Health and Human Services (HHS) reports a 256% rise in large healthcare data breaches over the past five years, with a 264% increase in ransomware attacks. To safeguard patient data, healthcare organizations must proactively strengthen their cybersecurity defenses, invest in advanced technologies, and foster a culture of cybersecurity awareness.

On September 26, 2024, Senators Ron Wyden (D-OR) and Mark Warner (D-VA) introduced the Health Infrastructure Security and Accountability Act to strengthen cybersecurity across the U.S. healthcare system. The bill directs HHS to enforce stricter cybersecurity standards for healthcare providers and related entities, with stronger rules for critical organizations. It removes the cap on HIPAA fines to deter large corporations from neglecting cybersecurity, and it allocates $800 million for safety-net hospitals and $500 million to help other hospitals improve their defenses.

In response to recent cyberattacks such as the one on Change Healthcare, which compromised patient data and disrupted care, the bill requires mandatory annual cybersecurity audits and stress tests for healthcare entities. It also authorizes HHS to audit 20 companies annually and imposes fines for non-compliance. The act establishes user fees to support oversight and allows HHS to provide advanced Medicare payments during cyber disruptions. Critics warn that these measures could disproportionately burden small and underfunded healthcare facilities.

A one-page summary of the bill can be found here. The legislative text can be found here. For additional resources on enhancing cybersecurity in healthcare, visit LUGPA's dedicated page: Improving Cybersecurity for Healthcare Providers.