Cyber Investigations in the Healthcare Sector

This is an Insight article, written by a selected partner as part of GIR's co-published content.
In February 2014, an advanced persistent threat (APT) actor based in China used a phishing scam to hack the computer of an employee at Anthem, Inc, one of the largest health insurance providers in the United States. During the next year, the APT actor obtained access to at least 90 systems within the company’s IT infrastructure, compromising the data of approximately 78.8 million patients nationwide. The ramifications of the breach – the largest of 2015 and still the largest healthcare sector data breach in US history – were costly, extensive and prolonged: a US$115 million class-action settlement with individuals whose protected health information (PHI) was compromised; a US$16 million settlement and corrective action plan imposed by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA); and a US$39.5 million global settlement of data breach, identity theft and consumer protection claims with 44 state attorneys general. The Anthem breach starkly illustrates the layered liability exposure that a cybersecurity event can create for participants in the healthcare industry.

Healthcare is one of the most heavily regulated sectors of the US economy and the data protection regulations that apply to healthcare entities at the state and federal levels are extensive. This chapter begins by exploring this complex regulatory framework and analyses key cybersecurity standards required by HIPAA (the primary federal statute governing the protection of PHI) and related authorities. The chapter then examines major cybersecurity threat vectors for the healthcare industry and concludes with a discussion of best practices to manage the risk of cyber intrusions.

Key cybersecurity standards for healthcare entities

The primary statutory and regulatory framework governing individually identifiable health information of US healthcare providers is the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and their implementing regulations found at Title 45 of the Code of Federal Regulations, Parts 160 and 164 (collectively, HIPAA).[2] The regulations implementing HIPAA are in three sections: (1) Security Standards for the Protection of Electronic Protected Health Information (the Security Rule); (2) Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule); and (3) the Breach Notification Rule. Although the focus of this chapter is electronic health information (EHI), it is important to note that HIPAA applies to all PHI, whether in paper or electronic format.

HIPAA applies to ‘covered entities’ – health plans, healthcare clearing houses and healthcare providers that transmit health information in electronic form in connection with certain financial or administrative transactions outlined in the regulations.[3] In 2009, as part of the HITECH Act, HIPAA’s Privacy and Security Rules were extended to include direct liability for certain entities that contract with healthcare providers, which HIPAA defines as ‘business associates’, expanding OCR’s enforcement jurisdiction and bolstering protections for providers that previously were only contractual in nature.[4] Business associates are persons or entities, other than members of a covered entity’s workforce, that perform certain functions or activities involving the use or disclosure of PHI for or on behalf of a covered entity. These activities include, for example, revenue cycle management, legal representation and other professional consulting, health information technology services, utilisation management, and health benefits or health plan administration. The definitions of ‘business associate’ and ‘covered entity’ are not mutually exclusive: a covered entity can also be a business associate of another covered entity, and it is important for covered entities to recognise arrangements in which they are acting as a business associate.

For violations of HIPAA, the OCR may impose civil monetary penalties of between US$100 and more than US$50,000 per violation, not to exceed US$1.5 million for identical violations in a calendar year. Factors determining the amount per violation include whether the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that it violated HIPAA; whether the violation was due to reasonable cause or wilful neglect; and whether the entity corrected the violation within 30 days of when it knew, or by exercising reasonable diligence, would have known that the violation occurred.[5] Potential fines and settlements with OCR can be costly, and OCR’s website is replete with examples of recent enforcement actions and multimillion-dollar settlements involving breaches concerning a failure to apply appropriate administrative, physical and technical safeguards in accordance with the Security Rule.[6] HIPAA does not grant a private right of action to individuals affected by a violation, but the HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents affected by a HIPAA violation.

HIPAA’s Security Rule

The adoption of technologies that enhance the mobility and efficiency of the healthcare workforce and give patients enhanced access to their medical records, such as electronic health records, electronic claims management and web-based applications, have increased security risks for covered entities, business associates and the patients they serve. HIPAA’s Security Rule establishes the framework for health information security, outlining the security standards to be followed by covered entities and their business associates to safeguard EHI, protect against reasonably anticipated security threats and minimise the risk of security incidents and other impermissible uses or disclosures of EHI.[7] Because the Security Rule aims to allow the adoption of new technologies that will improve the quality and efficiency of patient care, it does not dictate all security measures that covered entities and business associates are required to implement. Instead, it requires that entities use any security measures that ‘reasonably and appropriately implement the standards and implementation specifications’.[8] In determining these measures, covered entities and business associates must consider:

  • the entity’s size, complexity and capabilities;
  • the entity’s technical infrastructure, hardware and software security capabilities;
  • the costs of security measures; and
  • the probability and criticality of potential risks to the entity’s EHI.[9]

Both the Privacy and Security Rules outline ‘standards’, which are high-level requirements, and ‘implementation specifications’, which are specific measures designed to ensure adherence to a standard. In contrast to the Privacy Rule, however, and in recognition of the Security Rule’s flexibility, implementation specifications under the Security Rule are either ‘required’ or ‘addressable’. ‘Addressable’ implementation specifications are not optional; rather, they permit the covered entity or business associate to determine whether the specification is a reasonable and appropriate safeguard in its environment, taking into consideration how that particular specification contributes to protecting EHI. If the specification is not reasonable and appropriate, the entity must document the reasons why and implement an equivalent alternative measure, if reasonable and appropriate.[10]

The Security Rule outlines standards and implementation specifications in four broad categories: administrative safeguards, physical safeguards, technical safeguards and organisational requirements. In broad terms, administrative safeguards refer to eight standards that require an entity covered by HIPAA to manage the implementation and maintenance of security measures that protect EHI.[11] Key implementation specifications include a risk analysis, designation of a security official, implementation of security measures to reduce EHI vulnerabilities, adoption of a workforce sanctions policy and a regular review of system activity.[12] Entities covered by HIPAA also must implement policies and procedures that authorise access to EHI consistent with the Privacy Rule, address security incidents (including the identification and response to known or suspected security incidents) and outline emergency and disaster responses, and must implement a security awareness and training programme for workforce members.[13]

Physical safeguards refer to policies and procedures that physically limit access to an entity’s EHI and include facility access, workstation and device and media controls.[14] Technical safeguards refer to the technology that protects and controls access to EHI, including access, audit and integrity controls, person or entity authentication, and transmission security.[15] Organisational requirements require business associates to comply with applicable Security Rule requirements (including reporting breaches and implementing policies and procedures), enter into business associate agreements (BAAs), and ensure that any subcontractors that create, receive, maintain or transmit EHI also comply with applicable requirements and enter into appropriate written agreements.[16]

The Privacy Rule

The Privacy Rule establishes standards governing when covered entities may use or disclose PHI. Except as required or permitted under the Privacy Rule, covered entities may not use or disclose PHI unless authorised to do so in writing by the individual who is the subject of the PHI (or the individual’s personal representative). ‘Authorisation’ is a term of art under the Privacy Rule: it refers to an individual’s written permission to use or disclose PHI in a manner not otherwise required or permitted by the Privacy Rule, such as for marketing purposes. An authorisation must contain certain core elements, including a description of the records to be disclosed and a statement notifying the individual that the information disclosed may be subject to redisclosure by the recipient and no longer will be protected under the Privacy Rule.[17]

There are two situations under which the Privacy Rule requires the disclosure of PHI:

  • to the individual who is the subject of the PHI (or the individual’s personal representative) at the individual’s request for access or an accounting of disclosures; and
  • to the HHS as part of a compliance investigation or enforcement action.[18]

Although the Privacy Rule can be restrictive, in practice there are many situations where it permits the use or disclosure of PHI – most notably for treatment, payment and healthcare operations purposes.[19] For example, an individual’s primary care physician may consult with a specialist about the treatment of a patient without obtaining the individual’s permission to disclose his or her information to the specialist. Similarly, a physician may contact the individual’s insurance carrier regarding the status of a claim to facilitate payment for services the physician has rendered to the individual. Additionally, a covered entity may use or disclose PHI to a business associate for operations purposes, such as utilisation review, quality assessment and improvement, auditing, business planning and development, and for legal or accounting services.[20] Covered entities are not required to obtain an individual’s authorisation for disclosure to a business associate of PHI necessary for the business associate to perform a service for the covered entity; however, covered entities and business associates are required to execute BAAs containing certain required provisions and assuring that the business associate will comply with Privacy and Security Rule requirements.[21]

Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unencrypted PHI.[22] A breach is defined as the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI, as determined by a risk assessment.[23] If a breach has occurred, the entity will notify the affected individuals and, depending on the size of the breach, will notify the OCR either at or near the time of discovery of the breach, or when the covered entity makes its annual report to the OCR.[24] The covered entity or business associate also may be required to notify the media and post a notice on the entity’s website.[25] For many entities, the desire to avoid negative coverage, and the ensuing erosion of public and patient trust that can occur from a data breach, are key motivators to building a strong HIPAA compliance programme.

The term ‘breach’ excludes:

  • any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if made in good faith and within the scope of authority and if it does not result in further impermissible use or disclosure;
  • any inadvertent disclosure by a person authorised to access PHI at a covered entity or a business associate to another person authorised to access PHI at the same covered entity or business associate when the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; and
  • a disclosure of PHI where a covered entity or business associate has a good-faith belief that an unauthorised person to whom the disclosure was made would not reasonably have been able to retain the information.[26]

Any acquisition, access, use or disclosure of PHI that does not qualify as an exception is presumed to be a breach, unless the covered entity or business can demonstrate that there is a low probability that the privacy or security of the PHI has been compromised by utilising a risk assessment based on at least the following factors:

  • the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • the unauthorised person who used the PHI or to whom the disclosure was made;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to the PHI has been mitigated.[27]

Other key considerations include:

  • whether any sensitive financial information (e.g., account identifiers or social security numbers) or sensitive medical diagnoses or conditions were disclosed;
  • the relationship between the individual and the person who acquired or viewed the PHI;
  • whether the unauthorised person had an independent obligation to maintain the confidentiality of the PHI; and
  • whether the information was destroyed or returned.

Primary cybersecurity threat vectors for healthcare entities

A security incident, as defined by the Security Rule, is an attempted or successful access, use, disclosure, modification or destruction of information, or an interference with system operations in an information system. Entities covered by HIPAA are required to identify and respond to suspected or known security incidents, to mitigate the harmful effects of security incidents and to document security incidents and their outcomes.

Despite the long-standing requirements for safeguarding systems and data arising from the Security and Privacy Rules, the healthcare sector continues to be a vulnerable target for threat actors. This is, in part, a result of the sensitive nature of the PHI produced, processed and stored by healthcare organisations. In 2021, healthcare data breaches led to the exposure of more than 37.1 million individuals’ sensitive information.[28] Although the total number of healthcare data breaches reported for the year was fewer than in 2020, the 64,180 data breaches received by the OCR represent a significant increase from pre-covid-19 pandemic levels.[29]

These figures and the trend of growing threat activity underscore the need for organisations to secure PHI. This effort starts with an exhaustive understanding of where that data resides within organisations’ networks. In 2021, OCR found the most common location for compromised data was network servers – representing 57 per cent of healthcare data breaches in 2021. Email represented the second most common location.[30]

The movement to cloud-based or hybrid network architecture makes the task of locating and securing all the areas where organisations’ sensitive data resides even more difficult. This is particularly true for small to medium-sized organisations that contract out many of their IT requirements. However, HIPAA’s mandated risk analysis and risk management require organisations to undertake this effort to understand the entirety of their networks, identify potentially insecure PHI and reduce vulnerabilities across their enterprises.[31] The top 10 healthcare data breaches reported to the OCR during the past five years have affected approximately 80 million individuals.[32] With respect to breaches reported to the OCR during the two-year period from 2019 to 2020, a substantial majority (71.87 per cent) were due to hacking or IT-related incidents affecting an average of approximately 80,500 individuals per incident.[33] Unauthorised access or disclosure accounted for approximately 19 per cent of breaches, and the remaining 10 per cent were attributed to improper disposal, misplacement and theft of PHI.[34] Healthcare providers have been affected the most, accounting for approximately 79.18 per cent of breach incidents; other targeted entities include business associates (11.11 per cent), health plans (9.42 per cent) and healthcare clearing houses (0.28 per cent).[35]

Ransomware attacks are perhaps the most formidable emerging cybersecurity threat for the healthcare industry, causing nearly half of all malware-related breaches targeting this sector.[36] Ransomware attacks on healthcare entities in the United States alone cost approximately US$7.8 billion in 2021,[37] a year that saw targeted ransomware attacks on the healthcare sector and a high number of related data breaches in part due to the easing of certain telehealth regulations by the HHS in response to the covid-19 pandemic.[38] In July 2022, the US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and US Department of Treasury issued a joint advisory on North Korean state-sponsored actors’ use of the Maui ransomware strain to target the healthcare and public health sectors.[39] Although healthcare entities are often aware of the typical consequences of a ransomware attack such as reputational harm, administrative burden and financial costs, it is important to recognise that the payment of a ransom to an entity that has been sanctioned by the US Department of Treasury’s Office of Foreign Assets Control (OFAC) may expose an organisation to additional liabilities, as highlighted by the aforementioned joint advisory.[40] Moreover, one study found that data breach remediation efforts, particularly those concerning ransomware attacks, can be associated with decreased patient care outcomes and negatively affected timeliness of care.[41]

In addition to the direct threat of infiltration to a healthcare system, covered entities should be aware of the risk of ransomware attacks on their business associates and how breaches at the vendor level can affect the covered entity’s operations. For example, cloud computing provider Blackbaud, Inc became aware of a large-scale ransomware attack in May 2020 that had been ongoing for approximately three months. According to information obtained from the cloud provider’s public statements and required government notifications, a cybercriminal exfiltrated a subset of data from a self-hosted environment affecting millions of individuals across dozens of healthcare entities nationwide.

Business email compromise and phishing

Although ransomware attacks have increased in frequency and scale since the onset of the covid-19 pandemic, phishing attempts and targeted email compromise campaigns are probably the most common cybersecurity attacks on the healthcare industry.[42] Healthcare entities should ensure employees are routinely trained to be aware of the threat of phishing and typical techniques used in third-party emails that attempt to obtain sensitive information, such as employee account compromise, high-level executive fraud or impersonation, and bogus invoice schemes.

For example, spear phishing attempts in the healthcare sector often take timely topics and use targeted messaging to infiltrate an unsuspecting recipient’s system. Beginning in 2020, business email compromise schemes frequently used information about covid-19, particularly within the healthcare industry. The HHS has issued notifications regarding emails from hackers posing as the Centers for Disease Control and Prevention and claiming to provide information about covid-19 safety measures or a link to an ‘incident management system’, or posing as company employees providing a link to a new ‘disease management policy’.[43] At the height of the covid-19 pandemic, hackers impersonated suppliers to persuade in-house purchasing department employees to initiate wire transfers for personal protective equipment.[44] Agent Tesla, a remote access trojan capable of giving attackers full computer or network access by harvesting credentials, sensitive information, keystrokes, screen activity and form data, was distributed in a number of covid-19-related phishing campaigns specifically targeting the healthcare sector, including campaigns with malware-laden attachments such as ‘COVID 19 NEW ORDER FACE MASKS’ or ‘COVID-19 Supplier Notice’.[45]

Insider threats

Insider threats play a disproportionately large role in the healthcare space, and the OCR observed in 2019 that 69 per cent of data breaches involving health sector entities had some nexus to an insider acting intentionally or inadvertently.[46] In its 2021 report to Congress, the OCR noted the single largest breach for the year resulted from two former employees hacking into a healthcare provider’s server, exposing the ePHI of 3,253,822 individuals.[47] The OCR recommends that the best way to guard against insider threats is to detect and prevent leakage of data through certain security protocols and processes. In terms of security processes, organisations should be aware of where data is stored, who is permitted to access specific types of data within the organisation, and how authorised users are permitted to interact with the data.[48] The OCR recommends that organisations implement safeguards, detection software and audits to promptly identify unauthorised access, and to be especially mindful of these processes in high-risk situations, such as when an employee is involuntarily dismissed.[49]
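The ‘regular review of system activity’ required by the Security Rule and the OCR’s recommendation above (detection software and audits that promptly identify unauthorised access, especially around an involuntary dismissal) can be illustrated with a small audit-log review. The following is an added example, not code from the article or from any HHS or OCR tool: the pipe-separated log format, the HR roster, the user ids and the patient record ids are all constructed for the example, and the two rules (access by a terminated or unknown account, and bulk access to many distinct records in a short window) are illustrative thresholds an organisation would tune to its own environment.

```python
"""Audit-log review for unauthorised EHI access (illustrative, constructed data).

Assumed log format: one event per line, pipe-separated:
    ISO-8601 timestamp | user id | action | patient record id
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log; not taken from any real system.
SAMPLE_LOG = """\
2022-03-01T09:02:11|jdoe|VIEW|P-10001
2022-03-01T09:05:40|jdoe|VIEW|P-10002
2022-03-01T09:06:02|asmith|VIEW|P-20044
2022-03-02T18:40:13|rlee|VIEW|P-30001
2022-03-02T18:40:20|rlee|VIEW|P-30002
2022-03-02T18:40:27|rlee|EXPORT|P-30003
2022-03-02T18:40:33|rlee|VIEW|P-30004
2022-03-02T18:40:39|rlee|VIEW|P-30005
2022-03-02T18:40:45|rlee|VIEW|P-30006
2022-03-03T08:15:00|asmith|VIEW|P-20044
"""

# Constructed HR roster: user id -> time the account should have been disabled
# (None = still employed). rlee was dismissed on 2 March 2022 at 17:00.
ROSTER = {
    "jdoe": None,
    "asmith": None,
    "rlee": datetime(2022, 3, 2, 17, 0),
}


def parse_audit_log(text):
    """Parse the assumed pipe-separated format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, record = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return sorted(events, key=lambda e: e["ts"])


def terminated_account_access(events, roster):
    """Flag every EHI access by an account that is unknown to HR or past its termination time."""
    findings = []
    for e in events:
        if e["user"] not in roster:
            findings.append({"rule": "unknown_account", "user": e["user"],
                             "ts": e["ts"], "record": e["record"]})
            continue
        disabled_at = roster[e["user"]]
        if disabled_at is not None and e["ts"] >= disabled_at:
            findings.append({"rule": "terminated_account", "user": e["user"],
                             "ts": e["ts"], "record": e["record"]})
    return findings


def bulk_record_access(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a user who touches more than `threshold` distinct records within `window`.

    Repeated access to the same record (normal for a treating clinician) does not
    count; only the number of distinct patient records in the window matters.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            records = {x["record"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(records) > threshold:
                findings.append({"rule": "bulk_access", "user": user,
                                 "ts": start["ts"], "count": len(records)})
                break  # one finding per user is enough to trigger a review
    return findings


def review_system_activity(log_text, roster, threshold=5, window=timedelta(minutes=5)):
    """Run both rules over a log and return the combined findings for the security official."""
    events = parse_audit_log(log_text)
    return terminated_account_access(events, roster) + bulk_record_access(events, threshold, window)


if __name__ == "__main__":
    for finding in review_system_activity(SAMPLE_LOG, ROSTER):
        print(finding)
```

On the constructed data, every finding concerns the dismissed user: six accesses after the account should have been disabled, and one bulk-access finding for six distinct records in about half a minute.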

Advanced persistent threats

Long-term cybersecurity attacks often originate from hostile, state-sponsored foreign actors, known as advanced persistent threats (APTs). The OCR has observed that the most concerning aspect of APTs is the ability of the threat actor to remain undetected by constantly modifying tactics that allow the APT to persist within an entity’s IT system.[50] APTs are routinely engaged in cybersecurity attacks on healthcare entities in the United States and elsewhere, and frequently involve zero-day exploits.[51] The OCR recommends implementing certain safeguards, such as encryption and access controls, to mitigate the harm caused by APTs. The HHS Cybersecurity Program has recommended additional tactics that organisations may implement to mitigate the potential harm caused by APTs: security monitoring, understanding APT tactics, increased identification of APTs, updating networks and VPNs (virtual private networks), and maintaining up-to-date IT resources to prevent vulnerabilities.[52]

Internet of Medical Things

Internet of Medical Things (IoMT) devices are able to collect, analyse and transmit healthcare data, saving the healthcare industry billions of dollars annually thanks to their ability to facilitate remote patient monitoring.[53] The increase in IoMT is due, in part, to the increased number of connected medical devices (there are approximately 120 million connected IoMT devices in the United States alone, all of which are potentially vulnerable to cyberattack). In April 2022, the US Food and Drug Administration announced updated draft guidance for cybersecurity in medical devices. This guidance addresses cybersecurity risks in medical devices through a total product life cycle approach.[54] This approach requires organisations to account for the security of their products from design to final use, leveraging measures such as a software bill of materials and a vulnerability management programme. This guidance coincides with the European Union’s proposed legislation, the Cyber Resilience Act, which seeks to regulate digital products during their life cycle through similar measures.[55]

Best practices for managing cyber intrusions

The threat of cyber intrusions in healthcare is varied, complex and has the potential to trigger substantial liability on the part of providers under the myriad of laws and regulations that may be implicated by a breach. Medical records and other PHI are highly valued bundles of information that command high prices on the dark web, thereby further encouraging cybercriminals to target healthcare providers. As such, being prepared for – and effectively responding to and managing – a security incident or breach of EHI is essential, particularly in light of the demanding regulatory requirements that apply to cybersecurity in the healthcare industry.

Risk assessments and security audits

The threshold step in preventing and mitigating security incidents and PHI-related breaches requires conducting a risk analysis that identifies and implements safeguards that carry out Security Rule standards and implementation specifications.[56] The risk analysis should be ‘an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate’.[57] According to the HHS, a risk analysis is ‘foundational’ to an entity’s compliance with the Security Rule and the protection of EHI.[58] Providers and their business associates should conduct an initial risk analysis and thereafter periodically repeat risk analyses as technology, amount or type of EHI, or other circumstances change, and when threats are detected.

The OCR issues annual guidance on the Security Rule and has consistently explained that the risk analysis is not a ‘one size fits all’ undertaking and does not guarantee compliance with the Security Rule. Instead, the OCR maintains that each risk analysis must be tailored to the ‘characteristics of the organization and its environment’.[59] Accordingly, covered entities and business associates should regularly review their size and complexity, the volume of their EHI and how it is used, and their technical capabilities and available resources. Because these factors can change rapidly, particularly as technology develops and healthcare delivery models evolve, entities subject to HIPAA’s Security Rule should assure that IT resources are current and commensurate with the amount and content of their EHI and the ways in which they use EHI.[60]

The OCR suggests that the following non-exhaustive list of questions can help guide an organisation’s risk analysis:

  • Has the organisation identified all the EHI that it creates, receives, maintains or transmits?
  • What are the external sources of EHI? For example, do vendors or consultants create, receive, maintain or transmit EHI?
  • What are the human, natural and environmental threats to information systems that contain EHI?[61]

OCR guidance also delineates specific areas that regulated entities should consider as a part of a comprehensive HIPAA-compliant risk analysis:

  • Assess current security measures: Organisations should assess and document the security measures an entity uses to safeguard EHI, whether security measures required by the Security Rule are in place, and if current security measures are configured and used properly.[62]
  • Determine the likelihood of threat occurrence: The Security Rule requires organisations to take into account the probability of potential risks to EHI. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Security Rule requires protection against because they are ‘reasonably anticipated’.[63]
  • Determine the potential impact of threat occurrence: The Security Rule requires consideration of the ‘criticality’, or impact, of potential risks to confidentiality, integrity and availability of EHI.[64]
  • Determine the level of risk: Organisations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis.[65]

Ultimately, covered entities and business associates should carefully consider the threat environment in which they operate and tailor the frequency of the risk assessment accordingly. For example, a provider that is a hospital system operating in multiple locations and providing services to a large number of patients – and any business associates of the provider – should strongly consider an annual or more frequent risk assessment to ensure that their systems and processes are secure. Regardless of an entity’s size and sophistication, however, a risk assessment may also be needed if the entity introduces new technologies to its operations, acquires other entities or facilities, or becomes aware of a specific type of breach experienced by a similarly situated entity.

Although the Security Rule does not require a specific format for documenting an entity’s risk analysis, it does require the risk analysis to be documented, and providers should take care to do so.[66]

Workforce training

According to Verizon’s 2022 data breach investigations report, the human factor continues to be the weak link for organisations’ cybersecurity practice.[67] Of the approximately 5,000 confirmed data breaches analysed for the report, 82 per cent involved a human element. Phishing and social engineering often lead to employees clicking on files or links that harvest credentials, which threat actors use to infiltrate systems and networks.[68]

When it comes to cybersecurity, a little bit of paranoia is a good thing. Consistent messaging from a security team and test-phishing campaigns go a long way to maintain diligence across the workforce. Targeted and engaged security training can bring to life the threats that exist in ways mass online training may not. Where heightened engagement cannot occur for everyone, organisations should focus their efforts on individuals and departments often targeted by threat actors owing to their privileges or access to sensitive data, including executives, human resources departments and accounting departments.

Updating systems and architecture

Zero-trust architecture moves past traditional security models that assumed everything inside a network should be implicitly trusted. The security framework starts with the assumption that the network is already compromised, so anyone seeking access must prove their identity and authority to do so. Rather than relying on a trusted perimeter, a zero-trust architecture protects modern, complex infrastructures by leveraging basic zero-trust tenets, including strong authentication methods, network segmentation, endpoint detection and response tools, and ‘least access’ or ‘least privilege’ policies, to name a few.[69]

Among the benefits of a zero-trust architecture, this framework reduces an organisation’s attack surface, increases visibility into an organisation’s network and accounts for modern-day work models, in which employees work from anywhere and use their own devices to connect to the network. In the Executive Order on Improving the Nation’s Cybersecurity, the Biden administration committed to modernising the federal government’s security architecture, with an eye towards implementing a zero-trust architecture across agencies.[70] Organisations should follow suit.

Security incident and breach response

To respond effectively to a security incident and a potential breach of EHI, covered entities and business associates should have clear security incident procedures and response and reporting processes in place before the incident occurs. The security incident response plan should outline the steps to take when a security incident occurs or is suspected. An entity’s workforce should be adequately trained in how to identify a security incident, including understanding early indications of a ransomware attack and common business email compromise and phishing schemes, and in how and to whom to report a security incident or a breach of EHI. Entities should have a data backup plan that creates and maintains retrievable exact copies of EHI,[71] a disaster recovery plan that includes procedures to restore lost data, and an emergency mode operation plan that includes procedures to enable continuation of critical business processes and protection of the security of EHI while operating during an emergency. Entities should periodically test and revise contingency and emergency response plans, assess the criticality of specific applications and data in support of other contingency plan components, and periodically re-evaluate policies and procedures to confirm that they continue to meet Privacy and Security Rule requirements.
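As an added illustration of the ‘retrievable exact copies’ and test-restoration points above (example code written for this chapter, not from the authors, OCR or any product): a manifest of SHA-256 digests recorded at backup time lets a test restore be checked file by file for missing, altered or unexpected records. The file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 digest of every file under root, keyed by relative path.
    Taken at backup time and stored with (ideally offline) backups, this is the
    reference an 'exact copy' must match."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a test-restored tree against the backup-time manifest.
    Returns the relative paths that are missing, altered or unexpected;
    an exact restore yields three empty lists."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "altered": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> tuple:
    """Constructed scenario: back up two sample records, then run two test
    restores, one faithful copy and one in which a record was corrupted and
    another dropped. Returns (report_exact, report_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "ehi"
        source.mkdir()
        (source / "patient_0001.json").write_text('{"mrn": "0001", "dx": "sample"}')  # constructed
        (source / "patient_0002.json").write_text('{"mrn": "0002", "dx": "sample"}')  # constructed
        manifest = build_manifest(source)

        good = Path(tmp) / "restore_good"
        shutil.copytree(source, good)  # faithful restore

        bad = Path(tmp) / "restore_bad"
        bad.mkdir()
        (bad / "patient_0001.json").write_text('{"mrn": "0001", "dx": "SAMPLE"}')  # altered
        # patient_0002.json is absent from the bad restore
        return verify_restore(manifest, good), verify_restore(manifest, bad)
```

Any non-empty list in the report means the backup is not an exact, retrievable copy and the backup process, not just the restore, needs review.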

When covered entities or business associates become aware of a potential security incident, it is critical to respond in an organised, focused and prompt manner. The entity should have a designated team of response experts – whether inside or outside the entity – that is tasked with receiving reports of security incidents, responding promptly and investigating the reports. This response team should be able to identify, contain and ultimately eliminate the source of the incident and restore the entity’s IT systems to a secure state. The response team should, among other things, identify:

  • the genesis of the suspected incident;
  • the type and nature of the incident;
  • the duration of the incident and whether it is ongoing;
  • the extent of the incident, including affected data types and systems;
  • whether a breach of EHI occurred and, if so, the identities of affected individuals (which may include workforce members and patients);[72] and
  • the necessary steps to stop the incident (if ongoing) and to re-secure the affected information systems.

In the event of a ransomware attack, the response team also should advise the entity, along with legal counsel, on whether and how the compromised data may be retrieved.

As soon as the incident or breach is discovered, the entity should consult legal counsel to determine whether the incident must be reported, to whom, to what extent, and within what time frame. Even if an investigation is under way, immediate consideration of these matters is essential, as the Breach Notification Rule requires notice to affected individuals ‘without unreasonable delay’, and in no event more than 60 days from the date of discovery. Moreover, given the host of state laws that may be applicable in addition to HIPAA, determining whether the incident is reportable and to which agencies, and whether individual and media notices are required, is a critical but complex analysis. Legal counsel, therefore, must become intimately familiar with the incident and its consequences to effectively assess the entity’s reporting obligations and to help develop an appropriate timeline for reporting.

Heightened vigilance and responsiveness in a post-covid world

The covid-19 pandemic heightened the need for covered entities and business associates to conduct comprehensive risk assessments and to respond promptly to suspected breaches. As the United States raced to develop and deploy effective covid-19 vaccines and tens of millions of Americans received treatment and vaccinations in 2020 and 2021, healthcare providers were inundated with PHI. Hackers and other cybercriminals were aware of this, which made healthcare providers more attractive targets for breaches.

Of particular concern surrounding the covid-19 pandemic and cybersecurity is the fact that the pandemic was not and is not an isolated public health crisis, but one that will last for years. As such, hackers and cybercriminals may have been more inclined during the pandemic to breach providers’ systems and to lie in wait to collect the vast amounts of PHI that continue to be collected. This type of breach tactic is not without precedent in healthcare. For example, in January 2021, the HHS announced a US$5.1 million settlement with Excellus Health Plan (Excellus), a health services corporation that provides health insurance coverage to citizens of New York State.[73] In September 2015, Excellus reported that a breach lasting from December 2013 to May 2015 resulted in the impermissible disclosure of 9.3 million individuals’ PHI.[74] According to the OCR, the hackers roamed undetected in Excellus’s systems and harvested PHI for more than a year.[75]

The Excellus settlement serves to underscore the increased need for vigilance in the post-covid-19 world. In particular, owing to the heightened potential for long-term attacks like the one demonstrated in the Excellus matter, entities should consider engaging in routine risk assessments to identify potential security vulnerabilities and breaches as early as possible.


[1] David C Rybicki, Gina L Bertolini and John H Lawrence are partners at K&L Gates LLP.

[2] As a general rule, the Health Insurance Portability and Accountability Act (HIPAA) pre-empts state laws pertaining to the privacy and security of health information, except where state laws provide greater privacy protections than those contained in the HIPAA Privacy Rules. In addition, many state laws mandate security incident or breach notification provisions in addition to those outlined in HIPAA’s Privacy and Security Rules. Accordingly, because HIPAA may not be the only regulatory framework that healthcare sector entities must observe in relation to data privacy and security, they should be mindful of other state and federal laws that apply to certain sensitive data, such as substance use disorders, genetic information, mental health and other sensitive diagnoses.

[3] 45 C.F.R. §160.103.

[4] The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was enacted as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, 42 U.S.C. §17934. The HITECH Act applies to certain of HIPAA’s privacy and security provisions and creates liability for business associates under HIPAA’s Privacy and Security Rules. Prior to this statute and the US Department of Health and Human Services’s (HHS) 2013 HIPAA Final Rule (78 Fed. Reg. 5566 (25 January 2013), et seq.), business associate liability was limited to contractual remedies available under a mandatory business associate agreement (BAA) with a covered entity. Although the 2013 Final Rule identified specific provisions of HIPAA that apply to business associates, BAAs are still mandatory under HIPAA. The HITECH Act also established breach notification obligations through implementation of the Breach Notification Rule and expanded penalties for violations of the Privacy and Security Rules.

[5] 45 C.F.R. §160.401, et seq.

[6] See, e.g., ‘Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People’ (15 January 2021) (last accessed via archive search 10 May 2023).

[7] 45 C.F.R. §164.306(a).

[8] ibid. §164.306(b)(1).

[9] ibid. §164.306(b)(2).

[10] ibid. §164.306(d)(3).

[11] ibid. §164.308.

[12] ibid. §164.308(a)(1)(ii), (a)(2), (b)(8).

[13] ibid. §164.308(a)(4), (a)(5)(ii), (a)(6), (a)(7)(i).

[14] ibid. §164.310(a)(2), (b)(2), (d)(1)–(d)(2).

[15] ibid. §164.312.

[16] ibid. §164.314.

[17] ibid. §164.508(c)(2)(iii).

[18] ibid. §164.502(a)(2).

[19] ibid. §164.502(a)(1). The term ‘healthcare operations’ refers to certain administrative, financial, legal and quality improvement activities necessary to support the covered entity’s treatment and payment functions. Ibid. §164.501.

[20] ibid. §164.501.

[21] ibid. §164.502(e)(2); see id. §164.508(b)(3).

[22] ibid. §164.404.

[23] ibid. §164.402.

[24] ibid. §§164.404, 164.408.

[25] ibid. §164.406.

[26] ibid. §164.402(1).

[27] ibid. §164.402(2).

[28] US Department of Health and Human Services Office for Civil Rights (OCR), ‘Annual Report to Congress on Breaches of Unsecured Protected Health Information: For Calendar Year 2021’ (17 February 2023) (last accessed 10 May 2023).

[29] id.

[30] id.

[31] See 45 C.F.R. §164.308(a) and (b).

[32] See OCR Breach Portal: Cases Currently Under Investigation (last accessed 10 May 2023).

[33] See OCR Breach Portal.

[34] See id.

[35] See id.

[36] Tenable Blog, ‘The Tenable Research 2020 Threat Landscape Retrospective’ (14 January 2021) (last accessed 10 May 2023).

[37] Comparitech, ‘Ransomware attacks on US healthcare organizations cost $20.8bn in 2020’ (10 March 2021).

[38] See SecurityScorecard & DarkOwl, ‘Listening to Patient Data Security: Healthcare Industry and Telehealth Cybersecurity Risks’ (28 August 2020) (last accessed 10 May 2023).

[39] Cybersecurity & Infrastructure Security Agency, et al., ‘Alert Code AA22-187A: North Korean State-Sponsored Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector’ (7 July 2022) (last accessed 10 May 2023).

[40] id.

[41] Sung J Choi, et al., ‘Data breach remediation efforts and their implications for hospital quality’, Health Services Research (10 September 2019).

[42] HHS Cybersecurity Program, ‘Business Email Compromise in the Health Sector’ (9 July 2020) (last accessed 10 May 2023).

[43] White Paper: ‘Coronavirus Theme E-mail Phishing’, Health Sector Cybersecurity Coordination Center (HC3) (3 February 2020) (last accessed 10 May 2023).

[44] See ‘Business Email Compromise in the Health Sector’, op. cit. note 42.

[45] Health Sector Cybersecurity Coordination Center (HC3), ‘Remote Access Trojan “Agent Tesla” Targets Organizations with COVID-themed Phishing Attacks’ (16 June 2020) (last accessed 10 May 2023).

[46] See ‘Summer 2019 OCR Cybersecurity Newsletter’ (29 August 2019) (last accessed 10 May 2023).

[47] OCR, ‘Annual Report to Congress on Breaches of Unsecured Protected Health Information: For Calendar Year 2021’, op. cit. note 28.

[48] See ‘Summer 2019 OCR Cybersecurity Newsletter’, op. cit. note 46.

[49] See id.

[50] See id.

[51] See id.

[52] See id.

[53] See TechTarget Network, IoT Agenda, ‘IoMT: A pulse on the internet of medical things’ (8 August 2018) (last accessed 10 May 2023).

[54] US Food & Drug Administration, ‘Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions’ (April 2022) (last accessed 10 May 2023).

[55] European Commission, Cyber Resilience Act (15 September 2022) (last accessed 10 May 2023).

[56] ‘Guidance on Risk Analysis’ (22 July 2019) (HHS Guidance on Risk Analysis) (last accessed 10 May 2023).

[57] 45 C.F.R. §164.308(a)(1)(ii)(A).

[58] HHS Guidance on Risk Analysis, op. cit. note 56.

[59] id.

[60] id.

[61] id.

[62] See 45 C.F.R. §§164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).

[63] ibid. §164.306(b)(2)(iv).

[64] id.

[65] See ibid. §§164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1).

[66] See ibid. §164.316(b)(1).

[67] Verizon, ‘Data Breach Investigations Report 2022’ (May 2022) (last accessed 10 May 2023).

[68] id.

[69] National Institute of Standards and Technology (NIST), Special Publication 800-207, ‘Zero Trust Architecture’ (10 August 2020) (last accessed 10 May 2023).

[70] Executive Order on Improving the Nation’s Cybersecurity (EO 14028) (12 May 2021) (last accessed 10 May 2023).

[71] OCR recommends that entities periodically conduct test restorations to verify the integrity of backup data and, because some ransomware variants remove or otherwise disrupt online backups, consider maintaining offline backups. See ‘FACT SHEET: Ransomware and HIPAA’ (last accessed 10 May 2023).

[72] The presence of ransomware (or any malware) is a security incident under HIPAA that may result in an impermissible disclosure of electronic health information in violation of the Privacy Rule and, depending on the facts and circumstances, may constitute a breach, as defined by the Privacy Rule.

[73] ‘Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People’, op. cit. note 6.

[74] id.

[75] id.
