Part 1 of the 2025 American Hospital Association (AHA) review of healthcare cybersecurity revealed that from January to October 3, 2025, there were 364 hacking incidents that resulted in the compromise of the health records of 33 million Americans. Although these numbers are terrible, they are an improvement on 2024, when the sensitive health information of 259 million Americans was stolen. The theft of 190 million of those records was attributed to the Change Healthcare ransomware attack.
In each of the past four years, over 700 large data breach reports were submitted, most of which were due to hacking incidents. The AHA report showed that 100% of breached data files were unencrypted. Had encryption been implemented, those data breaches could have been avoided: a breach only exposes unencrypted data, unless the attacker also obtains the decryption keys along with the encrypted data.
The AHA analysis showed that in the last couple of years, most protected health information (PHI) stolen in security incidents was not taken from hospitals; it was stolen from non-hospital providers, business associates, and health plans, such as the Centers for Medicare and Medicaid Services. Also, just 10% of hacking incidents involved the theft of data from EHRs.
Healthcare information is stored in a variety of devices and systems, and healthcare companies may give PHI access to many business associates. Safeguarding all of that information is difficult, but it can be done with a detailed and updated listing of all assets and information locations, which include network-linked medical devices. Healthcare companies should also monitor their business associates and the information given to each.
Without an accurate inventory, it is inevitable that some data will be exposed and possibly accessed by unauthorized persons, whether internal or external actors. To protect against data theft, it is necessary to continuously map your information, systems, network traffic, applications, and devices so that the asset inventory stays correct and up to date.
Additionally, when evaluating cyber risk exposure, it is necessary to understand third-party risk, such as that from third-party applications and medical devices. Any technology vendor should provide a software bill of materials (SBOM), a detailed listing of all components used in building the software. Without an SBOM, healthcare companies may not be aware when a subcomponent in a device or application has a vulnerability that could be exploited.
Once the inventory is up to date, the recommended security measures must be implemented to safeguard all devices and information held by the company. Managing internal threats can be made simpler by following a framework guide, and putting fundamental cybersecurity practices in place removes a great deal of cyber risk.
The AHA recommends using the HHS Cybersecurity Performance Goals as a guide to the high-impact practices that defend against the most frequent cybersecurity threats, adopting the advice and guidelines in the Healthcare Industry Cybersecurity Practices (HICP), and implementing the NIST Cybersecurity Framework to better understand, evaluate, and prioritize problems.
It is likewise necessary to train employees on HIPAA, internal policies and procedures, and cybersecurity measures. Verizon noted in its Data Breach Investigations Report that most data breaches involve a human element. HIPAA training helps minimize that human risk.
Image credit: Suriyo, AdobeStock