While digitalization has revolutionized healthcare delivery, patients now entrust clinicians with sensitive health information under the expectation that it will remain private and protected. This trust — crucial yet fragile — is grounded in the assurance of data security and confidentiality. However, because electronic health records (EHRs) hold large volumes of protected health information (PHI), they are attractive targets for cybercrime, including phishing and ransomware. As a result, cybersecurity is not just a technical concern — it is a vital component of patient care.
According to IBM’s Cost of a Data Breach Report, the average global cost of a data breach has surged to $4.88 million — a 10 percent increase from the previous year and the highest recorded to date. This is a concerning aspect of today’s healthcare world, and steps must be taken to ensure the utmost care in securing data.
GenAI Is Expanding the Attack Surface
As Generative AI reshapes business operations, a new wave of cybersecurity risks are introduced. Embedding AI tools into daily workflows expands the attack surface — AI-generated code may contain flaws, models can unintentionally expose sensitive data, and attackers can increasingly leverage threats like prompt injection, data poisoning, and deep fakes to infiltrate systems. The healthcare industry is facing a global shortage of cybersecurity professionals, with a recent HIMSS/Trimex study noting 74 percent of organizations feel understaffed to handle rising cyber threats.
Without proactive measures, the financial and operational burden of managing AI-driven security threats, including data breaches, regulatory penalties, reputational damage, and costly remediation, may become unsustainable. To remain resilient, businesses must re-evaluate their cybersecurity strategies and invest in advanced, AI-driven solutions and defenses that extend beyond the capabilities of traditional tools.
Five Key Strategies for Strengthening Data Security in Healthcare
To effectively navigate the evolving landscape, healthcare organizations must adopt a comprehensive and resilient approach to data security, including:
- Staff Education and Awareness: Human errors remain a leading cause of cyber incidents. Regular training is essential to help staff recognize phishing attempts, avoid unsafe links, use strong passwords, and understand their role in maintaining cybersecurity.
- Physical and Technical Security Controls: Complying with HIPAA and Health Information Trust Alliance (HITRUST) standards, strict safeguards must be implemented including access-controlled facilities; on-site personnel; secure environments for data servers and employee devices; use of secure VPNs when accessing client data remotely and following password hygiene protocols; multi-factor authentication; regular system updates; and mandatory real-time incident reporting.
- Data Encryption and Secure Exchange: All patient data, especially PHI, must be encrypted during storage and transmission to ensure maximum protection during the exchange of health information.
- Role-Based Access Control: Access to sensitive information must be restricted based on roles, with system administrators assigning credentials that limit users to only the data necessary for their responsibilities.
- Appropriate Third-Party Partnerships: It’s critical to carefully select any third-party partnerships to ensure they meet industry-recognized cybersecurity standards, including SOC (System and Organization Controls) and HITRUST certifications. Relationships should include performing regular security audits and ensuring partner contracts include clear security requirements.
Achieving Cybersecurity Gold Standard
Healthcare providers must implement robust security safeguards in compliance with HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the HITRUST framework to ensure cybersecurity and patient data privacy. Among these, HITRUST is widely recognized as the gold standard for healthcare data security, offering a comprehensive, certifiable approach to managing risks. Achieving HITRUST (r2, i1, or e1) certification demonstrates a strong commitment to the highest levels of security, privacy, and regulatory compliance. This is table stakes for doing business in the 21st century.
As cyberattacks and malware become more frequent and sophisticated, it is critical for healthcare providers to adapt to modern IT infrastructure. By deploying the right cybersecurity measures, the challenges of data affordability and accessibility can be addressed. Handicapping the medical system can lead to delays in diagnosis and disease prevention and thus place greater strain on providers, leading to higher physician burnout. As clinical staff shortages continue, healthcare organizations must build a strong and secure technology infrastructure that supports clinicians more efficiently.
About Phillina Lai
Phillina Lai is the Chief Legal and Compliance Officer at IKS Health. She has 20 years of experience building and leading legal teams across industries, including healthcare, energy, logistics, and distribution. At IKS Health, Lai leads the legal and compliance functions for both the United States and India. She earned her B.A. and M.A. degrees from Stanford University and her law degree from Northwestern University.
