Cyber Security (The Journal of mHealth, https://thejournalofmhealth.com)
The Essential Resource for HealthTech Innovation
Feed last built Wed, 18 Jun 2025 14:33:29 +0000

Combating the Rise of Telehealth Scams
https://thejournalofmhealth.com/combating-the-rise-of-telehealth-scams/
Thu, 19 Jun 2025 06:00:01 +0000

Remote health care has offered more access and convenience to patients and doctors, but it has also opened more opportunities for fraud. Telehealth scams exploit virtual visits and online communications. Their impact is twofold: they can drain organizational resources and expose systems to cybersecurity risks. Health care IT specialists need to understand how fraud arises in telehealth and which systems are strong enough to keep virtual care safe.

What Are Telehealth Scams?

Telemedicine scams misuse virtual health care platforms to defraud patients, providers and government programs. These schemes often appear legitimate, only to exploit sensitive data or commit fraud for money.

The financial consequences can be significant. Within the last few years, the Justice Department has focused more on these digital health platforms, as they have become more embedded in everyday care delivery. In 2024, its National Health Care Fraud Enforcement Action pursued felony charges against 193 defendants across the United States.

Thirty-six of those were directly tied to telemedicine-related fraud schemes, which involved over $1.1 billion in fraudulent claims submitted to Medicare. The federal government has begun to crack down on virtual health care because physical distance and the spread of technology increase the potential for fraud.

Common Types of Telehealth Scams

Online health care scams involve various tactics, including:

  • Fake telehealth providers: Scammers pose as licensed doctors or health services, setting up fake websites that trick patients into providing payment or insurance details.
  • Phantom billing: Fraudsters use stolen credentials or manipulate electronic health record (EHR) systems to bill Medicare or insurers for services never provided.
  • Kickback schemes: Fraudulent telehealth operations often pay providers or marketers to refer large volumes of unnecessary services or prescriptions, violating anti-kickback statutes.
  • Phishing and impersonation: Cybercriminals send emails or texts mimicking telehealth platforms, luring users to click malicious links or submit personal data under false pretences.

While fraudsters will use various deceptive tactics, they all have one goal in mind. Their objective is to steal a Social Security number, financial credentials, or insurance information and use it for fraudulent billing or identity theft. Telehealth services are expanding each day, so criminals are constantly coming up with new ways to target doctors and patients to evade authorities and health care companies.

Warning Signs to Be Aware Of

Telehealth scams often leave traces within digital systems that IT professionals can look for to prevent large-scale fraud and data breaches.

Abnormal Billing or Usage Patterns

Watch for sudden increases in telehealth billing codes or claims for services outside the organization’s typical offerings. Repeated billing from the same IP address or provider account may also indicate automation or fraudulent activity behind the scenes.

Suspicious Authentication Activity

Unauthorized login attempts can point to compromised credentials. Repeated failed logins or unusually long user sessions may signal bot-based attacks or unauthorized remote access.

Third-Party Platform Vulnerabilities

Be cautious when onboarding new telehealth tools or integrations. Vendors that cannot provide clear compliance documentation or attempt to bypass vetting processes should raise concerns. Unsupported APIs or unpatched tools can also be weak entry points for scammers.

Inconsistent Patient or Provider Data

Scammers often create slightly altered records to evade detection. For instance, discrepancies may occur in patient-reported visits. If the number of visits exceeds the records in an EHR system, this is a sign worth investigating.

This also goes for provider data. Scammers may use generative tools to fabricate a physician's identity, then pose as that doctor to steal or falsify information.

Steps Health Care IT Teams Can Take

IT leaders can take action against the growing threat of telehealth scams by implementing several digital defences.

Implement Multi-Factor Authentication (MFA) and Access Controls

Enforce MFA across all telehealth platforms and patient portals. Limit access based on roles to ensure only authorized personnel can schedule virtual appointments or bill services.

Conduct Regular Security Audits and Log Monitoring

Schedule routine audits of login records, provider activity and claims data. Establish automated alerts to flag anomalies, such as login attempts from unfamiliar devices or sudden changes in billing behaviour. Early detection is critical for halting fraud before it spreads.
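The warning signs listed above (repeated failed logins, unusually long sessions, logins from unfamiliar devices, repeated billing from one IP or provider account, and sudden jumps in billing codes) can each be expressed as a simple check over authentication and claims records. The following is an added example written for this page, not code from the article or from any vendor it mentions; every account, IP address, session, claim and billing code in it is constructed, and codes such as "TH-VISIT" are placeholders rather than real procedure codes.

```python
"""Anomaly checks over constructed telehealth login and claims records.

Added example, not code from the article. All sample data here is
constructed; billing codes such as "TH-VISIT" are placeholders, not
real procedure codes.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, account, source_ip, device_id, outcome)
LOGIN_EVENTS = [
    ("2025-06-01T08:00:00", "dr.smith", "10.0.0.5", "dev-A", "success"),
    ("2025-06-01T08:01:00", "dr.smith", "203.0.113.9", "dev-Z", "failure"),
    ("2025-06-01T08:01:10", "dr.smith", "203.0.113.9", "dev-Z", "failure"),
    ("2025-06-01T08:01:20", "dr.smith", "203.0.113.9", "dev-Z", "failure"),
    ("2025-06-01T08:01:30", "dr.smith", "203.0.113.9", "dev-Z", "failure"),
    ("2025-06-01T08:01:40", "dr.smith", "203.0.113.9", "dev-Z", "failure"),
    ("2025-06-01T08:01:50", "dr.smith", "203.0.113.9", "dev-Z", "success"),
    ("2025-06-01T09:00:00", "nurse.lee", "10.0.0.7", "dev-B", "success"),
]
# Devices each account has enrolled (constructed).
KNOWN_DEVICES = {"dr.smith": {"dev-A"}, "nurse.lee": {"dev-B"}}
# Constructed sessions: (account, start, end)
SESSIONS = [
    ("dr.smith", "2025-06-01T08:02:00", "2025-06-01T23:30:00"),
    ("nurse.lee", "2025-06-01T09:00:00", "2025-06-01T10:00:00"),
]
# Constructed claims: (date, provider_account, submitting_ip, billing_code)
CLAIMS = [
    ("2025-06-02", "prov-101", "10.0.0.5", "TH-VISIT"),
    ("2025-06-02", "prov-101", "10.0.0.5", "TH-VISIT"),
    ("2025-06-02", "prov-102", "198.51.100.4", "TH-FOLLOWUP"),
    ("2025-06-02", "prov-103", "198.51.100.4", "TH-FOLLOWUP"),
    ("2025-06-02", "prov-104", "198.51.100.4", "TH-FOLLOWUP"),
    ("2025-06-03", "prov-105", "198.51.100.4", "TH-UNUSUAL"),
]
# Constructed weekly baseline of claims per code for this organisation.
BASELINE_PER_WEEK = {"TH-VISIT": 10, "TH-FOLLOWUP": 1}

def _ts(text):
    return datetime.fromisoformat(text)

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with at least `threshold` failures inside one sliding window."""
    failures = defaultdict(list)
    for ts, account, _ip, _dev, outcome in events:
        if outcome == "failure":
            failures[account].append(_ts(ts))
    flagged = {}
    for account, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged

def logins_from_unknown_devices(events, known=KNOWN_DEVICES):
    """Successful logins from a device the account never enrolled."""
    return [(acct, dev, ip) for _t, acct, ip, dev, outcome in events
            if outcome == "success" and dev not in known.get(acct, set())]

def long_sessions(sessions, max_hours=8):
    """Sessions longer than a human shift would explain (possible automation)."""
    out = []
    for account, start, end in sessions:
        hours = (_ts(end) - _ts(start)).total_seconds() / 3600
        if hours > max_hours:
            out.append((account, round(hours, 1)))
    return out

def shared_submission_sources(claims, min_accounts=3):
    """IPs that submit claims on behalf of many different provider accounts."""
    accounts_by_ip = defaultdict(set)
    for _date, provider, ip, _code in claims:
        accounts_by_ip[ip].add(provider)
    return {ip: len(accts) for ip, accts in accounts_by_ip.items()
            if len(accts) >= min_accounts}

def billing_code_spikes(claims, baseline=BASELINE_PER_WEEK, factor=3):
    """Codes submitted far above baseline, or outside the known offerings."""
    counts = Counter(code for _d, _p, _ip, code in claims)
    flagged = {}
    for code, n in counts.items():
        if code not in baseline:
            flagged[code] = "code not in baseline offerings"
        elif n >= factor * baseline[code]:
            flagged[code] = f"{n} claims vs baseline {baseline[code]}"
    return flagged

if __name__ == "__main__":
    print(failed_login_bursts(LOGIN_EVENTS))
    print(logins_from_unknown_devices(LOGIN_EVENTS))
    print(long_sessions(SESSIONS))
    print(shared_submission_sources(CLAIMS))
    print(billing_code_spikes(CLAIMS))
```

Each function returns the flagged accounts, IPs or codes rather than printing them, so the same checks can be wired into a SIEM rule or a scheduled audit job; the thresholds (five failures in ten minutes, eight-hour sessions, three accounts per IP, three times baseline) are starting points to tune against the organisation's own history, not fixed values from the article.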

Vet Third-Party Vendors

Before onboarding any telehealth vendor, verify their HIPAA compliance, review their security documentation and conduct vulnerability assessments. Avoid integrations with platforms that lack transparent data handling practices or cannot support routine audits.

Communicate Risks and Best Practices to Patients

Work with clinical and communications teams to educate patients about safe telehealth practices. Create easy-to-understand guides that explain how to verify provider legitimacy and report concerns. Consider hosting security tips directly within patient portals.

Train Staff to Spot Red Flags

Educate clinical and administrative teams on recognizing phishing attempts and unexpected requests for sensitive data. For instance, scammers have previously sold fake at-home COVID-19 test kits in exchange for Medicare or personal information, then fraudulently billed Medicare. Teaching teams to verify sources before disclosing or entering data can prevent similar schemes.

Work With Legal and Compliance Teams

IT, legal and compliance teams should collaborate to maintain policies for responding to suspected breaches. They should also revisit telehealth workflows to ensure all virtual care tools align with regulatory standards and fraud prevention protocols.

Strengthening the Front Lines of Virtual Care

Telehealth has become an important service for patients with access to fewer health care resources. However, it offers various entry points for scammers to commit fraud. With this in mind, health care IT teams must stay alert and watch for the latest tactics in virtual health care scams. By implementing a mix of strategies, they can uphold the integrity of online medical care and maintain proactive defences.

By Zac Amos, ReHack

What NHS Cybersecurity can Learn from the Banking Sector
https://thejournalofmhealth.com/what-nhs-cybersecurity-can-learn-from-the-banking-sector/
Wed, 11 Jun 2025 06:00:08 +0000

They say our most valuable assets are our health and wealth. But while the banking sector has invested heavily in protecting financial data, the healthcare industry still faces challenges in safeguarding medical information. As the NHS introduces new technologies and digital capabilities as part of the Plan for Change, there is an opportunity to draw lessons from industries that have been forced to adapt quickly to cyber threats.

Financial services offer a good example. The sector faces huge pressure to protect sensitive data and prevent fraud. Over the past two decades, cybersecurity and operational resilience have been a priority for banking. As physical branches continue to close at a steady rate, with 377 closures currently pencilled in for 2025, banks have become more reliant on online platforms that they must protect.

Meeting the advancing cyber threat

Digital enablement has advanced rapidly because of the high financial risks associated with breaches and customer demand. In response to increased exposure to cyber threats, banks have embraced a proactive cybersecurity model and adopted multi-layered security measures. This includes implementing robust identification, advanced threat protection, and continuous staff training. These measures are not just about securing accounts; they are also about instilling consumer confidence.

The NHS, despite being a single entity, functions as a highly distributed system with many independent organisations and departments operating in different ways. This fragmentation makes standardising cybersecurity far more complex. The cyber threat to UK government is increasingly severe and advancing quickly; successful attacks can have a devastating impact on people’s lives, leading to missed appointments and cancelled procedures.

Healthcare data breaches can be just as, if not more, damaging than financial breaches. Unlike in banking, where fraud can often be reversed, a compromised patient record is irreversible. Yet levels of legacy technology in the NHS remain anywhere from 10% to 70%, elevating cyber risk and increasing vulnerability. Given that 60% of UK citizens worry about cyber-attacks disrupting NHS services, there is both a public expectation and a pressing need for stronger defences. So, what lessons can NHS organisations learn and how can they build cyber resilience?

Bridging the skills gap

A major challenge in both healthcare and banking services is the cybersecurity skills gap. However, banks have proactively addressed this by investing in specialist teams and working closely with technology providers. In contrast, a recent report from the National Audit Office revealed that many government departments, including NHS organisations, struggle to attract and retain cyber talent due to limited salaries and restrictive civil service recruitment processes.

While the NHS’ primary mission is to provide healthcare, cybersecurity is now a fundamental pillar of patient safety. Expecting NHS staff, who are not IT specialists, to manage increasingly complex cyber threats is neither practical nor sustainable. Instead, outsourcing to cybersecurity experts and forming strategic partnerships with technology partners will be crucial. These technology partners have the resources, expertise, and continuous threat intelligence to stay ahead of emerging cyber risks, ensuring that NHS systems remain protected.

Lessons in identification, monitoring and testing

To strengthen cybersecurity resilience, NHS organisations must take a structured and proactive approach, as the banking sector has done. An important first step is understanding what needs protection. This begins with comprehensive asset identification, mapping out critical systems, patient records, medical devices, and IT infrastructure. Once identified, a thorough risk assessment should follow to highlight vulnerabilities, whether that’s ransomware, phishing, or insider threats. Without this foundation, cybersecurity measures risk being reactive rather than strategic.

The banking sector prioritises protection through multi-layered security measures that combine technology, policy, and human vigilance. The NHS must adopt the same mindset. Advanced endpoint security, encryption, and AI-driven threat detection should work together with robust access controls and network segmentation to limit the spread of attacks. Real-time monitoring is another essential layer. Security Information and Event Management (SIEM) tools can be deployed to detect and analyse suspicious activity before it escalates. Automated alerting, anomaly detection, and well-defined incident response protocols ensure that breaches are identified and contained swiftly.

Cyber threats evolve constantly, and regular testing is key to maintaining resilience. Healthcare organisations should conduct penetration testing at least twice a year to uncover system weaknesses, alongside IT health checks to assess overall cybersecurity readiness. Process audits must ensure compliance with industry best practices, including NCSC guidelines, ITIL, and ISO 27001 standards.

A sense of urgency

Ultimately, cybersecurity can’t be an afterthought. As the highly anticipated 10-year plan looks to expedite the NHS from analogue to digital, the pace of transformation won’t slow down. With electronic patient records, remote patient monitoring, and AI-driven diagnostics becoming the norm, the NHS’s cyber exposure is only set to increase. Just as we trust banks to protect our money, we must ensure the NHS is equally equipped to protect our health data.

As the banking sector has embedded cybersecurity into its culture, the NHS must prioritise a security-first mindset at every level, from frontline healthcare staff to IT teams and leadership. By taking a structured, multi-layered, and continuously evolving approach, NHS Trusts can safeguard patient data, maintain public confidence, and ensure the resilience of digital healthcare systems.

By Afshin Attari, Senior Director of Public Sector & Unified Platforms at Exponential-e

Why Healthcare Remains a Prime Target for Cybercrime and what IT Leaders can do about it
https://thejournalofmhealth.com/why-healthcare-remains-a-prime-target-for-cybercrime-and-what-it-leaders-can-do-about-it/
Fri, 06 Jun 2025 06:00:43 +0000

Cyberattacks have been on a steady increase over the past few years, with the healthcare sector emerging as a particularly lucrative target for bad actors. These compromises are not only happening at huge financial cost to the UK’s healthcare institutions, but leaders in the healthcare sector are also tasked with addressing the human cost of security breaches, which often cause widespread disruption to care and place patients at risk.

Yet, healthcare providers continue to operate under tight budget constraints and limited personnel, without adequate resources to tackle the exploding cybercrime threat landscape. And as innovations develop at pace in the industry, from wearable health devices to telemedicine, IT managers are dealing with an ever-increasing number of endpoints.

From large healthcare systems to primary care practices, IT teams are often small, with one technician managing thousands of endpoints. Keeping track of so many endpoints across the network can pose challenges when it comes to patching, creating compliance and security problems. Adding to this, healthcare remains a highly distributed sector, with employees and IT assets often scattered across different estates, offices, and buildings.

Once attackers gain access to personal medical information, they can manipulate the data, cause operational disruption, and ultimately undermine public trust within an organisation. Thankfully, there are tools available for healthcare networks to reduce their attack surface and improve their ability to prevent, detect, and respond to cybercrime attacks.

Employees: the first line of defence 

The UK Cybersecurity breaches survey, published in April this year, recently revealed phishing as the most prevalent type of cybercrime in the UK. And, as AI and LLMs become widely adopted across organisations and more accessible, these attacks have become increasingly difficult to spot. With 88% of data breaches caused by human error, healthcare institutions must view their employees as the first line of defence against threat actors.

Comprehensive security awareness training and education are fundamental for healthcare professionals to identify phishing attacks in the first instance. Everyone – from clinicians to administrative staff to IT admins – must develop the skills to spot, avoid, and report common tactics used by threat actors. In training sessions, it can be useful to conduct phishing email simulations, so employees can gain real-life experience of what a suspicious email might look or sound like.

Training is a fundamental step towards building a culture of security and reducing healthcare cybercrime. Alongside increased employee education around phishing, IT teams can consider limiting user access to the absolute minimum. This reduces the negative impact of a bad actor, should they assume the identity of a legitimate user.

Back to Basics

Patching is a vital security tool for IT managers looking to safeguard sensitive patient information. Out-of-date operating systems and applications can leave doors open for intrusion or exploits. According to the Ponemon Institute, most data breaches (57%) can be directly attributed to attackers exploiting a known vulnerability that hadn’t been patched. To simplify system updates, healthcare institutions can consider patch management tools to automate numerous updates across all their machines. Processes such as patch auditing also make it easier to identify any failed or pending patches and continue monitoring for any incompatibility or performance issues to keep systems secure.

To limit the damage of a successful attack, security and IT teams should also maintain a robust backup system to prevent loss of cloud and endpoint data. This will ensure continued access to critical information in the face of system compromise and ransomware attempts. By backing up their data and monitoring endpoint activity, healthcare institutions can better protect themselves and keep disruption to patient care to a minimum.

A solution like automated endpoint management gives IT teams all of this in one central source of truth, providing visibility over the full network in a single pane of glass, displaying maintenance and updates, security and backups, and most critically, a view of all endpoints which could pose a possible risk. This also allows IT teams to automate processes such as patching and endpoint hardening without having to manually access machines, in turn, simplifying operations and alleviating the pressures of limited access to skills, resources, and budget.

The road ahead for cybercrime in healthcare

Whilst necessary to improve the speed and availability of diagnosis and treatment, the increasing number of endpoints in healthcare can also open more attack vectors for those looking to compromise or abuse the systems assisting in care provision. The stakes remain incredibly high. Cyber incidents not only result in huge fines for the responsible parties but can also erode public trust in the sector and put people’s data, and even lives, at risk.

For healthcare IT teams, ensuring endpoint security, reducing instances of cybercrime, and creating frictionless patient-provider relationships are non-negotiable. But effectively managing shared endpoints spread across buildings and sites, while supporting providers and staff at scale with limited resources, is no mean feat.

IT managers can lean on solutions like automated endpoint management to free themselves from manual monitoring and threat response across thousands of endpoints. These systems make it possible to detect anomalies, implement fixes, and maintain security protocols automatically. They enable IT managers to focus on what matters most: empowering healthcare providers to provide exceptional care for their patients.

By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne

Can Blockchain Restore Trust in Healthcare? A Look at Security, Scalability & Data Integrity
https://thejournalofmhealth.com/can-blockchain-restore-trust-in-healthcare-a-look-at-security-scalability-data-integrity/
Wed, 02 Apr 2025 06:00:25 +0000

The NHS is no stranger to digital transformation, but with progress comes challenges. Siloed patient data and fragmented IT systems make it difficult for healthcare providers to deliver efficient, personalised treatment plans. And while modernisation efforts aim to fix these issues, they also introduce new concerns—especially around data security and interoperability. So, how do we make sure digital health systems stay secure and efficient as healthcare networks grow? With these expanding concerns, healthcare leaders are searching for a better way to manage data securely and efficiently. Blockchain technology presents a compelling healthcare security solution.

It provides a secure, scalable way to manage patient records, streamline medical research, and enhance data security across the healthcare ecosystem. Crucially, blockchain enables a unified system where patient records can move seamlessly across providers, across continents, ensuring a continuity of care wherever the patient is located. By offering an immutable and interoperable ledger, blockchain enables healthcare stakeholders—from physicians to researchers and pharmaceutical companies—to trust the accuracy and security of their data while maintaining compliance with industry standards.

Protecting and Empowering Patient Health Data

Cyberattacks on healthcare systems are becoming more frequent, directly impacting patient safety and trust. Last year, the NHS faced multiple cyberattacks, including those affecting NHS Dumfries and Galloway and Synnovis, disrupting essential services. Many healthcare providers still rely on outdated, fragmented storage systems, making them more vulnerable to breaches. Blockchain technology offers a much-needed alternative, acting as a secure, time-stamped log of all interactions with sensitive data that makes it easier to track changes and prevent tampering. Companies like BSV Blockchain are already leading the charge in applying blockchain to healthcare, ensuring secure solutions that provide greater control and security over vaccination records and other verified health data.

At the same time, patients deserve greater control over their own medical data. Blockchain allows them to set access permissions for their records, ensuring only authorised providers can view specific information. By eliminating third-party data custodians, blockchain restores trust in patient privacy and enables seamless, secure data sharing across healthcare platforms.

Patients can even grant temporary access to their records when needed, keeping control over who sees their data. This feature enhances interoperability within healthcare systems while ensuring that personal information remains protected. Additionally, blockchain’s scalability enables hospital networks to manage vast amounts of medical records efficiently and cost-effectively.

Accelerating Medical Research

Medical research thrives on data, but too often, that data is scattered and inaccessible. Scientific literature, clinical trial data, and genetic research are typically siloed, making collaboration difficult and slowing the pace of innovation. Blockchain simplifies this by enabling real-time data aggregation and secure sharing, all while preserving patient privacy.

Blockchain simplifies research agreements—like those between hospitals and pharmaceutical companies for clinical trials—by securely recording and automating them. This reduces paperwork, speeds up approvals, and makes collaboration between institutions more seamless. Researchers can gain access to verified datasets without compromising data integrity or patient confidentiality. This means faster breakthroughs, smoother trials, and life-saving treatments getting to patients more quickly.

Managing the Medicine Supply Chain

Beyond securing patient records and advancing research, blockchain is also making a tangible impact in pharmaceutical safety and supply chain management. Counterfeit medicines pose a serious risk to patient safety. In fact, a study from The Pharmaceutical Journal found that around 15,500 falsified medicine packs were identified in the UK’s authorised medicines supply chain over just two years. Ensuring the authenticity and traceability of medical products is crucial for manufacturers, healthcare providers, and patients alike.

Blockchain enhances supply chain security by creating a permanent record of every transaction, from raw material sourcing to distribution. Each medicine can be assigned a unique, time-stamped identifier, allowing healthcare professionals to verify its authenticity before administration. This level of traceability helps manufacturers and distributors maintain accountability while keeping counterfeit drugs out of the market.
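The tamper-evident property this article attributes to blockchain, both for the "time-stamped log of all interactions with sensitive data" and for the per-pack custody record in the supply chain, rests on hash chaining: each entry commits to the hash of the one before it, so a retroactive edit breaks every link after it. The block below is an added example written for this page, not code from the article, from BSV Blockchain or from any product; it is a plain SHA-256 hash chain with no consensus, distribution or signatures, and the actors, pack ids and timestamps are constructed. It also shows one caveat a practitioner should know: a bare chain cannot tell that trailing entries were deleted unless the latest head hash is recorded somewhere else and checked against.

```python
"""Tamper-evident, hash-chained custody log for a medicine pack.

Added example, not code from the article or from BSV Blockchain: a plain
SHA-256 hash chain with no consensus or distribution, enough to show the
"time-stamped log that prevents tampering" property the article describes.
Actors, pack ids and timestamps are constructed.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # previous-hash value used by the first entry

def _entry_hash(body):
    # Canonical JSON so identical content always hashes identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

def append_entry(chain, timestamp, actor, action, subject):
    """Append one custody event, linking it to the previous entry's hash."""
    body = {
        "index": len(chain),
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "subject": subject,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    entry = dict(body, hash=_entry_hash(body))
    chain.append(entry)
    return entry

def verify_chain(chain, expected_head=None):
    """Return (ok, first_bad_index), recomputing every hash and link.

    A bare hash chain cannot detect that trailing entries were deleted, so
    callers should also pass the head hash they last recorded elsewhere.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("index") != i or body.get("prev_hash") != prev
                or entry.get("hash") != _entry_hash(body)):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

def trace_subject(chain, subject):
    """Custody history of one item, in recorded order."""
    return [(e["timestamp"], e["actor"], e["action"])
            for e in chain if e["subject"] == subject]

def build_sample_chain():
    """Three constructed custody events for one constructed pack id."""
    chain = []
    append_entry(chain, "2025-01-10T09:00:00Z", "manufacturer-acme", "produced", "pack-0001")
    append_entry(chain, "2025-01-12T14:30:00Z", "distributor-beta", "received", "pack-0001")
    append_entry(chain, "2025-01-20T11:15:00Z", "pharmacy-gamma", "dispensed", "pack-0001")
    return chain

def tampered_chain():
    """Retroactively edit entry 1; its stored hash no longer matches."""
    chain = build_sample_chain()
    chain[1]["actor"] = "unknown-party"
    return chain

def truncated_chain():
    """Drop the last entry; only an externally recorded head hash reveals it."""
    return build_sample_chain()[:-1]

if __name__ == "__main__":
    good = build_sample_chain()
    print(verify_chain(good))                                   # (True, None)
    print(verify_chain(tampered_chain()))                       # (False, 1)
    print(verify_chain(truncated_chain()))                      # (True, None)
    print(verify_chain(truncated_chain(), good[-1]["hash"]))    # (False, 2)
    print(trace_subject(good, "pack-0001"))
```

The `expected_head` argument is the part that matters operationally: whoever verifies the log needs an independently held copy of the most recent hash (in a real deployment that is what replication or publication of the chain provides), otherwise an attacker who controls the storage can simply roll the log back to an earlier consistent state.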

The Future of Healthcare Security with Blockchain

Blockchain technology is already making healthcare more secure, scalable, and interoperable. By ensuring real-time, trusted data access for providers, researchers, and patients, it has the potential to redefine digital healthcare infrastructure. As cyber threats and data privacy concerns grow, the need for robust, blockchain-based solutions is more urgent than ever.

For healthcare professionals and organisations looking to enhance security, streamline research, and improve patient experiences, blockchain offers a proven and scalable solution. Now is the time to explore its potential and lead the next wave of digital healthcare transformation.

By Calvin Ayre, Founder at Ayre Group

Why the HIPAA Auditing Process is Broken
https://thejournalofmhealth.com/why-the-hipaa-auditing-process-is-broken/
Fri, 28 Mar 2025 06:00:42 +0000

The shift to digital systems in healthcare has opened new avenues for improving patient care – from AI-powered diagnostics to remote monitoring. At the same time, this digital evolution has expanded the surface of cyber threats. As sensitive patient information flows through more platforms and devices, protecting that data has become an increasingly complex challenge.

However, federal oversight is failing to keep pace with the escalating risks. A recent report revealed that the Health and Human Services (HHS) Office for Civil Rights (OCR) examined just 8 of 180 HIPAA requirements during audits, leaving critical gaps that expose healthcare organizations to compliance failures and serious data breaches.

In this high-risk environment, hospitals and healthcare providers can’t afford to wait for stricter enforcement – they must take matters into their own hands to secure patient data before the next breach occurs. Because, as any cybersecurity professional will tell you, it’s not a question of if a breach will happen, but when.

Balancing patient care with cybersecurity

Healthcare organizations face a delicate challenge: maintaining fast, efficient patient care while upholding rigorous cybersecurity standards. In high-pressure environments, healthcare workers often sidestep security protocols – whether by sharing passwords, reusing weak ones, or bypassing encryption – to save time. These shortcuts, while expedient in the moment, introduce critical vulnerabilities that cybercriminals can exploit.

The consequences of neglecting cybersecurity extend beyond compliance violations. A breach can disrupt hospital operations, compromise patient safety, and erode trust in the healthcare system. From delayed treatments to the exposure of sensitive patient records, these incidents have far-reaching effects that demand proactive measures to protect critical data.

Successfully balancing patient care with cybersecurity requires organizations to design systems that align with the realities of healthcare workflows. For example, requiring frequent password changes or complex authentication processes without considering the urgent nature of patient care may lead staff to prioritize speed over security. To address this, organizations should focus on implementing user-friendly tools, such as single sign-on systems and biometric authentication, which streamline access without compromising data protection.

Emerging threats

The landscape of healthcare cybersecurity is evolving rapidly, with emerging threats adding new layers of complexity. Cybercriminals are increasingly leveraging sophisticated tactics, such as AI-driven phishing campaigns and ransomware-as-a-service (RaaS), to exploit vulnerabilities in healthcare systems.

AI-driven phishing campaigns are particularly concerning. These attacks use machine learning to craft highly personalized and convincing emails, making them harder to detect. For instance, attackers might reference a specific patient case or use internal jargon to trick staff into divulging sensitive information. The success of these campaigns underscores the need for advanced email filtering tools and continuous staff training to identify and report suspicious activity.

Ransomware-as-a-service has also lowered the barrier for entry for cybercriminals, allowing less technically skilled individuals to execute high-impact attacks. Healthcare organizations are prime targets due to the critical nature of their services, which makes them more likely to pay ransoms to restore operations. These attacks can paralyze hospital systems, delay treatments, and compromise patient safety.

Another growing concern is the Internet of Medical Things (IoMT). Devices like smart monitors, infusion pumps, and wearable health trackers are increasingly connected to healthcare networks. While these devices improve patient care, they also expand the attack surface, providing cybercriminals with more entry points. Many IoMT devices lack robust security features, making them vulnerable to exploitation.

Reducing risk

To address persistent cybersecurity challenges in healthcare, organizations must adopt a proactive approach that balances security and operational efficiency. Implementing role-based access controls is a crucial step. This measure ensures employees can only access the data necessary for their specific tasks, limiting exposure to sensitive information and reducing the risk of breaches.
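Role-based access control of the kind described here (and in the telehealth article above, which wants only authorized personnel able to schedule virtual appointments or bill services) comes down to a deny-by-default policy: a request is allowed only if some role the user holds grants exactly that action on that resource, and every denial is logged so monitoring can see probing. The block below is an added example written for this page, not code from either article; the roles, users and resource/action names are constructed. Its separation-of-duties check goes beyond what the articles state: it flags any user whose combined roles can both schedule visits and submit claims, the combination that phantom-billing schemes rely on.

```python
"""Deny-by-default role-based access control for telehealth operations.

Added example, not the article's own code. Roles, users and the
resource/action names are constructed. The separation-of-duties check
goes beyond the article: it flags users who can both schedule visits
and submit claims.
"""
from collections import namedtuple

Decision = namedtuple("Decision", "allowed reason")

# Each role lists the (resource, action) pairs it grants; nothing else is allowed.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "write"),
                  ("visit", "schedule")},
    "scheduler": {("visit", "schedule"), ("patient_record", "read_demographics")},
    "billing":   {("visit", "read"), ("claim", "submit")},
    "auditor":   {("claim", "read"), ("audit_log", "read")},
}
# Constructed users; "temp.admin" deliberately holds a risky role combination.
USER_ROLES = {
    "dr.smith":   {"clinician"},
    "front.desk": {"scheduler"},
    "ar.clerk":   {"billing"},
    "compliance": {"auditor"},
    "temp.admin": {"scheduler", "billing"},
}

def authorize(user, resource, action, roles=USER_ROLES,
              perms=ROLE_PERMISSIONS, denied_log=None):
    """Allow only if a role held by the user grants exactly (resource, action)."""
    for role in sorted(roles.get(user, ())):
        if (resource, action) in perms.get(role, ()):
            return Decision(True, f"role '{role}' grants {action} on {resource}")
    if denied_log is not None:
        denied_log.append((user, resource, action))  # feed denials to monitoring
    return Decision(False, "no assigned role grants this action")

def effective_permissions(user, roles=USER_ROLES, perms=ROLE_PERMISSIONS):
    """Union of everything the user's roles grant."""
    out = set()
    for role in roles.get(user, ()):
        out |= perms.get(role, set())
    return out

def separation_of_duties_violations(roles=USER_ROLES, perms=ROLE_PERMISSIONS,
                                    conflicting=(("visit", "schedule"),
                                                 ("claim", "submit"))):
    """Users whose combined roles grant every pair in `conflicting`."""
    needed = set(conflicting)
    return sorted(u for u in roles if needed <= effective_permissions(u, roles, perms))

if __name__ == "__main__":
    denied = []
    print(authorize("dr.smith", "patient_record", "write", denied_log=denied))
    print(authorize("front.desk", "patient_record", "read", denied_log=denied))
    print("denied:", denied)
    print("SoD violations:", separation_of_duties_violations())
```

Running the separation-of-duties check whenever roles are assigned, rather than only at audit time, is what stops a temporary or emergency role grant from quietly creating an account that can both book and bill a visit.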

Tailored security training is another essential strategy. Programs should address the unique demands of healthcare environments, teaching staff how to identify phishing attempts and handle patient data securely under real-world conditions.

Fostering a culture of vigilance is equally critical. When patient data is treated as a valuable asset, employees are more likely to scrutinize requests for access and take necessary precautions. Simple practices, such as verifying unusual requests or questioning unfamiliar access attempts, help prevent lapses that could otherwise compromise sensitive information.

Additional measures

Healthcare professionals can further reduce cybersecurity risks by adopting the principle of “trust, but verify.” If a staff member receives an unusual request – particularly one asking for access to sensitive data – following up to confirm its legitimacy can prevent costly mistakes. A quick phone call or double-check can thwart social engineering attacks, where cybercriminals impersonate trusted individuals to manipulate staff.

Leadership roles, often prime targets for cybercriminals, require additional security layers. Advanced email filtering, multi-factor authentication, and other protective measures can reduce risks for executives and senior staff, safeguarding both individuals and the organization as a whole.

Final thoughts

The digital transformation of healthcare offers immense benefits but also exposes patient data to significant cybersecurity risks. With limited federal oversight and persistent enforcement gaps, healthcare organizations must take the lead in safeguarding sensitive information. By implementing strong security measures, fostering a culture of vigilance, and embedding cybersecurity into daily operations, they can protect both their operations and patient trust.

By Eva Pittas of Thoropass

The post Why the HIPAA Auditing Process is Broken appeared first on .

Is Health Care Interoperability a Cybersecurity Risk? https://thejournalofmhealth.com/is-health-care-interoperability-a-cybersecurity-risk/ Mon, 24 Mar 2025 06:00:18 +0000 https://thejournalofmhealth.com/?p=13978

Electronic health records (EHRs) are one of countless medical technologies that communicate with each other. The depth of this information enhances the knowledge of industry professionals and boosts care effectiveness. However, that connectivity is as much a drawback as it is a benefit. IT professionals must find ways to balance interoperability with the risks that come with a high number of attack vectors.

What Is Health Care Interoperability and Its Importance?

Health care experts juggle countless technologies simultaneously, including imaging machines, at-home medical devices and patient information software. Interoperability describes their connection to each other. Big data, machines and programs must sync and share information without compromising security. It is essential for quick triage, treatment and recovery.

Without secure systems, a single ransomware attack could compromise the golden hour — the first 60 minutes after a traumatic event — for countless patients in an emergency.

The attack surface is ever-increasing, giving hackers numerous opportunities to exploit a backdoor or vulnerability. Entry into a customer service program could lead cybercriminals into billing software or an artificial intelligence (AI) database. The weak defenses of a sensor-based vitals monitor could threaten a hospital's entire network.

This expansiveness is why some consider the seamless connection between medical devices a threat to patients rather than a boon. Yet interoperability is essential because the information flow from integrations has these impacts on medical systems:

  • Greater convenience
  • Stronger customer service
  • Better access to real-time patient records
  • Boosted accuracy
  • Improved safety
  • Easier collaboration

These risks must motivate more proactive responses from health care IT professionals so that connectivity continues to promote continuity of care and enhance the patient experience.

What Threats Arise Because of Interoperability and Why?

Threat actors compromised 51 million EHRs in 2022. Several global shifts caused the influx, with interoperability being part of the concern. The COVID-19 pandemic introduced a new era of health care with widespread telehealth and remote treatment options. These solutions required medical entities to normalize remote access and make systems as connected as possible. It also encouraged more people to have constant EHR access.

Data collection has also become easier and essential for competitive health care. That made information storage a priority and deepened the need for cloud solutions. Not all cloud providers operate with the same transparency or security credentials, and hackers can readily take advantage of the weakest.

The combination of these factors, among others, created the perfect storm for these common cybersecurity threats in interoperable systems:

  • Social engineering: More people became potential insider threats to secure systems because of increased access.
  • Denial-of-service: Integrations give cybercriminals the choice of what systems they want to overwhelm to create disruptions.
  • Ransomware: Connectivity makes it simpler for hackers to spread malicious code laterally and to exfiltrate data before encrypting it.
  • Phishing: The number of attack vectors gives threat actors more options on where to send campaigns, infecting multiple systems at a time.

How Can Health Care IT Professionals Reduce Risk?

IT staff must act to secure connected systems before hackers get inside.

Remove Silos

Just because technologies and programs are connected does not mean every department uses the same processes to store, transmit and use data.

Complications like cumbersome shadow IT, which is software and hardware that run outside of what’s sanctioned by the company, prevent interoperability from being as secure as it could be. Unauthorized assets can still communicate with the rest, but they might have security oversights, or the third-party provider could stop servicing them. Experts have to ensure procedures across teams use the same digital infrastructure and have the same hygiene habits.
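One practical way to surface shadow IT on a connected clinical network is to reconcile what the DHCP server is actually handing leases to against the sanctioned asset register. The following is an added example written for this article, not code from the author or any vendor. The asset register, segment map and DHCP log lines are constructed, and the hypothetical `reconcile` function flags unknown devices on any non-guest segment as well as sanctioned devices that appear on a segment they are not approved for.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sanctioned asset register (hypothetical CMDB export):
# MAC address -> (hostname, owning team, approved network segment)
SANCTIONED: Dict[str, Tuple[str, str, str]] = {
    "00:1b:63:aa:01:10": ("ct-scanner-01", "radiology", "clinical"),
    "3c:52:82:bb:02:20": ("infusion-pump-14", "biomed", "clinical"),
    "b8:27:eb:cc:03:30": ("ehr-app-01", "it", "servers"),
}

# Constructed mapping of address prefixes to network segments
SEGMENTS = {"10.10.": "clinical", "10.20.": "servers", "10.30.": "guest"}

# Constructed DHCP lease log lines in ISC dhcpd syslog style
LEASES = """\
May 12 09:01:12 dhcp dhcpd: DHCPACK on 10.10.4.21 to 00:1b:63:aa:01:10 (ct-scanner-01) via eth1
May 12 09:03:45 dhcp dhcpd: DHCPACK on 10.10.4.37 to 3c:52:82:bb:02:20 via eth1
May 12 09:05:02 dhcp dhcpd: DHCPACK on 10.10.4.88 to 94:65:2d:dd:04:40 (android-8f2c) via eth1
May 12 09:06:30 dhcp dhcpd: DHCPACK on 10.30.1.15 to f0:9f:c2:ee:05:50 (visitor-laptop) via eth2
May 12 09:07:11 dhcp dhcpd: DHCPACK on 10.30.1.22 to b8:27:eb:cc:03:30 (ehr-app-01) via eth2
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    kind: str      # "unsanctioned" or "wrong_segment"
    detail: str


def segment_for(ip: str) -> str:
    """Map an address to its network segment; 'unknown' if no prefix matches."""
    for prefix, seg in SEGMENTS.items():
        if ip.startswith(prefix):
            return seg
    return "unknown"


def reconcile(lease_text: str, inventory=SANCTIONED) -> List[Finding]:
    """Compare observed DHCP leases with the sanctioned register.

    Unknown MACs on any segment other than guest are shadow IT candidates;
    sanctioned devices on a segment they are not approved for are flagged too.
    """
    findings: List[Finding] = []
    for line in lease_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        ip, mac, name = m["ip"], m["mac"].lower(), m["name"] or "?"
        seg = segment_for(ip)
        if mac not in inventory:
            if seg != "guest":
                findings.append(Finding(mac, ip, "unsanctioned",
                                        f"unknown device '{name}' on {seg} segment"))
            continue
        host, team, approved = inventory[mac]
        if seg != approved:
            findings.append(Finding(mac, ip, "wrong_segment",
                                    f"{host} ({team}) seen on {seg}, approved for {approved}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(LEASES):
        print(f"{f.kind:14} {f.mac} {f.ip:12} {f.detail}")
```

Run against the constructed leases, the Android handset on the clinical segment and the EHR application server that turned up on the guest network are the two findings; the visitor laptop on guest is ignored by design. In practice the register would be pulled from the CMDB and the leases streamed from the DHCP server or from switch MAC tables, but the reconciliation logic is the same.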

Additionally, vendor lock-in with legacy systems often forces hospitals to run outdated software on their most critical devices, such as CT scanners. Organizations should evaluate these partnerships and upgrade or isolate such systems as needed.

Balance Compliance With Proprietary Decision-Making

Health care organizations should draw on established frameworks for preliminary guidance on managing interoperability. However, there are places where frameworks are insufficient. Medical facilities need to invest resources to comply with frameworks like HITRUST CSF and ISO/IEC 27001.

They should also assume responsibility for finding intermediary solutions for an organization’s current risks instead of awaiting legislative orders. Waiting for industry standards to catch up should not be an excuse for neglecting interoperability.

Limit Access and Data

Interoperability allows many endpoints to have a wealth of information from multiple sources. To keep this benefit available for health care professionals to leverage, IT teams must do two things — harness less data and make it harder to access.

Many authorization strategies can defend electronic resources connected to a network. Least-privilege measures ensure only those who need the information can get it. Zero-trust architecture protects interconnected devices at a big-picture level: it authenticates and authorizes every request on its own merits, regardless of where on the network it originates, treating every access attempt as a potential threat. Layering these methods with multifactor authentication and encryption makes them stronger still.
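The combination described above (a role can only do what it is permitted to, patient data is reachable only through a treatment relationship, sensitive categories need a fresh MFA assertion, and emergency access is possible but audited) can be expressed as a single deny-by-default decision function. The block below is an added example for this article, not code from the author or from any EHR product; the roles, resources, MFA window and break-glass rules are hypothetical policy values chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "nurse":     {("vitals", "read"), ("notes", "read"), ("meds", "read")},
    "physician": {("vitals", "read"), ("notes", "read"), ("notes", "write"),
                  ("meds", "read"), ("meds", "write"), ("genetics", "read")},
    "billing":   {("demographics", "read"), ("claims", "read"), ("claims", "write")},
    "device":    {("vitals", "write")},   # e.g. a bedside monitor pushing readings
}

# Resources that belong to an individual patient: need a care relationship (or break-glass)
PATIENT_SCOPED: Set[str] = {"vitals", "notes", "meds", "genetics"}
# Resources that additionally require a recent multifactor assertion
SENSITIVE: Set[str] = {"notes", "meds", "genetics"}
MFA_MAX_AGE_S = 8 * 3600          # constructed policy value
BREAK_GLASS_ROLES = {"nurse", "physician"}


@dataclass
class Request:
    subject: str
    role: str
    patient: str
    resource: str
    action: str
    on_care_team: bool                 # from the treatment-relationship registry
    mfa_age_s: Optional[int] = None    # seconds since last MFA; None = never
    break_glass: bool = False          # explicit emergency override


@dataclass
class Decision:
    allow: bool
    reason: str
    audit: List[str] = field(default_factory=list)


def mfa_fresh(r: Request) -> bool:
    return r.mfa_age_s is not None and r.mfa_age_s <= MFA_MAX_AGE_S


def authorize(r: Request) -> Decision:
    """Deny by default; every allow path names the rule that granted it."""
    if (r.resource, r.action) not in ROLE_PERMISSIONS.get(r.role, set()):
        return Decision(False, f"role '{r.role}' has no '{r.action}' on '{r.resource}'")

    if r.resource in PATIENT_SCOPED and not r.on_care_team:
        if not (r.break_glass and r.role in BREAK_GLASS_ROLES):
            return Decision(False, f"{r.subject} is not on the care team for {r.patient}")
        if not mfa_fresh(r):
            return Decision(False, "break-glass requires a fresh MFA assertion")
        # Emergency access is permitted but leaves a trail for post-hoc review
        return Decision(True, "break-glass",
                        audit=[f"BREAK_GLASS subject={r.subject} patient={r.patient} "
                               f"{r.resource}:{r.action}"])

    if r.resource in SENSITIVE and not mfa_fresh(r):
        return Decision(False, "fresh MFA required for sensitive resource")

    return Decision(True, "permitted")


if __name__ == "__main__":
    d = authorize(Request("dr-lee", "physician", "p-2", "genetics", "read",
                          on_care_team=False, mfa_age_s=60, break_glass=True))
    print(d.allow, d.reason, d.audit)
```

The ordering matters: the role check runs first so that a billing clerk can never reach clinical notes however they authenticate, the relationship check runs before the MFA check so that a strong login on its own never widens the set of patients a clinician can see, and break-glass still demands fresh MFA because an emergency override is exactly the path an attacker with a stolen session would try.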

Data minimization is a principle codified in regulations such as the GDPR (Article 5(1)(c)). It reminds all industries, including health care, that not all data is essential. Medical organizations should phase out collection of irrelevant metrics to reduce the amount of information hackers obtain on victims if they gain entry.

They must also implement regular schedules to delete old data or move it into secure environments outside the interoperable ecosystem. Blockchain-based audit trails have been proposed as a companion to minimization, but any privacy benefit depends on keeping the patient data itself off-chain: an immutable ledger that holds health data cannot honor a deletion schedule.
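Minimization is easiest to enforce at the point where a record leaves the source system for an interoperable partner: each purpose gets an allowlist of fields, identifiers are replaced by keyed pseudonyms where the recipient does not need to know who the patient is, and records past their retention period are flagged for archiving. The following is an added example for this article, not code from the author or from any EHR vendor. The patient record, the per-purpose allowlists, the pseudonym key and the eight-year retention period are all constructed values; real retention schedules depend on record type and jurisdiction.

```python
import hashlib
import hmac
from datetime import date
from typing import Dict, Set

# Constructed patient record carrying more than any single recipient needs
RECORD = {
    "mrn": "MRN-0042917",
    "name": "Jane Example",
    "dob": "1968-03-14",
    "postcode": "SW1A 1AA",
    "phone": "+44 20 7946 0000",
    "diagnosis_codes": ["I10", "E11.9"],
    "genetic_markers": ["BRCA1:neg"],
    "last_visit": "2017-06-02",
    "insurer_id": "INS-88231",
}

# Hypothetical per-purpose allowlists: the only fields each recipient may receive.
# Fields not listed anywhere (postcode, phone, genetic_markers) never leave the source.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "billing":  {"mrn", "name", "dob", "insurer_id", "diagnosis_codes"},
    "pharmacy": {"mrn", "name", "dob", "diagnosis_codes"},
    "research": {"pseudonym", "age_band", "diagnosis_codes"},
}

# Assumption: in production this key lives in a KMS/HSM and is never in source
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(mrn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the identifier: stable across exports, not reversible without the key."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def years_since(iso_date: str, today: date) -> int:
    y, m, d = (int(x) for x in iso_date.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def age_band(dob_iso: str, today: date) -> str:
    lo = (years_since(dob_iso, today) // 10) * 10
    return f"{lo}-{lo + 9}"


def minimize(record: dict, purpose: str, today: date) -> dict:
    """Return only the allowlisted fields for this purpose, adding derived
    (less identifying) fields where the purpose asks for them."""
    allowed = PURPOSE_FIELDS[purpose]          # KeyError for an unknown purpose is deliberate
    derived = {
        "pseudonym": pseudonym(record["mrn"]),
        "age_band": age_band(record["dob"], today),
    }
    out = {k: v for k, v in record.items() if k in allowed}
    out.update({k: v for k, v in derived.items() if k in allowed})
    return out


def retention_due(record: dict, today: date, years: int = 8) -> bool:
    """True when the record has passed its retention period and should be archived
    outside the interoperable systems or deleted; the period is a constructed value."""
    return years_since(record["last_visit"], today) >= years


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for purpose in PURPOSE_FIELDS:
        print(purpose, minimize(RECORD, purpose, today))
    print("retention due:", retention_due(RECORD, today))
```

The research export carries a pseudonym and an age band instead of the MRN and date of birth, and no export carries the phone number, postcode or genetic markers, so a breach of any one downstream system exposes only what that system had a reason to hold. The HMAC is keyed so that a partner who receives the pseudonymised feed cannot rebuild the mapping by hashing candidate identifiers themselves.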

Reframing Health Care Interoperability as a Cybersecurity Asset

Threat actors see interoperability as a benefit to their operations, but the landscape can switch. The medical and IT industries can transform defensive strategies, making interoperability a protective technique instead of a gap. To do this, analysts must curate solutions based on the most prominent threats to interoperable medical technologies and use the connections between software and hardware to make cybersecurity stronger.

By Zac Amos, ReHack

Does HIPAA Need a Cybersecurity Update? https://thejournalofmhealth.com/does-hipaa-need-a-cybersecurity-update/ Mon, 03 Mar 2025 06:00:58 +0000 https://thejournalofmhealth.com/?p=13930

The Health Insurance Portability and Accountability Act (HIPAA) may have significant changes ahead of it. Despite being the medical industry’s primary data privacy regulation, the act has historically left much of its cybersecurity requirements up to interpretation. A recent notice of proposed rulemaking could change that, and it may impact the sector for the better.

Understanding the Proposed HIPAA Security Rule Update

The Department of Health and Human Services (HHS) proposed a HIPAA Security Rule update on December 27, 2024. This rule has remained unchanged since 2013, so the proposal aims to catch regulations up to a decade’s worth of shifts in cybercrime and health care data management.

As is to be expected of the first update in over 10 years, the document is lengthy, spanning nearly 125 pages. In general, though, the revised regulations add specificity to the Security Rule’s standards and definitions, clarify compliance requirements and hold covered entities to a higher cybersecurity standard.

Most notably, the update would require protections like encryption, multifactor authentication (MFA), network segmentation and antimalware software. Similarly, it mandates annual penetration testing, awareness training and compliance audits. Such measures are common in newer government frameworks like the Cybersecurity Maturity Model Certification (CMMC) but have not been strictly mandatory under HIPAA.

Other new requirements include:

  • Regularly updated asset inventories and data maps
  • Formal incident response plans
  • Controls and notifications for ending a former employee’s access permissions
  • Notifications when an entity enacts its contingency plans
  • Considerations for third-party risks

Why HIPAA Needs Updated Cybersecurity Regulations

The extensive proposed update to the HIPAA Security Rule is an important shift. In many ways, the regulation is overdue for a change due to several key trends since its last revision.

Rising Cybercrime in Health Care

The most apparent reason why HIPAA needs a cybersecurity update is because cybercrime has skyrocketed. In the 10 years since regulators implemented the last Security Rule version, the health care sector has become a favorite target of cybercriminals.

In 2023, health care data breaches averaged $10.92 million in losses per incident, more than any other industry. Those costs do not tell the whole story, either. Hacking, ransomware and other security events can disrupt critical patient services, leaving people without access to the care they need.

Before this proposed update, HIPAA’s Security Rule did not reflect appropriate urgency relative to such attack trends. As cybercriminals’ techniques advance and target hospitals with rising frequency, tighter cybersecurity controls are essential.

Lack of Specificity in Current Rules

HIPAA also needs additional clarity within its Security Rule. The current revision leaves too much to interpretation to be a reliable standard in today’s cybersecurity environment.

As it stands today, HIPAA does not explicitly require encryption of protected health information: in the current Security Rule, encryption is an "addressable" implementation specification, meaning a covered entity may document why it is not reasonable and appropriate and adopt an alternative measure instead. While the rule says covered entities must maintain "reasonable safeguards" to keep patient information confidential, it does not specify what those safeguards are. Many other parts of the Security Rule are similarly vague, which leaves too much room for improper protections.

While a regulator or court would likely find that failing to implement encryption breaches the Security Rule, the regulation should be more specific upfront. The explicit standards in the proposed update would clarify expectations before covered entities experience a breach. The requirements could then protect patient data before an event, not only in post-breach litigation.

Outdated Regulations

Similarly, the existing version of the HIPAA Security Rule needs modernization. Cybercrime methods and technologies have advanced considerably over the past decade. As such, regulations need to address the threats and appropriate protections that are now prominent.

The proposed mandates for MFA, network segmentation and penetration testing are prime examples. All are standard defenses today — just 17% of security leaders in 2024 said they never pen test — but HIPAA does not yet require any of them. Consequently, medical organizations could technically be HIPAA-compliant but fall far below acceptable modern cybersecurity standards.

Requiring covered entities to implement newer defense strategies will help keep the industry up with changing cybersecurity trends. Cybercrime shifts quickly, so relevant regulations should likewise be adaptable.

Remaining Challenges to the Updated Rule

As important as an updated HIPAA Security Rule is, the proposal faces a few challenges. The medical sector and its regulators must consider these obstacles as they seek to modernize cybersecurity standards.

Implementation Costs

One significant barrier to the proposed update is how much it would cost to implement. Because the new rules cover much more and are far more specific, complying with them likely means investing in many technologies covered entities have not yet adopted. Such a transition could be prohibitively expensive in some cases.

Small and medium-sized enterprises would find it the hardest to comply. However, they may also need the additional protections the most, as attacks against them have risen by 150% in recent years. This situation leaves regulators in a difficult position of balancing appropriate security measures with making such protection accessible.

Administrative Roadblocks

The proposed update may also encounter resistance from lawmakers before it can go into effect. President Trump has already temporarily halted all rulemaking processes and has expressed interest in rolling back many of the government’s stricter regulations. It’s unclear if such a change would come to HIPAA, but the possibility may call the future of the proposal into question.

Executive administration aside, the update will likely go through at least one round of revisions before taking effect. Covered entities should not act before regulators establish a final rule, so attention to the ongoing revision process is necessary.

It’s Time for HIPAA to Evolve

While several roadblocks remain, the HIPAA Security Rule needs updating. The proposed changes — or a shift like them — are a necessary step forward to ensure regulations reflect the current threat environment.

Regardless of what happens on a regulatory level, health care businesses should consider how their security posture may need to evolve. Cybercrime is growing and transforming, so cybersecurity must do the same.

By Zac Amos, ReHack

Addressing Data Protection and Security Effectively Within Healthcare https://thejournalofmhealth.com/addressing-data-protection-and-security-effectively-within-healthcare/ Thu, 06 Feb 2025 06:00:18 +0000 https://thejournalofmhealth.com/?p=13911

The healthcare industry is one of the most critically important sectors of society, deeply intertwined with individual and public well-being. It serves as a cornerstone of support during vulnerable moments, offering care and hope. However, when data breaches occur, the focus often shifts to organisational penalties, reputational damage or operational disruptions, overshadowing the profound consequences for individuals. Nowhere is this more significant than in healthcare, where the exposure of confidential patient information can lead to devastating emotional impacts. Patients may feel a profound sense of betrayal, fear, and loss of control over their most intimate details, undermining trust in the very systems meant to protect and care for them. As a result, addressing data protection and security effectively within healthcare has become a critical challenge.

State of UK Healthcare at Present

The UK healthcare sector has experienced its fair share of high-profile cyberattacks involving data breaches, leading to significant operational disruptions and compromising patient care. The most notable was the WannaCry ransomware attack in May 2017, which affected over 60 NHS trusts. The incident led to the cancellation of appointments and surgeries, and worldwide the worm infected more than 200,000 computer systems across 150 countries while encrypting data. More recently, in June 2024, pathology provider Synnovis was hit by a ransomware attack that forced several London hospitals to cancel services and surgeries, with the hacking group publishing the personal data of patients – including NHS numbers, names and test codes. This is just the tip of the iceberg and demonstrates the real-life impact on hospitals, their ability to deliver patient care and the victims who have their confidential patient information leaked – which can cause emotional distress and lead to fraud.

A key focus for many threat actors who target the healthcare industry is to extract the confidential patient information held within these institutions. This includes medical histories, diagnoses, treatment plans, and genetic information – all of which can be sold on the dark web or held for ransom for millions. In fact, according to Verizon’s 2024 Data Breach Investigations Report, the healthcare industry is one of the most targeted industries for cyberattacks and data breaches, with 98% of cybercriminals’ motives being financially driven. Unauthorised access or misuse of this data can severely impact patients and lead to personal embarrassment, discrimination, fraud or even psychological harm.

Data Protection Requires Compliance

The UK has robust data protection laws and frameworks that are designed to protect sensitive health information and ensure its ethical and lawful use. These include the UK GDPR and the Data Protection Act 2018, which define health data as special category data requiring additional safeguards for its processing and security. The EU's NIS2 directive aligns with these laws in mandating robust risk management measures to protect patient data from breaches, unauthorised access and other cyber threats. Note that NIS2 applies to EU member states; UK organisations fall instead under the NIS Regulations 2018, so NIS2's provisions matter most to UK providers that operate in or supply the EU.

Addressing these data protection requirements goes beyond ensuring regulatory compliance – it is key to building patient trust, driving sustainable improvements in care delivery, and fostering continued innovation in medical technology and healthcare services. A clear example of such innovation is the use of AI within the healthcare industry which is driving advancements in diagnosis, treatment, and efficiency. It is enabling earlier and more accurate detection of diseases through predictive analysis and medical imaging which is having positive patient outcomes.

In general, this presents a complex set of data protection challenges for healthcare providers to navigate. These challenges arise not only from the diverse nature of data processing activities, such as patient care, research, and administrative functions but also from the intricate relationships with partner organisations, suppliers, and third-party service providers. With AI, issues around transparency, establishing an appropriate lawful basis, and sharing of such data with third parties or various other health services come into question.

Moreover, non-compliance with these regulations and frameworks can result in severe consequences for healthcare institutions, including substantial financial penalties, legal action and reputational damage. The harshest fines for UK GDPR breaches can reach £17.5 million or 4% of annual turnover, yet the largest fine issued in the UK healthcare sector to date was €90,334, levied by the ICO on The Tavistock & Portman NHS Foundation Trust. Under NIS2, an organisation classified as an 'important entity' faces maximum penalties of €7,000,000 or 1.4% of annual global revenue, whichever is greater; for 'essential entities', the fine can reach €10,000,000 or 2% of global annual revenue, again whichever is greater. The NHS specifically has its Code of Confidentiality, which guides NHS organisations on handling patient information, and the Data Security and Protection Toolkit, which helps healthcare organisations review and improve their data security practices.

Operational disruptions, increased oversight and costly remediation measures can further impair service delivery and patient care. Failure to comply erodes trust among patients and partners, risks disqualification from contracts, and stifles innovation. Ultimately, robust data protection and cybersecurity are essential to maintaining patient safety, trust, and institutional resilience.

Outsourcing a DPO is an Option

Responsibility for ensuring data protection compliance typically falls on the shoulders of the Data Protection Officer (DPO) but because there is a shortage of skills within the data protection industry, finding a DPO that has the relevant experience or qualifications is a challenge in itself. Often, security professionals within the company, like the CISO, or Heads of Security, Legal or IT may include DPO responsibilities within their job roles, but this would generally be considered a conflict of interest (and therefore non-compliant). This is because, even if a DPO is recruited in-house, they may struggle to maintain independence from other business functions. There may also be budgetary restrictions in place – an issue well documented within the healthcare sector – where hiring a dedicated DPO will be difficult. As an alternative solution, it is recommended organisations obtain the DPO expertise through consultancy or DPO as a Service which can be full-time or on a part-time basis, according to demand.

DPO as a Service is a structured approach to enhancing data protection and compliance. It uses assistance and expertise from certified data protection experts to help the organisation review and prioritise its data protection goals. These experts can also help the business stay compliant with the law by offering guidance and overseeing adherence, playing a crucial role in the success of the data protection programme. The outcome is a thorough, cost-efficient, and fully accountable service that ensures compliance with all relevant policies, procedures, and legal obligations.

With the real threat of suffering a cyberattack, having a DPO – whether in-house or outsourced – is essential for healthcare organisations due to the sensitive nature of the data they handle. The industry has several regulations and laws that require compliance and address the need to safeguard patient personal data and mitigate the impact of suffering a data breach. By having a dedicated expert focused on data protection, healthcare institutions can build trust with patients, avoid legal penalties, and ensure the integrity and confidentiality of patient information. Thankfully, there are options available to those who don’t already have a dedicated DPO in place.

By Chris Linnell, Associate Director – Data Privacy at Bridewell

Countering the Rise of Email Threats Against Healthcare https://thejournalofmhealth.com/countering-the-rise-of-email-threats-against-healthcare/ Tue, 03 Dec 2024 06:00:00 +0000 https://thejournalofmhealth.com/?p=13709

The healthcare industry has always been an attractive target for cybercriminals – a treasure trove of sensitive information that can be exploited for financial gain. But recently, attacks on this sector have been mounting – especially attacks delivered through email. In fact, we have seen an alarming 37% increase in phishing targeting healthcare in the last 12 months alone. The sector is uniquely vulnerable to email attack tactics, and at the same time, criminal groups are adopting increasingly sophisticated techniques that enable them to evade traditional email defences.

Healthcare providers must urgently review and update their email security strategies to protect patients and personnel from the rising tide of malicious emails.

Why healthcare is a prime target

While phishing is a common threat to most sectors, healthcare has become a favourite target. The industry’s extensive store of medical records makes for a very lucrative prize – in fact, research indicates that a single record can fetch up to 20 times the price of credit card data on the dark web. Medical records are stuffed with personally identifiable information (PII) that can be used to fuel further malicious activity, and much of this data is permanent, giving it a long shelf life.

The sector is also highly vulnerable to ransom and blackmail tactics. Criminal gangs will routinely threaten to leak sensitive medical records online unless the target organisation pays up. Disrupting essential healthcare services can have disastrous consequences for patients’ wellbeing and cybercriminals know that desperate organisations will pay a hefty ransom to halt an active attack.

Healthcare providers are also seen as something of an easy target – one that often struggles to find the budget and resources to keep their IT and security systems up-to-date. Healthcare’s vast ecosystem of third-party vendors also presents significant vulnerabilities, expanding the number of entry points criminals can exploit.

The impact of attacks on the healthcare sector has been demonstrated in multiple recent incidents including the Synnovis breach, which caused the cancellation of thousands of appointments, and the massive data breach suffered by NHS Scotland.

Why high staff turnover is an overlooked weak link

Alongside technical issues, the sector is particularly vulnerable to social engineering tactics like phishing due to its high rate of employee turnover.

Frequent onboarding of new staff means that many are unfamiliar with internal security protocols and communication patterns, making it easier for cybercriminals to carry out impersonation attacks. This also means employees are less likely to know their colleagues personally, making it harder to spot the impersonation tactics widely used in phishing.

Compounding this, healthcare professionals operate in high-pressure, fast-paced environments. When workloads are heavy and time is scarce, staff are more likely to open and act on emails without scrutinising them carefully.

The rise of sophisticated Vendor Email Compromise (VEC)

Most healthcare providers operate within vast and complex supply chain webs, with large numbers of third-party vendors, contractors, and others requiring regular access to IT systems. This leaves the healthcare industry highly exposed to an increasingly popular tactic known as Vendor Email Compromise (VEC).

Unlike traditional phishing, where attackers impersonate internal employees, VEC targets trusted third-party vendors. We have seen VEC attacks on healthcare surge by 60% in the past year alone.

In these attacks, cybercriminals will often impersonate trusted contacts using email spoofing or lookalike domains to hide their identities. Sender authentication (SPF, DKIM and DMARC with an enforcing policy) blunts the spoofing variant, but it offers nothing against mail sent from a genuinely compromised mailbox. More advanced attackers go exactly that far: they take over vendor email accounts and send malicious emails directly from the legitimate account, often inserting themselves into an existing thread. Their goal is to manipulate ongoing communications to deceive healthcare staff into sharing data and login credentials or transferring funds to the attackers' accounts directly.

Moving beyond employee awareness training

Increasing cyber threat awareness through employee training has long been a favoured tactic to countering these attacks. However, while still important, it is no longer enough to protect healthcare organisations from today’s sophisticated cyber threats.

Modern phishing attacks often appear highly realistic, especially in today’s generative AI era, where threat actors can quickly and accurately craft sophisticated emails that closely mimic trusted contacts. These attacks can not only easily evade detection by employees – even the most security aware employees – they can also bypass traditional email security tools. These tools are usually based on policies that look for known indicators of compromise, like malicious links or bad senders. By omitting these indicators and instead relying on social engineering, attackers are able to successfully compromise their targets without raising any red flags.

To counter these threats, healthcare organisations must adopt advanced security measures that extend beyond traditional awareness programs and email security technologies.

Solutions powered by machine learning and artificial intelligence have a major role to play against today’s modern phishing attacks. By learning and baselining “normal” email behaviour, these solutions can detect and block malicious anomalies before they reach an employee’s inbox. These systems continuously adapt to evolving threats, offering protection against even the most convincing impersonation attempts.
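To make the baselining idea concrete, the block below is an added example for this article; it is not Abnormal Security's product or any code from the author, and the supplier history and the three test messages are constructed. It learns, per known sender, which display name goes with which address, which Reply-To domains and sending hours are usual and whether the sender ever talks about payment details, then scores a new message by how far it departs from that baseline rather than by looking for a known-bad link or sender. The weights and the threshold are hypothetical values chosen for illustration.

```python
import re
from collections import defaultdict
from email.utils import parseaddr
from typing import Dict, List, Tuple

Message = Tuple[str, str, int, str]   # (From header, Reply-To address, hour sent, subject)

# Constructed history of benign mail from a known supplier, as a detector would have learned it
HISTORY: List[Message] = [
    ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs.example", 10, "Invoice 4471 attached"),
    ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs.example", 11, "Invoice 4502 attached"),
    ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs.example", 9,  "Statement for March"),
    ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs.example", 14, "Invoice 4533 attached"),
]

# Constructed test messages: one routine, one lookalike-domain impersonation, one account takeover
BENIGN: Message = ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs.example", 10,
                   "Invoice 4560 attached")
LOOKALIKE: Message = ("Acme Labs Billing <ar@acmelab.example>", "ar@acmelab.example", 22,
                      "URGENT: updated bank details for invoice 4560")
TAKEOVER: Message = ("Acme Labs Billing <ar@acmelabs.example>", "ar@acmelabs-remit.example", 10,
                     "New bank details for remittance")

PAYMENT_TERMS = re.compile(
    r"\b(new bank|updated? (?:bank|account) details|wire|urgent|sort code|iban)\b", re.I)
SUSPICIOUS_AT = 4   # constructed threshold


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_baseline(history: List[Message]):
    """Per display name: addresses it has used. Per address: reply-to domains, hours, payment talk."""
    by_name: Dict[str, set] = defaultdict(set)
    by_addr: Dict[str, dict] = defaultdict(
        lambda: {"reply_domains": set(), "hours": set(), "payment_msgs": 0})
    for frm, reply_to, hour, subject in history:
        name, addr = parseaddr(frm)
        addr = addr.lower()
        by_name[name].add(addr)
        b = by_addr[addr]
        b["reply_domains"].add(reply_to.rsplit("@", 1)[-1].lower())
        b["hours"].add(hour)
        b["payment_msgs"] += 1 if PAYMENT_TERMS.search(subject) else 0
    return by_name, by_addr


def score(msg: Message, baseline) -> Tuple[int, List[str]]:
    """Weighted deviations from the learned baseline; no indicator-of-compromise lists involved."""
    by_name, by_addr = baseline
    frm, reply_to, hour, subject = msg
    name, addr = parseaddr(frm)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    known_domains = {a.rsplit("@", 1)[-1] for addrs in by_name.values() for a in addrs}
    hits: List[Tuple[str, int]] = []

    if name in by_name and addr not in by_name[name]:
        hits.append(("known display name sending from a new address", 3))
    if domain not in known_domains and any(0 < levenshtein(domain, d) <= 2 for d in known_domains):
        hits.append(("lookalike of a known sending domain", 2))
    b = by_addr.get(addr)
    if b and reply_to.rsplit("@", 1)[-1].lower() not in b["reply_domains"]:
        hits.append(("reply-to domain never seen for this sender", 2))
    if PAYMENT_TERMS.search(subject) and (b is None or b["payment_msgs"] == 0):
        hits.append(("payment-change language with no history of it", 2))
    if b and hour not in b["hours"] and not (min(b["hours"]) - 2 <= hour <= max(b["hours"]) + 2):
        hits.append(("sent outside the sender's usual hours", 1))

    return sum(w for _, w in hits), [reason for reason, _ in hits]


def is_suspicious(msg: Message, baseline) -> bool:
    return score(msg, baseline)[0] >= SUSPICIOUS_AT


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for label, m in (("benign", BENIGN), ("lookalike", LOOKALIKE), ("takeover", TAKEOVER)):
        total, reasons = score(m, base)
        print(f"{label:9} score={total} {reasons}")
```

The two attack messages trip the detector for different reasons, which is the point of behavioural scoring: the lookalike is caught on its display name and domain before the subject is even read, while the account takeover has a perfectly legitimate sender and is caught only because the Reply-To domain and the request itself are both new for that relationship. The weights and threshold here are fixed for clarity; a production system would learn them and would also consider the full thread, attachments and recipient behaviour.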

Layering technical solutions with ongoing training and phishing simulations provides the most effective defence. While it is valuable for personnel to be aware of common phishing tactics, they should not be expected to spot them reliably every single time.

The need for regulatory evolution

Regulatory bodies also have an important role to play in supporting healthcare providers as they manage the growing volume of cyberattacks. However, many compliance frameworks remain focused on legacy security issues, leaving healthcare providers vulnerable to new and fast-changing tactics like VEC and AI-assisted phishing.

Regulators need to ensure there are steps in place to frequently review the state of play in cyber threats to the sector, and update guidance and mandates accordingly.

Enforcing the implementation of specific processes like multifactor authentication and steering organisations towards stronger, behavioural-based email security will help to mitigate these threats. Prioritising vendor risk management and ensuring consistent cybersecurity protocols across the supply chain will also reduce the risk of VEC attacks.

A proactive future for healthcare email cybersecurity

It’s clear that cybercriminal gangs are only growing more aggressive and brutal in their attacks on healthcare, emboldened by the many successful raids we have seen over the last few years.

Implementing multi-layered defence strategies, including advanced AI-powered systems, will be key to countering VEC and other phishing threats. By combining technological solutions with tough regulatory frameworks and continuous staff training, healthcare providers can better protect their operations, sensitive data, and, most importantly, patient safety.

By Mike Britton, CIO at Abnormal Security

The post Countering the Rise of Email Threats Against Healthcare appeared first on .

Safeguarding our Health - Why Data Protection is Key for Today’s Healthcare Organisations
https://thejournalofmhealth.com/safeguarding-our-health-why-data-protection-is-key-for-todays-healthcare-organisations/ Tue, 22 Oct 2024 06:00:00 +0000 https://thejournalofmhealth.com/?p=13566

In today’s digital landscape, every industry is a potential target for cybercriminals, but the healthcare sector is particularly vulnerable. This is unsurprising, given that many of the organisations that operate within this space handle vast amounts of sensitive patient data, including personal and medical records, day in, day out. If these records are stolen or tampered with, the consequences could be devastating, or even life-threatening. As a result, safeguarding health data has become critical.

Just last month, a cyberattack that impacted several London hospitals including King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust resulted in over 1,000 planned operations and 3,000 outpatient appointments being postponed. According to the founder of the UK’s National Cyber Security Centre (NCSC), this might not be an anomaly, thanks to the NHS’s outdated IT systems and lack of basic security practices.

Just like the infamous 2017 WannaCry attack, the incident serves as a reminder of the importance of data protection for healthcare organisations. With budget concerns and talent shortages rife throughout the sector, it is easy to see why implementing robust cybersecurity strategies can slip down the priority list. In today’s digital landscape, however, it is a necessity.

A costly business

Research released last year revealed that three in four (76%) healthcare organisations around the world have experienced a successful ransomware attack and two thirds (65%) have experienced data loss from other types of attack. Almost half (43%) of those organisations consider data security their primary risk, ahead of economic uncertainty (39%) and the adoption of emerging technologies like AI (32%).

A cyberattack has the potential to destroy any business. When it comes to the healthcare industry, especially the UK’s National Health Service (NHS), which serves a large portion of the population, an attack feels more personal. Its impact is widespread and unavoidable. At a base level, cyberattacks can disrupt medical services and cripple hospital operations, because when systems are down, essential patient information is inaccessible. This can delay medical procedures and compromise patient care. It can also increase the risk of medical errors and negatively impact treatment outcomes.

Beyond this, cyberattacks also frequently result in hefty financial costs. Sometimes this takes the form of an immediate ransom payment; however, prolonged downtime and recovery following an attack also carry a cost. In the healthcare space, it can be even more tempting to pay off the attackers, due to the sensitivity of the information they manage to get hold of.

Another implication which isn’t always considered is the impact a cyberattack will have in terms of patient trust. A cyberattack in which malicious actors manage to access sensitive data can lead to a loss of confidence in an organisation’s data safeguarding abilities and can seriously damage its long-term reputation.

Safeguarding the health industry against the inevitable

In today’s digital age, the question is not if a healthcare organisation will face a cyberattack, but when. With that in mind, those in the health sector must be ready to mitigate the effects and recover quickly. Here are some ways in which health organisations can improve their safeguarding and protect data from attackers:

  • Implement a data backup and recovery plan designed to safeguard essential health data and ensure business continuity. Backup processes should capture all critical data, run at regular intervals, and keep at least one copy offline or immutable so that ransomware on the primary systems cannot reach it. Coupled with a swift, regularly rehearsed recovery process, backups minimise downtime when data is lost to malicious activity.
  • Invest in cyber awareness training. Develop and implement an ongoing cyber awareness programme to educate the entire organisation on the latest cyber threats and the policies to avoid them. The programme should be continually updated to reflect emerging threats and remain a critical line of defence in identifying and thwarting potential cybercrimes.
  • Deploy advanced security technologies like firewalls, anti-malware tools, and intrusion detection systems that use AI and machine learning for predictive threat analysis and response.
  • Regularly stress-test and break systems to identify where the weak points are. Often organisations, especially within the public sector, implement security strategies and then wait until an incident occurs to see whether their framework is effective. With the regularity of attacks in the current landscape, this cannot adequately anticipate the scale at which breaches are attempted.
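The first item in the list is where most recovery plans fail in practice: the backup exists, but nobody has checked that what it restores is the data that was backed up. The following is an added example written for this page, not Veritas’s or any vendor’s code. It takes a hashed, HMAC-authenticated manifest of a constructed set of patient records at backup time, then simulates a ransomware run (one record encrypted, one deleted, a ransom note dropped) and shows what a restore verification against that manifest reports. The manifest key, file names and record contents are assumptions for the illustration; the key is assumed to live outside the protected host, as it would in a backup vault.

```python
# Added illustration of backup manifest verification. Constructed example,
# not Veritas's or any product's code; key, paths and records are assumed.
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Assumed: this key is held in the backup vault, not on the host being backed
# up, so an attacker who encrypts the primary copy cannot re-sign the manifest.
MANIFEST_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root and authenticate the listing with an HMAC."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    payload = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()}


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against its manifest and report every discrepancy."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # A manifest that fails its HMAC cannot be trusted to judge anything.
        return {"manifest_tampered": True, "modified": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    modified = sorted(n for n, digest in manifest["files"].items()
                      if n in present and sha256_file(root / n) != digest)
    missing = sorted(n for n in manifest["files"] if n not in present)
    unexpected = sorted(present - manifest["files"].keys())
    return {"manifest_tampered": False, "modified": modified,
            "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Back up constructed records, simulate a ransomware run, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        (primary / "records").mkdir(parents=True)
        (primary / "records" / "patient-001.json").write_text('{"id": 1, "allergies": ["penicillin"]}')
        (primary / "records" / "patient-002.json").write_text('{"id": 2, "allergies": []}')
        manifest = build_manifest(primary)
        # Simulated attacker: encrypts one record, deletes another, drops a note.
        (primary / "records" / "patient-001.json").write_bytes(os.urandom(48))
        (primary / "records" / "patient-002.json").unlink()
        (primary / "README_DECRYPT.txt").write_text("pay us")
        return verify_restore(primary, manifest)


def tampered_manifest_detected() -> bool:
    """An attacker who edits the manifest without the key is caught by the HMAC."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "a.txt").write_text("x")
        manifest = build_manifest(root)
        manifest["files"]["a.txt"] = "0" * 64
        return verify_restore(root, manifest)["manifest_tampered"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered manifest detected:", tampered_manifest_detected())
```

Run on the constructed set, the report lists patient-001.json as modified, patient-002.json as missing and README_DECRYPT.txt as unexpected, which is exactly the information a recovery team needs before deciding which backup generation to restore from. The HMAC matters because a manifest stored beside the data it describes is only as trustworthy as that data.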

The ability to deliver effective healthcare services relies on data. It is what enables nurses and doctors to diagnose their patients, it is what ensures that patients are not given medication that they are allergic to, and it is what helps us as a society to develop life-saving treatments and innovations. Unfortunately, attackers know this, and they are not above using it to their advantage.

Whilst facing cyberattacks is inevitable for healthcare organisations, losing data does not have to be. Data protection strategies and cybersecurity tools can strengthen defences and improve the healthcare industry’s ability to respond promptly to emerging threats.

By Oliver Norman, Regional Vice President for UK & Ireland at Veritas Technologies
