AHA: Understand Your Risk Environment to Better Protect Patient Data
In the first part of its 2025 review of healthcare cybersecurity, the American Hospital Association (AHA) reports that in the year to October 3, 2025, the health records of 33 million Americans were compromised in 364 hacking incidents. While the figures are appalling, they are at least better than last year, when a new record was set, with 259 million Americans having had their sensitive health data stolen, 190 million of whom had their data stolen in a single incident – the ransomware attack on Change Healthcare.
It is too early to tell how bad this year will be in terms of data breaches, but in each of the previous four years, more than 700 large data breaches were reported, the majority of them due to hacking incidents. As the AHA points out in the report, 100% of breached records were unencrypted. That follows from how a breach is defined: under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is treated as secured, and its loss is not a reportable breach unless the decryption key is compromised as well. Encryption is therefore a strong control against theft of stored data, backups, and lost or stolen devices, but it is not a complete answer to hacking. An attacker who compromises a user account, or a server that decrypts data as part of normal operation, still obtains plaintext, so encryption has to be paired with key management and access controls that keep the keys out of the attacker's reach.
The AHA analysis revealed that over the past few years, the majority of protected health information stolen in security incidents was not stolen from hospitals but from business associates, non-hospital providers, and health plans, including the Centers for Medicare and Medicaid Services, and only 10% of hacking incidents involved data theft from EHRs.
Healthcare data can be found in many different devices and systems, and healthcare providers may provide protected health information to dozens, if not hundreds, of business associates. Protecting all of that data can be a challenge, and one that will only be overcome if there is an accurate and up-to-date inventory of all assets and data locations, including network-connected medical devices. Healthcare providers must also keep track of their business associates and the data provided to each.
Without an accurate inventory, data is likely to be exposed to unauthorized individuals, whether internal or external actors, because systems and data stores that nobody knows about do not get patched, monitored, or access-controlled. “Before you can protect against data theft, you need to figure out what exactly you need to protect. How are you managing your data, and how secure is it?” suggests the AHA. “That requires a dynamic process to continuously map your data, network, network traffic, applications, and devices to maintain an accurate and up-to-date asset inventory — including your inventory of network-connected medical devices.”
Further, when assessing cyber risk exposure, it is important to also understand third-party risk, including third-party applications and medical devices. Any technology vendor should supply a software bill of materials (SBOM): a machine-readable inventory of the components, including open-source libraries and their versions, used to build a piece of software or device firmware. Without an SBOM, healthcare providers have no reliable way of knowing whether a subcomponent in a device or application carries a vulnerability that could be exploited, and no quick way of telling, when a new vulnerability is disclosed, which of their devices and applications are affected.
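As an added example (not from the AHA report or from HIPAA Journal), the following Python script shows the check that an SBOM makes possible: it reads a CycloneDX-style SBOM, matches each component's package URL (purl) against a list of advisories, and applies each advisory's affected-version range. The SBOM, the component names and the advisory identifiers (EXAMPLE-2025-...) are constructed for illustration and do not refer to any real product or vulnerability; in practice the advisory list would be pulled from a vulnerability database keyed by purl.

```python
"""Match a CycloneDX-style SBOM against a list of known-vulnerable components.

Everything below is a constructed example: the SBOM, the component names and
the advisory identifiers are fabricated and describe no real product or CVE.
"""
import json
import re
from typing import Any

# Constructed SBOM for a hypothetical device; shaped like CycloneDX JSON.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "device", "name": "infusion-pump-gateway", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "hl7-parser", "version": "2.2.9", "purl": "pkg:pypi/hl7-parser@2.2.9"},
    {"type": "library", "name": "tls-shim",   "version": "1.4.0", "purl": "pkg:generic/tls-shim@1.4.0"},
    {"type": "library", "name": "logfmt",     "version": "0.9.1", "purl": "pkg:pypi/logfmt@0.9.1"},
    {"type": "library", "name": "vendor-blob", "version": "7"}
  ]
}
"""

# Constructed advisory feed (hypothetical identifiers, not real vulnerabilities).
ADVISORIES: list[dict[str, Any]] = [
    {"id": "EXAMPLE-2025-0001", "package": "pkg:pypi/hl7-parser", "affected": ">=2.0.0,<2.3.0", "fixed_in": "2.3.0"},
    {"id": "EXAMPLE-2025-0002", "package": "pkg:generic/tls-shim", "affected": "<1.4.0", "fixed_in": "1.4.0"},
    # Same name, different ecosystem (npm, not pypi): must NOT match the pypi component.
    {"id": "EXAMPLE-2025-0003", "package": "pkg:npm/logfmt", "affected": "<1.0.0", "fixed_in": "1.0.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.2.9' or '1.4.0-rc1' into a tuple of ints; non-numeric suffixes are dropped."""
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _compare(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter with zeros so 1.4 == 1.4.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">": lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "==": lambda c: c == 0,
}


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated constraint in `spec`, e.g. '>=2.0.0,<2.3.0'."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*(.+)$", constraint.strip())
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](_compare(v, parse_version(bound))):
            return False
    return True


def purl_package(purl: str) -> str:
    """Strip version and qualifiers from a purl: pkg:pypi/foo@1.2?os=linux -> pkg:pypi/foo."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = base.rpartition("/")          # the version '@' always follows the last '/'
    if "@" in tail:
        tail = tail.rsplit("@", 1)[0]
    return head + sep + tail


def find_vulnerable_components(sbom_json: str, advisories: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per (component, advisory) pair whose version falls in the affected range."""
    sbom = json.loads(sbom_json)
    by_package: dict[str, list[dict[str, Any]]] = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings: list[dict[str, str]] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably; see components_without_purl()
        for adv in by_package.get(purl_package(purl), []):
            if version_matches(comp["version"], adv["affected"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv.get("fixed_in", "")})
    return findings


def components_without_purl(sbom_json: str) -> list[str]:
    """Components that lack a purl cannot be matched automatically and need manual review."""
    return [c["name"] for c in json.loads(sbom_json).get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']}: affected by {f['advisory']} (fixed in {f['fixed_in']})")
    for name in components_without_purl(SBOM_JSON):
        print(f"{name}: no purl in SBOM, review manually")
```

On the constructed input the script reports hl7-parser 2.2.9 as affected, does not flag tls-shim (1.4.0 is the first fixed version) or logfmt (the advisory is for the npm package, not the pypi one), and lists vendor-blob for manual review because the vendor supplied no purl. Real advisory feeds express affected ranges in ecosystem-specific schemes (Debian, RPM, semver, OSV event ranges), so the numeric comparison in `version_matches` is the part to swap out when connecting this to a live database; the purl matching and the handling of components without identifiers carry over unchanged.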
Once an up-to-date inventory has been created, best-practice defensive measures should be implemented to protect all devices and data held by the organization. Third-party risk management can be a major challenge, but managing internal risks is made more straightforward by using a framework as a guide, and even basic cybersecurity practices eliminate a considerable amount of cyber risk.
The AHA suggests using the HHS Cybersecurity Performance Goals as a guide for implementing high-impact measures to protect against the most common cybersecurity threats, following the recommendations and best practices in the Healthcare Industry Cybersecurity Practices (HICP), and adopting the NIST Cybersecurity Framework to better understand, assess, and prioritize risks.
It is also important to ensure that the workforce is trained on HIPAA, internal policies and procedures, and cybersecurity best practices. As Verizon pointed out in its Data Breach Investigations Report, a majority of data breaches involve the human element. Training will go a long way toward reducing human risks.