What the Feds’ Healthcare Security Moves Mean For the Rest of Us

The healthcare industry is under cyber assault. Few industries have been hit by recent security incidents quite like healthcare. In May, WannaCry shut down emergency rooms and other medical services at 16 National Health Service facilities in the U.K. Last month, the drug manufacturer Merck suffered a ransomware attack that affected all of its U.S. offices. Nuance Communications, a U.S.-based technology company that provides dictation and transcription services to hospitals and health systems, was attacked two weeks ago and experienced an outage that affected some services for over a week.

Unfortunately, the threat isn’t limited to targeted attacks. In May, Molina Healthcare exposed data on an estimated 4.8 million patients for over a month after a website update inadvertently allowed access to patient claim data without requiring authentication. The incident was reported to security researcher Brian Krebs, who wrote: “It’s unconscionable that such a basic, Security 101 flaw could still exist at a major healthcare provider today … However, the more I write about these lame but otherwise very serious vulnerabilities at healthcare firms the more I hear about how common they are from individual readers.”
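To make that flaw class concrete, here is an added example; it is not code from Molina, Krebs, or the original post. It models a claim-lookup endpoint that hands claim data to anyone who puts a claim number in the URL, beside a version that requires an authenticated session and checks that the claim belongs to that member. The endpoint, the session store, the sequential claim numbers, and the claim records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample data for illustration; not real members or claims.
CLAIMS: Dict[str, dict] = {
    "1001": {"member_id": "M-1", "diagnosis": "J45.20", "amount": 120.00},
    "1002": {"member_id": "M-2", "diagnosis": "E11.9", "amount": 340.50},
}
# Hypothetical session store: session token -> authenticated member id.
SESSIONS: Dict[str, str] = {"sess-abc": "M-1"}


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def claim_id_from_path(path: str) -> Optional[str]:
    """Extract the claim number from a /claims/<id> path, or None."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "claims" and parts[1].isdigit():
        return parts[1]
    return None


def vulnerable_claim_view(req: Request) -> Response:
    """The 'Security 101' flaw: whatever claim number is in the URL is
    looked up and returned. No session is required and no ownership check
    is made, so sequential claim numbers can be enumerated by anyone."""
    claim = CLAIMS.get(claim_id_from_path(req.path) or "")
    if claim is None:
        return Response(404)
    return Response(200, claim)


def hardened_claim_view(req: Request) -> Response:
    """Authenticate first, then authorize: the claim must belong to the
    member whose session presented it."""
    member = SESSIONS.get(req.cookies.get("session", ""))
    if member is None:
        return Response(401)  # no valid session: refuse before any lookup
    claim = CLAIMS.get(claim_id_from_path(req.path) or "")
    if claim is None or claim["member_id"] != member:
        # Same status for "does not exist" and "not yours", so a scan
        # cannot tell which claim numbers are valid.
        return Response(404)
    return Response(200, claim)


def enumerate_claims(view: Callable[[Request], Response],
                     cookies: Optional[Dict[str, str]] = None,
                     start: int = 1000, stop: int = 1010) -> List[str]:
    """Simulate the scan an attacker would run: walk sequential claim
    numbers and record which ones the endpoint hands back."""
    found = []
    for n in range(start, stop):
        resp = view(Request(path=f"/claims/{n}", cookies=cookies or {}))
        if resp.status == 200:
            found.append(str(n))
    return found


if __name__ == "__main__":
    print("unauthenticated scan, vulnerable:", enumerate_claims(vulnerable_claim_view))
    print("unauthenticated scan, hardened:  ", enumerate_claims(hardened_claim_view))
    print("member M-1 scan, hardened:       ",
          enumerate_claims(hardened_claim_view, {"session": "sess-abc"}))
```

Run against the constructed data, the unauthenticated scan of the vulnerable view returns both claims, the same scan of the hardened view returns nothing, and a logged-in member only sees their own claim. The two checks are deliberately separate: a session proves who is asking (authentication), and the ownership comparison decides whether they may see this record (authorization); a real site usually fails on the second one, which is what an authenticated user poking at someone else's claim number exploits. Returning 404 rather than 403 for a foreign claim is a design choice that keeps the endpoint from confirming which claim numbers exist.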

The U.S. Department of Health and Human Services (HHS) has taken notice of the threat. In June, its Health Care Industry Cybersecurity Task Force released a report titled “Report on Improving Cybersecurity in the Health Care Industry” that identifies key concerns and recommendations. The report is 88 pages long and was delivered to multiple members of Congress.

Prepare for the Auditors

The report leads with an image at the top of page 1: big red letters next to a thermometer reading “HEALTHCARE CYBERSECURITY IS IN CRITICAL CONDITION,” followed by five primary findings:

  • Severe lack of security talent
  • Legacy equipment
  • Premature/over-connectivity
  • Vulnerabilities impact patient care
  • Known vulnerabilities epidemic

I’m guessing the authors knew that members of Congress weren’t actually going to read an 88-page report on security, so the picture was a nice way to summarize the findings; it’s a pretty smart tactic if you ask me. The report also defines the healthcare “ecosystem” broadly, to include not just hospitals and direct patient care facilities but also labs, pharmaceutical companies, cemeteries, government offices, research facilities, insurance companies, and other entities that probably don’t consider themselves part of the healthcare industry.

There is plenty of good information in the report, but the biggest takeaway for me is the task force’s #1 recommendation: “Define and streamline leadership, governance, and expectations for health care industry cybersecurity.” As a veteran of the United States military, I’ve seen (and authored) that kind of language before, so I know it typically means someone isn’t doing a good enough job, and a leadership committee is going to write a whole bunch of rules and audit compliance regularly. As I continued reading, sure enough, there was the language I anticipated, just three paragraphs below the header:

“The Health Care Cybersecurity Leader (described in recommendation 1.1) would work within the Department of Health and Human Services (HHS), externally with other federal agencies that impact health care, and other health care sector-related groups to reduce duplication and provide guidance and clarity in the areas of security and cyber risk, best practices, education, and regulations.”

In other words, here come more regulations, checklists, and auditors.

Security Now or Auditors Later

Cybersecurity compliance is not a new concept. Healthcare has been going through HIPAA audits for years. Financial institutions deal with GLBA, Sarbanes-Oxley, PCI DSS, and state laws, just to name a few. The federal government and the organizations that support it are regularly audited for compliance with requirements such as NIST SP 800-171. For the most part, though, those requirements aren’t extremely difficult to comply with. In many cases there’s room to make assumptions, or to make a case to an auditor, about how you meet a requirement that is only generically defined.

The recommendations in this report go a step further, opening the door for compliance to be based on a single security framework, in this case the NIST Cybersecurity Framework. As part of the initial recommendation, the task force suggests that “Use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework would standardize risk assessment and definitions to make sharing cyber information easier and allow the industry to understand the risk across the continuum of data.” For most healthcare organizations this shouldn’t be too much of a stretch, since HIPAA already requires some safeguards. The precedent, though, opens the door for the federal government to apply the same framework across other industries, many of which are definitely not prepared to meet that burden.

The point here is that, quite frankly, organizations simply are not taking basic steps to protect their data. If they were, you wouldn’t see all these cases in the news. In healthcare, the regulators have started to “smell blood in the water,” and government is positioning regulation as a way to force the issue. Once that happens, it won’t be long before other industries with sensitive data feel the compliance wrath.

Is your organization ready? Arraya’s Cyber Security Practice is well-versed in the threats facing modern healthcare providers. Through a combination of real-world experience, best-of-breed solutions, and an understanding of the challenges facing the industry, Arraya is able to help healthcare providers build a hardened barrier ready for always-advancing threats.

Reach out to us today by visiting https://www.arrayasolutions.com//contact-us/. Leave us a comment on this post using our social media presence: LinkedIn, Twitter, and Facebook. While you’re there, be sure to follow us to stay on top of our latest industry insights, special events, and company updates.

© 2025 Arraya Solutions. All rights reserved.