By the EHR Association’s Privacy & Security Workgroup
Healthcare cybersecurity risks have surged to unprecedented levels over the 22 years since the HIPAA Security Rule was first implemented—and the 12 years since its last update.
According to the HIPAA Wall of Shame, of the 614 data breaches reported in 2013, 43% (269) affected the healthcare industry. That was the first year since 2005 that the healthcare sector ranked higher than business in the number of data breaches. Healthcare also recorded the second-highest number of affected individuals, at 9 million.
Since then, breaches have consistently increased in frequency, with 2024 setting a record with 720 incidents affecting 186 million individuals. Hacking-related healthcare data breaches increased by 239% between January 1, 2018, and September 30, 2023, and ransomware rose by 278%.
Over the years, the healthcare industry’s threat landscape has evolved, transitioning from opportunistic to increasingly sophisticated.
- 2013–2016: Opportunistic attacks like the 2015 Anthem breach that impacted nearly 80 million records targeted outdated systems with weak defenses.
- 2017–2020: Ransomware surged, with WannaCry and NotPetya exposing vulnerabilities in global healthcare systems. Attackers also began targeting hospitals for maximum disruption.
- 2021–Present: Threats became more coordinated and damaging. The massive 2024 Change Healthcare attack disrupted providers nationwide and exposed systemic weaknesses in authentication and cloud security.
These trends propelled cybersecurity to a board-level concern, with health system leaders allocating more budget dollars for security infrastructure, incident response, and tabletop exercises. However, these actions have had little impact on the numbers; 2025 is currently on track to break 2024’s record in the number of both breaches and impacted individuals.
Behind the Surge
The unprecedented strain on healthcare’s cybersecurity landscape stems from a convergence of broader technology adoption and systemic vulnerabilities. The pandemic-era expansion of telehealth introduced new avenues of attack through mobile apps, IoT devices, and home networks, expanding the perimeter beyond traditional clinical settings. At the same time, healthcare organizations’ ongoing reliance on aging infrastructure has created a broad attack surface with inconsistent security maturity. Even as provider organizations adopt AI and automation to bolster threat detection and response, adversaries are weaponizing the same technologies to launch more sophisticated and evasive attacks.
Medical devices and vendor ecosystems have become high-risk entry points, often overlooked until damage has already been done. A compromised device manufacturer can act as a Trojan horse, silently infiltrating clinical environments until patient data is exfiltrated or workflows grind to a halt. From sleep monitors to dialysis machines, every connected system represents a potential vulnerability if vendors fail to patch quickly and consistently. The complexity of these interdependencies means that cybersecurity is no longer confined to IT departments—it’s embedded in the very tools clinicians use to deliver care.
A new frontline in healthcare cybersecurity has also emerged in the form of third-party risk. This sector experiences the highest rate of breaches stemming from external vendors, and the consequences are often immediate and visible to patients: delayed treatments, rescheduled procedures, and disrupted medication delivery. These attacks go beyond operational hiccups. They are serious threats to patient safety. As digital health ecosystems grow more interconnected, cybersecurity must evolve from a compliance checkbox to a core pillar of clinical risk management.
Prescriptive Regulations Ahead?
The risk evolution has not gone unnoticed by regulatory agencies. In 2025, OCR proposed the first sweeping overhaul of the HIPAA Security Rule since 2013.
In the executive summary of the HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information proposed rule, published in the Federal Register in January 2025, OCR noted that “cybersecurity is a concern that touches nearly every facet of modern healthcare, certainly more so than it did in 2003 or even 2013. Almost every stage of modern healthcare relies on stable and secure computer and network technologies.”
With technology now deeply ingrained in nearly every aspect of healthcare, and the industry’s risk profile further elevated by covered entities and business associates, the proposed Security Rule overhaul is designed to address:
- Significant changes in technology.
- Changes in breach trends and cyberattacks.
- OCR’s enforcement experience.
- Other guidelines, best practices, methodologies, procedures, and processes for protecting ePHI.
- Court decisions that affect the enforcement of the Security Rule.
The EHR Association awaits the release of the final regulation addressing HIPAA security requirements, which stirred up a strong response from many stakeholders. The proposed regulatory adjustments and additions, as well as our recommended changes to the rule as shared in our original comment letter to OCR, will be explored in our next Cybersecurity Awareness Month blog.
