Top cybersecurity strategies for healthcare payers

Healthcare payers can conduct internal risk assessments, train employees and stay informed about upcoming regulations to bolster cybersecurity efforts.

Healthcare payers hold large amounts of sensitive patient data, making them just as vulnerable to cybersecurity risks as provider organizations. Whether the cyberthreats originate within a healthcare payer's systems or through a third-party vendor, payers face a complex cybersecurity landscape that requires a layered approach to mitigating risk.

Healthcare payers have been the subject of large-scale data breaches in the past. For example, in February 2015, Anthem disclosed a cyberattack that affected the data of nearly 79 million patients.

In September 2024, CMS notified 946,000 individuals of a third-party data breach that potentially exposed the information of Medicare beneficiaries.

Managing cybersecurity as a healthcare payer necessitates a proactive approach. Tackling risk internally, training employees and keeping up with legislative movement in the healthcare cybersecurity space can help payers strengthen their security posture.

Start with internal risk assessments

Assessing risk in a healthcare payer setting starts from within the organization.

"The true building block of any cybersecurity program is a risk assessment that is going to tell a payer where they have personal information or protected health information or other sensitive information and what the risks and vulnerabilities to that are," said Jennifer Pike, counsel in the healthcare group at Alston & Bird.

"If that step is not taken and there is not an underlying understanding of what your data is and what could potentially happen to it because of the payer's particular environment, that is where true risk stems from."

Ransomware, phishing, and other cyberthreat actor tactics will still threaten even the most advanced security architectures. But Pike suggested that measuring and accounting for internal risks first is paramount to maintaining a secure environment and handling external risks when they arise.

Healthcare payers can conduct risk assessments internally, or they can hire third-party firms to conduct them.

"The first step in that is making sure all of your internal stakeholders are involved and on board so that you can go to each area of your business, which often has many layers," Pike stated.

"There are subsidiaries and affiliates and payers are often engaged in acquisitions. Understanding all of those different pieces as they happen is important."

The risk assessment process will guide healthcare payers through every layer of their organization and help to determine where data lives and who has access to it.

"It's not an easy process, but one that pays dividends to complete," Pike added.

The HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology maintain a security risk assessment tool that helps HIPAA-covered entities navigate compliance with the HIPAA Security Rule through risk assessments. While the tool is designed with smaller entities in mind, it provides a window into what OCR is focused on when it comes to analyzing risk under HIPAA, Pike noted.

Focus on training and incident response

In addition to conducting a thorough risk assessment, improving employee security training and incident response planning are key focus areas that can help healthcare payers mitigate risk.

"I don't think it is unique to payers. It's any large organization with a lot of sensitive information in their hands, but it comes down to people and making sure that they are trained and understand what the risks of the environment are and those risks evolve," Pike said.

"Five years ago, ransomware wasn't really something anybody was concerned about, and then it started happening with more frequency and so there has been a need to train and test against that with your own organization."

Healthcare payers can use similar tactics to provider organizations when it comes to employee cybersecurity training and awareness. Phishing simulations can help organizations teach employees about common phishing schemes in a controlled environment. Tailoring security training to different groups within the organization can also help healthcare payers ensure that their training content remains engaging and effective.

In addition to training, Pike stressed the importance of implementing and practicing an incident response plan. While payers are not directly providing patient care, they play a key role in keeping the healthcare system in motion. As such, these organizations must have plans in place to get systems back online quickly in the event of a cybersecurity incident.

"It is just a matter of understanding that it takes some deep diving and turning over rocks and interviewing your people and understanding what's going on," Pike stated.

Pike advised leaning on third-party experts to build on existing training and incident response programs.

Understand existing, upcoming regulations

Staying informed about existing regulations and those on the horizon can also help healthcare payers maintain compliance and improve their security strategies.

"OCR came out at the beginning of 2024 with those voluntary cybersecurity performance goals," Pike noted. "It would probably do anybody who's regulated by HIPAA well to go back and familiarize yourself with those and start putting in the processes to implement those."

The cybersecurity performance goals are voluntary and consist of "essential" and "enhanced" goals to help organizations of all security maturity levels prioritize security.

What's more, HHS proposed updates to the HIPAA Security Rule in December 2024 for the first time in over a decade. Healthcare payers and other covered entities should keep an eye on whether the proposed updates move forward, and the costs and efforts needed to comply with them.

At the state level, state attorneys general have taken an interest in healthcare cybersecurity. For example, in 2024, New York State enacted new cybersecurity regulations that apply to hospitals around the state. While these regulations strictly apply to hospitals, they show that lawmakers are focused on improving cybersecurity across the healthcare sector.

"State AGs are becoming much more active in this area, and we have 50 states, and payers and other organizations operate in all of them or many of them," Pike noted. "It's hard to keep up and it's hard to figure out what the bottom line is for compliance when there are so many disparate areas. Just being aware of what's going on in the area and understanding the different enforcement avenues is important with the new administration."

Pike reasoned that even if federal efforts slow down, payers should pay close attention to what's happening in the regulatory landscape on the state level.

In addition to conducting risk assessments, leveling-up employee cybersecurity training and staying informed about regulations, Pike advised healthcare payers to remember that providers are not the only healthcare organization type to face cyberattacks and regulatory scrutiny.

"When we think of patient information and when we think of incidents, we tend to automatically think of providers. Historically, I think there's a lot more enforcement action with providers, but the same rules apply to payers," Pike emphasized.

"Don't take for granted that providers have been historically a focus. This is truly an area that payers need to pay attention to as well."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.