Strengthen your Cybersecurity knowledge in Cybersecurity Awareness Month

Oct 13, 2025

In 2025, healthcare organizations continue to face evolving cyber threats and the increasing digitalization of healthcare services. October is Cybersecurity Awareness Month and is a great time to go over key components of cybersecurity awareness.

Cybersecurity threats can take place at any time. The Cybersecurity and Infrastructure Security Agency (CISA) urges all small and medium businesses and state, local, tribal, and territorial governments to take action to improve their cybersecurity.

What is Cybersecurity?

CMS defines cybersecurity as encompassing policies and programs aimed at protecting sensitive data; securing systems, medical devices, and networks; and ensuring compliance with security standards.

With the use of electronic technologies in healthcare settings steadily increasing, good cybersecurity is very important.

In 2021, 80 percent of physician practices and 95 percent of hospitals had an Electronic Health Record (EHR).

Cybersecurity losses can be expensive. For example, the CommonSpirit Health attack in 2022 totaled $150 million in losses, affected 140 hospitals in 21 states, and damaged reputation and patient trust. It disrupted patient care for many weeks and led to multiple class-action lawsuits.

CMS cybersecurity requirements include healthcare organizations’ responsibilities in protecting patient data through measures like cybersecurity awareness, risk management, data security, and incident response.

Key components of healthcare cybersecurity include:

Data Protection

  • Safeguarding Electronic Protected Health Information (ePHI)
  • Ensuring HIPAA compliance
  • Implementing encryption standards
  • Securing data transmission and storage

Infrastructure Security

  • Protecting medical devices and equipment
  • Securing network infrastructure
  • Safeguarding telehealth platforms
  • Maintaining clinical information systems

Risk Management

  • Continuous risk assessment
  • Vulnerability management
  • Incident response planning
  • Business continuity planning

Access Control

  • Identity and access management
  • Authentication protocols
  • User authorization levels
  • Audit logging and monitoring

Compliance Requirements

  • HIPAA Security Rule adherence
  • Regular security assessments
  • Documentation of security measures
  • Periodic compliance audits

Operational Elements

  • Staff training and awareness
  • Security policy implementation
  • Vendor security management
  • Incident reporting procedures

How the CMS Midwest QIN-QIO Can Help Protect Your Organization from Cybersecurity Threats

CMS emphasizes the need for healthcare providers to maintain robust cybersecurity measures to protect sensitive patient information and ensure uninterrupted healthcare delivery. Midwest QIN-QIO offers resources and technical assistance to increase cybersecurity awareness and preparedness.

As part of provider assessment work, QIN-QIOs include an assessment of healthcare providers to determine their level of preparation against cyber-attacks and for mitigation if an attack occurs. When gaps are identified, the Midwest QIN-QIO will refer the provider to cybersecurity experts and help implement Administration for Strategic Preparedness and Response (ASPR) tools to increase provider resilience to cybersecurity events.

The CMS 13th Statement of Work Quality Innovation Network-Quality Improvement Organization (QIN-QIO) assists healthcare providers with the following cybersecurity compliance requirements:

HIPAA Security Rule compliance

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards

NIST Cybersecurity Framework adherence

  • Identify (ID)
  • Protect (PR)
  • Detect (DE)
  • Respond (RS)
  • Recover (RC)

Per the 13th SOW, 70 percent of nursing homes, acute care hospitals including rural emergency hospitals, and outpatient clinical practices have noted cybersecurity needs that have been connected to appropriate resources.

Cybersecurity is a new priority focus area in the 13th SOW. Midwest QIN-QIO is committed to increasing providers’ level of preparedness against cyber-attacks and improving mitigation.

Don’t wait. Strengthen your cybersecurity today by reaching out to Midwest QIN-QIO for expert support.

Resources

Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology | HHS.gov

13th SOW CMS

Cybersecurity Awareness Month | CISA