Erik Dullea

As head of Husch Blackwell’s Cybersecurity practice group, Erik assists clients in all aspects of cybersecurity and information security compliance and data breach response. Erik previously served as the acting deputy associate general counsel for the National Security Agency’s cybersecurity practice group before returning to the firm in 2023.

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

You may recall that on December 10, 2020, we wrote about the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announcement of a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In the proposed rule, HHS has solicited public comments, which were originally due within 60 days of the proposed rule's publication in the Federal Register.

The combination of a significant increase in COVID-19 cases, political tensions in the final days of a national election season, and law enforcement’s focus on election security created an opportunity for cybercriminals to target the computer networks of America’s healthcare and public health (HPH) sector. That opportunity has come to fruition this week.

On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published Alert AA20-302A (Alert) describing ransomware activity that has targeted the HPH sector. In the Alert, CISA, FBI and HHS assess that cybercriminals are targeting the HPH sector with TrickBot and BazarLoader malware, which are frequently followed by ransomware attacks, data theft, and disruption of healthcare services.