June 4, 2024
The Office of the National Coordinator for Health Information Technology (ONC) was created in 2004 by an executive order from President George W. Bush to develop a nationwide interoperable health IT infrastructure. In 2005, ONC awarded multimillion-dollar contracts to foster public-private collaboration and accelerate health IT adoption. The Federal Health IT Strategic Plan 2008-2012 aimed to transform the healthcare system by guiding the efforts of federal agencies and stakeholders. The 2009 HITECH Act bolstered health IT adoption, reduced costs, and empowered patients, while also legally establishing ONC. From 2010 onward, ONC launched various programs, certifications, and frameworks to support health IT implementation and interoperability, including the S&I Framework and the voluntary ONC Health IT Certification Program.
By 2011, a new strategic plan guided health IT adoption, and the 2014 Edition Final Rule introduced enhanced certification criteria. In 2014, ONC outlined a 10-year vision for interoperable health IT infrastructure, and by 2015, it released roadmaps to guide nationwide and federal IT initiatives, emphasizing standards and reducing information blocking. The 2016 21st Century Cures Act focused on interoperability and patient access to health information,
June 4, 2024
This research uncovers a significant data breach involving cloud storage provider Snowflake. A threat actor behind this breach revealed that they used stolen credentials to access a Snowflake employee's ServiceNow account, bypassing security measures and generating session tokens to exfiltrate a large amount of data. The breach, which impacted approximately 400 companies including customers of Ticketmaster and Santander Bank, has led to data being sold on cybercrime forums. Documents provided by the threat actor confirmed the extent of their access. The actor attempted to blackmail Snowflake for $20 million, but the company was unresponsive. Snowflake is investigating the breach, which was part of a broader pattern of identity-based cyberattacks. Hudson Rock continues to monitor and report on the developments of this case.
June 4, 2024
The Department of Health and Human Services (HHS) announced that hospitals and health systems impacted by the February 22 Change Healthcare cyberattack can require UnitedHealth Group to notify patients if their data was compromised. HHS’ Office for Civil Rights Director Melanie Fontes Rainer emphasized the importance of prioritizing HIPAA breach notifications. The American Hospital Association (AHA) expressed satisfaction with the decision, noting it aligns with their earlier request and helps avoid confusion and additional costs for hospitals. According to updated FAQs, if Change Healthcare handles the breach notifications as per HIPAA and HITECH standards, the affected entities will have no further notification obligations. UHG CEO Andrew Witty had previously agreed to this approach during May hearings with Senate and House committees.
June 4, 2024
Healthcare delivery organizations (HDOs) are increasingly vulnerable to cybersecurity threats, with a 40% rise in reported breaches noted early this year, causing significant financial loss and impacting care delivery. High-profile ransomware attacks have crippled organizations like the University of Vermont Medical Center and Scripps, incurring million-dollar losses. Studies indicate that such cyber incidents jeopardize patient safety by delaying procedures and increasing mortality rates. To combat this, HDOs must strengthen their cybersecurity foundation through three main strategies: formalizing cybersecurity governance within a standing committee, establishing an integrated cyber and enterprise risk program, and measuring the effectiveness of their cybersecurity initiatives. These steps emphasize board-level accountability and require comprehensive oversight to ensure cybersecurity risks are effectively managed across all aspects of their operations.
Council Post: Healthcare Boards Must Be Accountable For Cybersecurity Forbes