29 Years of HIPAA: What’s Next for Healthcare Data Privacy?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was signed into law on August 21, 1996. Today marks the 29th anniversary of the act that established federal standards for securing private health information.
As the cyber threat landscape grows more complex, the healthcare industry remains an attractive target for malicious actors.
Below, experts share their perspectives on the modern privacy threats the sector faces as well as how these organizations can evolve to meet these challenges.
The Healthcare Landscape
Theresa Lanowitz, Chief Evangelist at LevelBlue:
The healthcare landscape has undergone massive digital transformation since 1996 when the Health Insurance Portability and Accountability Act (HIPAA) was first enacted. We now face a surge in sophisticated cyberattacks powered by artificial intelligence (AI). According to recent data, nearly half of healthcare organizations experienced a higher volume of attacks than just a year ago, but only 29% feel prepared for AI-driven threats like deepfakes and synthetic identity fraud. While AI tools promise greater efficiency and automation in healthcare, their rapid evolution is outpacing governance and cybersecurity controls, leaving protected health information (PHI) dangerously exposed.
Healthcare organizations must move beyond basic compliance and make cyber resilience a core business function. That means elevating cybersecurity to the C-suite agenda, aligning security teams with business goals, and embedding resilience into every stage of digital transformation. Now is the time for healthcare organizations to be proactive, intentional, and bold about cyber resilience — both to honor HIPAA’s mission and to ensure the protection of PHI in the age of AI.
Dr. Sean Kelly, Chief Medical Officer and SVP of Customer Strategy at Imprivata:
As we approach the 29th anniversary of HIPAA, its core mission, protecting patient privacy and securing health data, has never been more relevant. Yet the landscape it governs has changed dramatically. Healthcare is now one of the most targeted industries for cyberattacks, and as hospitals increasingly turn to shared-use devices to enhance efficiency, they’re introducing more endpoints than ever. Without stronger access controls, real-time tracking, and formal governance, shared mobile devices could expose organizations to both cybersecurity threats and regulatory penalties under HIPAA.
In today’s fast-paced, collaborative healthcare environment, shared mobile devices can easily become blind spots for security teams that lack proper identity verification, automated session timeouts, or audit trails. Recent data shows 74% of shared-use devices are frequently left signed in after use, and 79% of staff admit to sharing credentials when accessing them — leaving personal health information (PHI) vulnerable to anyone within reach. The challenge isn’t just locking systems down, it’s doing so in a way that preserves the speed and accessibility clinicians need. Healthcare organizations must modernize their security strategies to ensure that the efficiency gains from shared technology never come at the cost of patient privacy or HIPAA compliance.