As of October 2025, the American Hospital Affiliation had logged 364 healthcare hacking incidents this yr. Unbelievably, 100% of the breached knowledge was unencrypted.
It was both uncovered as a result of stolen credentials unlocked entry to encrypted knowledge or saved in plain textual content outdoors of protected methods.
That’s greater than a healthcare cybersecurity statistic; it’s an indictment.
Hopefully, it’s additionally a wake-up name about how encryption is being applied, managed and audited throughout healthcare. If each compromised report could possibly be learn, leaders must ask: Is encryption actually functioning as our final line of protection or merely as a compliance checkbox?
The importance of the “100% unencrypted” discovering
The AHA report’s perception hits on the core of healthcare safety: encryption. Correctly utilized, encryption protects affected person knowledge in two important states:
- At relaxation, when saved on servers, backups or gadgets
- In transit, because it strikes between methods, endpoints and distributors
When encryption is lacking or when stolen credentials bypass it fully, knowledge turns into immediately exploitable.
Attackers don’t have to “break” encryption if they will merely log in utilizing a legit consumer’s keys. Even worse, a lot of the unencrypted knowledge in 2025 breaches existed outdoors the digital well being report (EHR): on analytics servers, imaging platforms, e mail methods and vendor integrations the place encryption enforcement was inconsistent or absent.
This sample reveals the deeper downside: Healthcare isn’t affected by an absence of encryption expertise, it’s affected by gaps in technique, governance and accountability round how encryption is utilized and verified throughout sprawling knowledge ecosystems.
Embedding encryption accountability into the healthcare establishment
For hospitals and supplier organizations, encryption must be a management subject. CIOs, CFOs and compliance executives all share accountability for the place delicate knowledge resides, the way it’s secured and who can entry it.
Inside the establishment:
- Audit knowledge areas. Determine each level the place PHI is saved or transmitted, together with backups and third-party integrations.
- Guarantee encryption at relaxation covers not solely EHR methods but additionally file servers, cellular gadgets and archived media.
- Validate encryption in transit throughout all channels, together with e mail, file switch, distant entry and API exchanges.
- Set up key-management self-discipline. Rotate keys commonly, limit administrative entry and log each key utilization occasion.
Externally, the identical accountability applies to distributors and expertise companions.
- Demand written proof of encryption requirements, together with algorithms used, key storage strategies and knowledge isolation practices.
- Be sure that contracts outline breach notification procedures and explicitly state what occurs if encryption keys are compromised.
Closing encryption gaps by means of safe infrastructure
For health-tech and SaaS suppliers, the AHA’s findings spotlight a unique however associated failure: fragmented encryption throughout distributed methods. The problem isn’t simply encrypting knowledge, it’s sustaining encryption integrity as knowledge flows by means of APIs, analytics pipelines and internet hosting environments.
Excessive-performing organizations apply a layered method:
- Encrypt PHI in each state—at relaxation, in transit and inside logs, cache or AI/analytics datasets.
- Implement managed key administration methods (KMS) that retailer keys outdoors software environments.
- Automate credential rotation and revocation to neutralize the impression of stolen credentials.
- Constantly monitor encryption standing throughout databases, backups and community site visitors.
Infrastructure performs a important supporting position. Knowledge ought to dwell in compliant, remoted environments with built-in encryption auditing and verifiable logging. Internet hosting platforms ought to provide HIPAA-audited encryption configurations, not simply generic “safe” environments.
The objective is to make encryption enforced by design, not reliant on guide coverage compliance.
Don’t be the following healthcare knowledge breach information headline
Encryption is just efficient when it’s common, enforced and regularly verified. The truth that each hacked report in 9 months was unencrypted will not be a failure of expertise—it’s a failure of implementation and oversight.
The trail ahead requires greater than technical remediation. It requires government accountability, vendor transparency and infrastructure alignment the place encryption is woven into each layer of knowledge administration.
At Liquid Internet, we assist healthcare organizations and expertise suppliers construct HIPAA-compliant internet hosting environments the place encryption is a verifiable, auditable a part of the infrastructure that underpins affected person belief, compliance and long-term resilience.
