US Healthcare Organizations Could Be on the Verge of a Cybersecurity Revamp

The US Department of Health and Human Services’ (HHS) Office for Civil Rights has introduced a set of proposed requirements aimed at bringing healthcare organizations in line with current cybersecurity standards. The proposal, made available in the Federal Register on Friday, would mandate multifactor authentication, encryption of data, and routine scanning for vulnerabilities and breaches. It would also require healthcare systems to deploy anti-malware defenses on systems handling sensitive data, segment their networks, establish separate controls for data backup and recovery, and undergo annual compliance audits.

HHS has also published a fact sheet detailing the proposal, which aims to update the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A public comment period, expected to last 60 days, will open soon. According to Reuters, US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger said in a press briefing that first-year implementation costs are estimated at $9 billion, followed by $6 billion annually over the next four years. The proposal comes amid a sharp rise in large-scale breaches over the past few years, including recent cyberattacks on healthcare giants Ascension and UnitedHealth that disrupted service at hospitals, doctors’ offices, and pharmacies.

According to the Office for Civil Rights, “From 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches rose by 1002 percent, primarily due to a rise in hacking and ransomware incidents.” In 2023 alone, over 167 million individuals were impacted by significant breaches, setting a new record.
