A set of new requirements proposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights could bring healthcare organizations up to par with modern cybersecurity practices. The proposal, published Friday in the Federal Register, includes requirements for multi-factor authentication, data encryption, and regular scanning for vulnerabilities and breaches. Anti-malware protection would also be mandatory for systems handling sensitive information, along with network segmentation, separate controls for data backup and recovery, and annual audits to check compliance.
HHS also shared a fact sheet outlining its proposal to update the security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A 60-day public comment period is expected to begin soon. According to Reuters, Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies, said at a press conference that the plan would cost $9 billion in the first year and $6 billion over the next four years. She said it would take a while. The proposal was made in view of the significant increase in large-scale breaches over the past few years. This year alone, the healthcare industry suffered multiple major cyberattacks, including hacks into Ascension and UnitedHealth systems, causing disruption to hospitals, clinics, and pharmacies.
According to the Office for Civil Rights, “From 2018 to 2023, reports of large-scale breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent. This was primarily due to hacking and ransomware attacks. This is due to an increase in malware attacks. In 2023, more than 167 million individuals were affected by a major breach, which is a new record.”
