A set of new requirements proposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights could bring healthcare organizations on par with modern cybersecurity practices. The proposal, published in the Federal Register last Friday, includes requirements for multi-factor authentication, data encryption, and regular scanning for vulnerabilities and breaches. It will also require anti-malware protection for systems handling sensitive information, along with network segmentation, implementation of separate controls for data backup and recovery, and annual audits to ensure compliance.
HHS also shared a fact sheet outlining proposals to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rules. A 60-day public comment period will open soon. At a press briefing, Anne Neuberger, US deputy national security adviser for cyber and emerging technologies, said the plan would cost $9 billion in the first year and $6 billion over the next four years, according to a Reuters report. The proposal comes in light of the notable increase in large-scale breaches over the past few years. This year alone, the healthcare industry has suffered several major cyberattacks, including hacks into Ascension and UnitedHealth systems that have wreaked havoc on hospitals, doctors’ offices and pharmacies.
According to the Office for Civil Rights, “From 2018 to 2023, reports of large-scale breaches increased 102% and the number of individuals affected by these breaches increased 1002%, largely due to an increase in hacking and ransomware attacks.” “In 2023, more than 167 million individuals were affected by a large-scale breach. This is a new record.”