A set of new requirements proposed by the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) could bring health care organizations up to par with modern cybersecurity practices. The proposal, posted in the Federal Register on Friday, includes requirements for multifactor authentication, data encryption, and regular scans for vulnerabilities and breaches. It would also mandate annual audits to verify the implementation of, and compliance with, separate controls for network segmentation, data backup and recovery, and anti-malware protection on systems that handle sensitive information.
HHS also shared a fact sheet outlining the proposal, which would update the security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A 60-day public comment period is expected to open soon. At a press briefing, Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies, said the plan would cost $9 billion in the first year and $6 billion over the following four years to implement, Reuters reported. The proposal comes in light of a significant increase in large-scale breaches over the past few years. This year, the healthcare industry was hit by several major cyberattacks, including hacks into Ascension and UnitedHealth systems, causing disruptions at hospitals, doctors’ offices and pharmacies.
“From 2018-2023, reports of major breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily due to an increase in hacking and ransomware attacks,” according to the Office for Civil Rights. “In 2023, more than 167 million individuals were impacted by major breaches – a new record.”