A set of new requirements proposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights could bring healthcare organizations up to speed on cybersecurity practices. The proposal, published Friday in the Federal Register, includes requirements for multifactor authentication, data encryption, and routine scanning for vulnerabilities and breaches. Additionally, the use of anti-malware protection for systems that handle sensitive information would become mandatory, along with network segmentation, separate controls for data backup and recovery, and annual audits to verify compliance.
HHS also shared a fact sheet that lays out the proposal, which would update the security rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A 60-day public comment period is expected to open soon. In a press conference, Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, said implementing the plan would cost $9 billion in the first year and $6 billion over the following four years, Reuters reports. The proposal comes amid a significant increase in large-scale breaches in recent years. This year alone, the healthcare industry has been hit by several major cyberattacks, including hacks into Ascension’s and UnitedHealth’s systems that caused disruptions to hospitals, doctors’ offices and pharmacies.
“From 2018 to 2023, reports of large breaches increased by 102 percent and the number of people affected by such breaches increased by 1,002 percent, primarily due to the increase in hacking and ransomware attacks,” the Office for Civil Rights said in a statement. “In 2023, over 167 million people were affected by major breaches – a new record.”