The U.S. Department of Health and Human Services (HHS) has proposed updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to secure patients’ health data following a surge in massive healthcare data leaks.
These stricter cybersecurity rules, proposed by the HHS’ Office for Civil Rights (OCR) and expected to be published as a final rule within 60 days, would require healthcare organizations to encrypt protected health information (PHI), implement multifactor authentication, and segment their networks to make it harder for attackers to move laterally through them.
“In recent years, there has been an alarming growth in the number of breaches affecting 500 or more individuals reported to the Department, the overall number of individuals affected by such breaches, and the rampant escalation of cyberattacks using hacking and ransomware,” the HHS’ proposal says.
“The Department is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities. We are also increasingly concerned by the upward trend in the numbers of individuals affected by such incidents and the magnitude of the potential harms from such incidents.”
Reuters reports that Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies, also told reporters that the HIPAA cybersecurity rule updates were prompted by the ransomware attacks and massive breaches that have affected hospitals and Americans in recent years.
Neuberger added that implementing these rules would cost roughly $9 billion in the first year and over $6 billion during the following four years.
“The security rule [under HIPAA] was first published in 2003 and it was last revised in 2013, so this is the first update to this 20-year rule in over a decade, and it will require entities who maintain healthcare data to do things like encrypt that data so if attacked, it cannot be leaked on the web and endanger individuals,” Neuberger said.
“The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences.”
Most recently, one of the largest private U.S. healthcare systems, Ascension, notified nearly 5.6 million people that their personal and health data was stolen in a May Black Basta ransomware attack.
After the cyberattack, Ascension employees were forced to keep track of medications and procedures on paper because patients’ electronic records were no longer accessible. The healthcare giant also had to take some devices offline and divert emergency medical services to other healthcare units to prevent triage delays.
