Tech & Innovation - December 28, 2024

New HHS Proposal Aims to Upgrade Cybersecurity in Healthcare

The HHS has proposed a new set of requirements aimed at bringing healthcare organizations in line with modern cybersecurity practices. The proposal, which was posted to the Federal Register, includes mandates for multifactor authentication, data encryption, and routine scans for vulnerabilities and breaches. It also requires the use of anti-malware protection for systems handling sensitive data, network segmentation, separate controls for data backup and recovery, and annual audits for compliance. The proposal comes as large-scale breaches and cyberattacks on healthcare systems have significantly increased.

Updating HIPAA Security Rule

The proposal is an update to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. A 60-day public comment period is expected to open soon. The HHS has also shared a fact sheet outlining the proposal. The plan is estimated to cost $9 billion in the first year and $6 billion over the subsequent four years.

Rise in Cyberattacks on Healthcare

The proposal comes in light of a marked increase in large-scale breaches over the past few years. Just this year, the healthcare industry was hit by multiple major cyberattacks, including hacks into Ascension and UnitedHealth systems that caused disruptions at hospitals, doctors' offices and pharmacies. From 2018 to 2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily due to increases in hacking and ransomware attacks.

In 2023, over 167 million individuals were affected by large breaches, a new record. This highlights the urgent need for improved cybersecurity measures in the healthcare sector.