Healthcare organizations in the US may soon get a cybersecurity overhaul

In an effort to improve the cybersecurity of healthcare organizations in the US, the Department of Health and Human Services’ (HHS) Office for Civil Rights has proposed a set of new requirements that could bring these organizations up to par with modern cybersecurity practices. The proposal, which was posted to the Federal Register on Friday, includes several key requirements aimed at protecting sensitive information and preventing cyberattacks.

Key Requirements of the Proposal

The proposed requirements include the use of multifactor authentication, data encryption, and routine scans for vulnerabilities and breaches. In addition, the use of anti-malware protection would be mandatory for systems handling sensitive information, along with network segmentation, the implementation of separate controls for data backup and recovery, and yearly audits to check for compliance.

Cost and Implementation

Executing the proposal is expected to cost $9 billion in the first year and $6 billion over the subsequent four years, according to US deputy national security advisor for cyber and emerging technology Anne Neuberger. The 60-day public comment period is expected to open soon, and healthcare organizations will have to comply with the new requirements once they are finalized.

Reasons Behind the Proposal

The proposal comes in light of a marked increase in large-scale breaches over the past few years. In 2023, over 167 million individuals were affected by large breaches, which is a new record, according to the Office for Civil Rights. Reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily due to increases in hacking and ransomware attacks.

The healthcare industry has been hit by multiple major cyberattacks in recent years, including hacks into Ascension and UnitedHealth systems that caused disruptions at hospitals, doctors’ offices, and pharmacies. These breaches have put sensitive patient information at risk, highlighting the need for stronger cybersecurity measures in the healthcare industry.

Impact on Healthcare Organizations

The proposed requirements could have a significant impact on healthcare organizations, which would need to invest in new technologies and processes to comply with the updated HIPAA Security Rule. However, the improved cybersecurity measures could also provide long-term benefits, such as protecting patient data and preventing costly breaches.

Conclusion

The proposed requirements for healthcare organizations aim to bring the industry up to par with modern cybersecurity practices. While the implementation may be costly, the benefits of improved cybersecurity could outweigh the costs in the long run. With the increasing number of cyberattacks, it is essential for healthcare organizations to take measures to protect sensitive patient information and prevent breaches. The proposed requirements could be a step in the right direction towards achieving this goal.
