A set of new requirements proposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights could bring healthcare organizations up to speed with modern cybersecurity practices. THE proposalpublished Friday in the Federal Register, includes requirements for multi-factor authentication, data encryption and routine scans for vulnerabilities and breaches. It would also mandate the use of anti-malware protection for systems handling sensitive information, as well as network segmentation, implementation of separate controls for data backup and recovery, and annual audits to verify compliance.
HHS also shared a information sheet describing the proposal, which would update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. A 60-day public comment period is expected to open soon. At a press briefing, Anne Neuberger, U.S. deputy national security adviser for cybersecurity and emerging technologies, said implementing the plan would cost $9 billion in the first year, and $6 billion dollars over the next four years. Reuters reports. This proposal follows a marked increase in large-scale violations in recent years. The healthcare industry was hit by several major cyberattacks again this year, including hacks of Ascension and UnitedHealth systems that caused disruptions to hospitals, doctors’ offices and pharmacies.
“Between 2018 and 2023, reports of significant breaches increased by 102 percent, and the number of people affected by such breaches increased by 1,002 percent, primarily due to the increase in hacking and ransomware attacks ”, according to the report. Civil Rights Office. “In 2023, more than 167 million people were affected by major violations – a new record. »
