A set of new requirements proposed by the US Department of Health and Human Services’ (HHS) Office for Civil Rights could bring healthcare organizations up to par with modern cybersecurity practices. The proposal, posted to the Federal Register on Friday, includes requirements for multifactor authentication, data encryption and routine scans for vulnerabilities and breaches. It would also make the use of anti-malware protection mandatory for systems handling sensitive information, along with network segmentation, the implementation of separate controls for data backup and recovery, and yearly audits to check for compliance.
HHS also shared a fact sheet outlining the proposal, which would update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. A 60-day public comment period is expected to open soon. In a press briefing, US deputy national security advisor for cyber and emerging technology Anne Neuberger said the plan would cost $9 billion in the first year to execute, and $6 billion over the subsequent four years, Reuters reports. The proposal comes in light of a marked increase in large-scale breaches over the past few years. Just this year, the healthcare industry was hit by multiple major cyberattacks, including hacks into Ascension and UnitedHealth systems that caused disruptions at hospitals, doctors’ offices and pharmacies.
“From 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of increases in hacking and ransomware attacks,” according to the Office for Civil Rights. “In 2023, over 167 million individuals were affected by large breaches — a new record.”