Healthcare organizations in the US may soon receive a cybersecurity overhaul


A series of new requirements proposed by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights could bring healthcare organizations into line with modern cybersecurity practices. The proposal, published in the Federal Register on Friday, includes requirements for multi-factor authentication, data encryption and regular scanning for vulnerabilities and breaches. It would also make anti-malware protection mandatory for systems handling sensitive information, along with network segmentation, the implementation of separate controls for data backup and recovery, and annual audits to verify compliance.

HHS also shared a newsletter outlining a proposal that would update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rules. A 60-day public comment period is expected to open soon. At a briefing, US Deputy National Security Adviser for Cybersecurity and Emerging Technologies Anne Neuberger said the plan would cost $9 billion in the first year and $6 billion over the next four years, Reuters reports. This proposal follows a marked increase in large-scale violations over the past few years. This year alone, the healthcare industry has been hit by multiple major cyberattacks, including hacks of Ascension and UnitedHealth that disrupted hospitals, doctor's offices and pharmacies.

“Between 2018 and 2023, the number of major breaches reported increased by 102 percent and the number of individuals affected by such breaches increased by 1,002 percent, primarily due to an increase in hacking and ransomware attacks,” the message from the Office for Civil Rights says. “More than 167 million people were affected by major breaches in 2023, a new record.”


