The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed improving cybersecurity measures within healthcare organisations. This initiative is designed to safeguard patients’ sensitive information from the rising threat of cyberattacks. According to Reuters, the proposal follows significant breaches, including one earlier this year that exposed the private data of over 100 million UnitedHealth patients.
Protecting patient data from cyberattacks
The new rules call for several key measures to prevent breaches and mitigate the damage caused by cyberattacks. Under the proposal, healthcare providers and related organisations would be required to:
- Implement multifactor authentication (MFA) to secure access to systems.
- Segment their networks to prevent the spread of intrusions across systems.
- Encrypt patient data to ensure that even stolen information remains inaccessible.
In addition, the rules mandate specific risk analysis practices, maintaining compliance documentation, and adhering to other cybersecurity protocols.
These measures form part of a larger cybersecurity strategy unveiled by the Biden administration last year. The regulations would amend the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) if approved. This rule, which governs entities such as doctors, nursing homes, and insurance companies, was last updated in 2013.
Significant costs but long-term benefits
While the proposed changes aim to enhance security, they come with a hefty price tag. According to Anne Neuberger, the US deputy national security advisor, the first year of implementation is estimated to cost US$9 billion, followed by US$6 billion annually for the next four years. These costs cover system upgrades, staff training, and adopting new technologies.
Healthcare providers must weigh these expenses against the potential benefits of reduced data breaches and increased patient trust. The updated framework is designed to minimise risks in an industry increasingly targeted by cybercriminals.
Public input and timeline for implementation
The OCR plans to publish the proposal in the Federal Register on January 6. This will initiate a 60-day public comment period, allowing stakeholders and members of the public to provide feedback. After the comment period ends, the final rule will be set, potentially leading to a significant shift in how healthcare organisations handle cybersecurity.
As cyberattacks become more sophisticated, the US government’s focus on strengthening protections for patient data highlights the growing need for vigilance and innovation in cybersecurity. The proposed measures, if adopted, could set a new standard for safeguarding sensitive information in the healthcare sector.
