The U.S. Department of Health and Human Services (HHS) has proposed the first update to the HIPAA Security Rule since 2013, aiming to strengthen healthcare cybersecurity. The proposal, which spans 125 pages in the Federal Register, outlines a series of new security requirements that would apply to healthcare providers, health plans, and other entities handling sensitive patient data. These measures come after a surge in healthcare data breaches and ransomware attacks, which have prompted a strong call for enhanced protection. While the updates could cost over $30 billion in the first five years, they are seen as necessary to address the increasing sophistication of cyberattacks in the healthcare sector.
The proposed rule includes several key provisions to improve cybersecurity, including the mandatory use of multi-factor authentication (MFA), encryption of electronic protected health information (ePHI), and network segmentation. These measures are aimed at ensuring that healthcare systems are better prepared to prevent and respond to cyberattacks. The proposal also calls for regular risk assessments, vulnerability scans, and penetration testing to identify weaknesses in systems and prevent breaches. Additionally, healthcare organizations would be required to implement controls to protect ePHI both at rest and in transit, ensuring that sensitive data is better protected during storage and transmission.
The updated HIPAA Security Rule also includes new requirements for asset inventory and network mapping, which will help organizations track the movement of ePHI across systems. Healthcare providers would need to create and maintain incident response plans to address cyberattacks promptly, including restoring systems within 72 hours. The proposal emphasizes the importance of audits, security measures, and testing to ensure ongoing compliance. This approach is expected to improve the resilience of healthcare systems and reduce the risk of cyberattacks compromising patient safety and trust.
The public comment period for the proposed rule is open for 60 days, after which HHS will review feedback before finalizing the rule. The updates are based on widely accepted cybersecurity practices and are seen as vital to safeguarding patient data against the growing threats in the healthcare sector. Because healthcare breaches cost more than those in other sectors, the proposed rule is expected to save organizations money in the long run by preventing costly data breaches and enhancing patient privacy. The updates are part of a broader push to improve cybersecurity in the healthcare industry, with bipartisan support for stronger security measures.