Dive Brief:
Regulators announced late last month that HHS wants to update the HIPAA Security Rule for the first time in more than a decade to strengthen healthcare cybersecurity. The Office for Civil Rights, which enforces HIPAA, has proposed changes to the regulations aimed at providing clarity and more specific guidance on protecting electronic health data. The update would also require organizations and their business associates to keep written security policies and to regularly review, test, and update them. The proposal comes as the healthcare sector weathers a growing wave of cyberattacks and data breaches. From 2018 to 2023, OCR tracked a more than 100% increase in large-scale breaches, while the number of people affected by healthcare data breaches jumped more than 1000%.
Dive Insight:
Cybersecurity has become a critical component of healthcare delivery, and nearly every part of the system, from scheduling appointments to ordering prescriptions, relies on connected technology, regulators wrote in the proposed rule.
However, as the industry rapidly introduces new devices and tools, organizations become more exposed to cyberattacks, making the sector an attractive target for cybercriminals.
Since 2019, there has been an explosion in large-scale data breaches due to hacking and ransomware (a type of malware that denies users access to their data until a ransom is paid), according to OCR.
“Cyberattacks continue to impact the healthcare sector, with the number of large-scale breaches reported to OCR increasing significantly each year due to the prevalence of ransomware and hacking,” OCR Director Melanie Fontes Rainer said in a statement. “The number of people affected grows exponentially every year, and that number is expected to increase even further this year due to the Change Healthcare breach, the largest healthcare system breach in U.S. history.”
Many healthcare organizations are not investing adequately in cybersecurity, and some HIPAA-covered organizations are not consistently complying with the security rule's requirements, regulators wrote in the rule.
The proposed changes aim to clarify HIPAA requirements and add specifics intended to stem the tide of cyberattacks and breaches.
The proposal would require healthcare organizations to create technology asset inventories and network maps detailing the movement of protected health data within their systems. Organizations should revise their inventories and maps at least once a year or when the company's environment or operations change.
Additionally, this update mandates a more specific risk analysis, including technology inventory and network maps, and a written review of potential threats and vulnerabilities.
The proposal would require covered entities and their business associates to implement multi-factor authentication, a common cybersecurity safeguard that requires users to provide multiple forms of identification in order to gain access, with some exceptions. This requirement was introduced months after the massive Change Healthcare cyberattack, in which hackers were able to access company systems using compromised credentials on a server where MFA was not enabled.
Organizations should scan their systems for vulnerabilities at least every six months and conduct annual penetration tests, which are simulated cyberattacks used to assess security.
The proposal comes as regulators have expressed interest in strengthening cybersecurity in the healthcare sector. In late 2023, HHS released a cybersecurity strategy that includes plans for HIPAA updates and requirements for hospitals through Medicare and Medicaid.
The agency also announced voluntary cybersecurity goals for the industry early last year.
In response to the rise in attacks, some lawmakers are also considering toughening cyber standards. This fall, Sen. Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., introduced legislation directing HHS to develop minimum requirements in this area and to provide funding to help hospitals strengthen their practices.