The U.S. Department of Health and Human Services (HHS) has proposed significant changes to the standards governing how regulated entities store and protect health information.
Scheduled for publication in the Federal Register on January 6, the proposed changes amend the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
HHS said the Security Rule is one of several HIPAA regulations that protect the privacy and security of individuals' protected health information (PHI). PHI is individually identifiable health information in any form; the Security Rule applies specifically to the subset maintained or transmitted electronically (ePHI).
The proposed amendments, the first major update to the Security Rule in more than a decade, would require regulated entities to implement specific security controls, including multi-factor authentication (MFA), network segmentation, and encryption of ePHI at rest and in transit, rather than leaving the choice of such safeguards to each organization.
Healthcare organizations would also be required to maintain an inventory of their technology assets and a network map showing how ePHI moves through and is stored within their systems.
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology, discussed the upcoming changes at a White House press briefing on December 27 and outlined the expected cost of implementing the measures.
She said the Security Rule changes are expected to cost about $9 billion in the first year of implementation, and an additional $6 billion over the following two to five years.
Rising U.S. medical breaches call for action
Neuberger noted that two of the most serious cyberattacks ever to hit U.S. healthcare organizations occurred within the past year, and argued that the implementation costs are small compared to the cost of a breach.
For example, the February 2024 attack on Change Healthcare by the ALPHV/BlackCat ransomware group was one of the largest data breaches ever recorded in the United States, compromising the PHI of more than 100 million individuals.
The group stole health insurance information, medical data, and other personally identifiable information (PII) such as Social Security numbers, driver's license numbers, and passport numbers.
UnitedHealth Group, Change Healthcare's parent company, confirmed that it paid the group a $22 million ransom in an attempt to recover the stolen data.
“In 2023, the average cost of a breach in healthcare was $10.1 million. The two largest healthcare breaches we have ever experienced, Ascension Health and Change Healthcare, both occurred in the last year. Change Healthcare noted that the cost of the breach was $800 million in recovery costs and costs, frankly, to the health care data of Americans and the operations of the hospitals affected by that data.”
HHS noted that since the Security Rule was published in 2003 and revised in 2013, there have been many "major changes in the environment in which health care is delivered and the way the health care industry operates," and that cybersecurity is now a concern for every aspect of modern medical care.
The result, HHS said, has been an alarming increase in serious breaches affecting the health information of U.S. citizens, and the "epidemic of cyber-attacks using hacking and ransomware" has made an update to the current security standards necessary.
“The Department is concerned about the increasing number of breaches and other cybersecurity incidents experienced by regulated entities. We are also concerned that the number of individuals affected by such incidents is trending upward. We are also increasingly concerned about the extent of the crisis and the potential harm caused by such incidents.”
The proposed rule is scheduled for publication in the Federal Register on January 6, 2025, which opens a 60-day public comment period; compliance deadlines for regulated entities will be set when HHS issues a final rule.