U.S. healthcare organizations may soon be getting a cybersecurity overhaul

A set of new requirements proposed by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights could bring healthcare organizations up to speed with modern cybersecurity practices. The proposal, published in the Federal Register on Friday, includes requirements for multi-factor authentication, data encryption and routine scans for vulnerabilities and breaches. It would also make the use of anti-malware protection mandatory for systems handling sensitive information, along with network segmentation, implementation of separate data backup and recovery controls, and annual compliance audits.

HHS also shared an information sheet outlining the proposal, which would update the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A 60-day public comment period is expected to begin soon. At a press briefing, US Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger said the plan would cost $9 billion in the first year of implementation and $6 billion over the next four years, Reuters reports. The proposal comes in light of a significant increase in large-scale breaches over the past few years. This year alone, the healthcare industry has been hit by multiple major cyberattacks, including hacks at Ascension and UnitedHealth systems that have disrupted hospitals, doctors’ offices and pharmacies.

“From 2018-2023 reports of major breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1,002 percent, primarily due to an increase in hacking and ransomware attacks,” according to the Office for Civil Rights. “In 2023 over 167 million people have been affected by major breaches — a new record.”

 