Healthcare providers could soon be subject to new cybersecurity rules. The U.S. Department of Health and Human Services (HHS) is proposing updates to the HIPAA Security Rule that would require covered healthcare organizations to strengthen their cybersecurity posture.
The proposed changes come as breaches continue to wreak havoc in the healthcare industry. From 2009 to 2023, 5,887 data breaches involving 500 or more records were reported to the Office for Civil Rights (OCR), according to HIPAA Journal. A further 667 healthcare data breaches were reported in 2024.
OCR Director Melanie Fontes Rainer pointed to the ransomware attack on Change Healthcare as an example of how these breaches are expanding and affecting more people.
“This proposed rule, which upgrades the HIPAA Security Rule, addresses current and future cybersecurity threats. It reflects advances in technology and cybersecurity and requires physicians, health plans, and others who provide health care to update their existing cybersecurity safeguards to ensure that they meet their obligations to protect the security of individuals’ protected health information across the country,” Fontes Rainer said in an HHS press release.
Proposed rules
According to HHS, the HIPAA Security Rule was published in 2003 and has not been updated since 2013. Covered entities and business associates that handle electronic protected health information (ePHI), including health care providers, health plans, and health care clearinghouses, would have to comply with the updated rule.
An unpublished version of the rule provides an overview of the proposed amendments to the Security Rule. The proposed changes are designed to align with cybersecurity best practices such as multi-factor authentication, encryption of ePHI, network segmentation, and vulnerability scanning. Under the proposed rule, covered entities would be required to regularly review, test, and update their cybersecurity policies and procedures, HHS said.
“This rule represents clear obligations for healthcare providers, increased accountability, and an increased emphasis on robust security protocols,” Sean Hodges, CEO of Revelation Pharma, a national network of compounding pharmacies, told InformationWeek in an email. “Compliance requires an ongoing commitment to quality control, frequent system audits, and advanced data protection measures.”
From proposal to practice
The proposed rule is to be published in the Federal Register, after which interested parties can share feedback during a 60-day public comment period. New regulations always come with the potential for backlash.
“One of the things that people object to is that implementing a lot of these changes actually requires resources, costs and people,” Brian Arnold, director of legal affairs at managed cybersecurity platform Huntress, told InformationWeek.
Resource constraints are a common concern in the healthcare industry, especially for rural healthcare organizations and small healthcare providers.
Anne Neuberger, the U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, estimated that the proposed rule would cost $9 billion in the first year and $6 billion in years two through five, Reuters reported.
“When HIPAA was first introduced more than 20 years ago, we faced similar concerns,” Hodges says. “Ultimately, these regulations exist to serve one purpose: to protect patients and their information. All healthcare stakeholders need to understand that this is not just a regulatory obligation, but a moral imperative. We need to realize that it is an obligation.”
The public comment period spans the incoming Trump administration, raising questions about the future of the proposed rule.
Arnold points out that issues like cybersecurity, data privacy and national security are typically considered more bipartisan than other issues. Meanwhile, the Trump administration has signaled its intention to cut regulations. What this means for HHS and this rule remains to be seen.
“I think this is an opportunity where adjustments may be made, even if this rule is not very publicized, and it may be adopted [in a form] that might not typically have been available had it been proposed and adopted under the same administration,” Arnold said. “I don’t think this will be the final version of the rules.”
Critical infrastructure under siege
Critical infrastructure remains a target for a range of threat actors, including both state-sponsored groups and financially motivated criminals. Healthcare is just one sector that may face new cybersecurity rules.
“Given increased awareness of the overall cybersecurity vulnerabilities of critical infrastructure, combined with an increase in attacks on [critical infrastructure], I believe we will see more rule updates like this in the coming year, driven by both cybercriminals and nation-state threat actors like Volt Typhoon,” Trey Ford, CISO for the Americas at Bugcrowd, the crowdsourced cybersecurity company, said in an email interview.
Although the final version of the proposed changes to HIPAA and the timeline for adoption are uncertain, the threats that the new regulations seek to address remain a reality for the healthcare industry.
“Overall, cybersecurity should be treated as a cornerstone of patient care. Protecting health information is not just an IT job; it is the responsibility of all healthcare professionals,” Hodges says.