The US Department of Health and Human Services (HHS) has proposed sweeping changes to the existing standards governing the storage and protection of health information in the United States.
Scheduled for publication in the Federal Register on January 6, the changes proposed by HHS would amend the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).
HHS stated that the Security Rule is one of several HIPAA rules that protect the privacy and security of an individual’s protected health information (PHI), meaning individually identifiable health information, whether stored electronically (ePHI) or otherwise.
The proposed changes, which would be the first major update to the HIPAA Security Rule in more than 10 years, include new requirements for healthcare organizations to implement security measures such as multi-factor authentication (MFA), network segmentation and strong encryption of medical data.
Healthcare organizations will also need to inventory their technology assets and document in detail how ePHI moves through and is stored on their networks.
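The controls named above (MFA, segmentation, encryption, an asset inventory and an ePHI data-flow map) can be checked mechanically once an organization has an inventory to check against. The following is an added illustration, not code from HHS, the proposed rule, or any vendor: it runs a gap analysis over a constructed asset inventory and derives the ePHI flow map from the same records. The field names, zone labels, the `ALLOWED_EPHI_ZONES` policy and the sample systems are all assumptions made for the example.

```python
"""Gap analysis of a constructed asset inventory against the controls named in
the proposed HIPAA Security Rule update. Illustrative only: the record layout,
zone names and policy below are assumptions, not an HHS or vendor format."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    zone: str                  # network segment the asset sits in (constructed labels)
    stores_ephi: bool          # does this system hold ePHI at rest?
    mfa_enforced: bool         # is MFA required for access to it?
    encrypted_at_rest: bool    # is stored data encrypted?
    sends_ephi_to: list = field(default_factory=list)  # (target_name, tls_in_transit)


# Constructed sample inventory: a small clinical network with one weak spot.
INVENTORY = [
    Asset("ehr-db-01", "clinical-restricted", True, True, True, []),
    Asset("ehr-app-01", "clinical-restricted", True, True, True,
          [("ehr-db-01", True), ("billing-01", False)]),
    Asset("billing-01", "corporate-flat", True, False, False,
          [("clearinghouse-gw", True), ("legacy-fax-gw", True)]),
    Asset("clearinghouse-gw", "dmz", True, True, True, []),
    Asset("kiosk-lobby", "guest", False, False, False, []),
]

# Constructed policy: zones in which ePHI-bearing systems may live.
ALLOWED_EPHI_ZONES = {"clinical-restricted", "dmz"}


def find_gaps(inventory):
    """Return (asset, control, detail) tuples for every control the asset fails.
    Only ePHI-bearing systems are assessed; the controls mirror those the
    proposed rule names: MFA, encryption, segmentation and a complete inventory."""
    by_name = {a.name: a for a in inventory}
    gaps = []
    for a in inventory:
        if not a.stores_ephi:
            continue
        if not a.mfa_enforced:
            gaps.append((a.name, "MFA", "ePHI system without MFA"))
        if not a.encrypted_at_rest:
            gaps.append((a.name, "ENCRYPTION", "ePHI stored unencrypted at rest"))
        if a.zone not in ALLOWED_EPHI_ZONES:
            gaps.append((a.name, "SEGMENTATION",
                         f"ePHI system in non-restricted zone '{a.zone}'"))
        for target, tls in a.sends_ephi_to:
            if target not in by_name:
                # A flow to a system that is not in the inventory means the
                # inventory itself is incomplete.
                gaps.append((a.name, "INVENTORY",
                             f"sends ePHI to uninventoried system '{target}'"))
            elif not tls:
                gaps.append((a.name, "ENCRYPTION",
                             f"ePHI sent to {target} without TLS"))
    return gaps


def gap_counts(inventory):
    """Number of findings per control, for a one-line summary."""
    return dict(Counter(control for _, control, _ in find_gaps(inventory)))


def ephi_flow_map(inventory):
    """Derive the ePHI data-flow map from the inventory: one edge per declared
    flow, flagged when it crosses a zone boundary. Unknown targets get the
    zone 'unknown' so they stand out on the map."""
    zones = {a.name: a.zone for a in inventory}
    edges = []
    for a in inventory:
        for target, tls in a.sends_ephi_to:
            target_zone = zones.get(target, "unknown")
            edges.append({
                "source": a.name, "target": target,
                "source_zone": a.zone, "target_zone": target_zone,
                "tls": tls, "cross_zone": a.zone != target_zone,
            })
    return edges


if __name__ == "__main__":
    for asset, control, detail in find_gaps(INVENTORY):
        print(f"{asset:18} {control:13} {detail}")
    print("summary:", gap_counts(INVENTORY))
    for e in ephi_flow_map(INVENTORY):
        marker = "CROSS-ZONE" if e["cross_zone"] else "same zone"
        print(f"{e['source']} -> {e['target']} [{marker}, tls={e['tls']}]")
```

In the constructed data, `billing-01` is the system a reviewer would flag: it holds ePHI in a flat corporate zone without MFA or encryption at rest, it receives ePHI from the EHR application over a clear-text link, and it forwards ePHI to a gateway nobody has inventoried. Each of those maps to one of the controls the proposed rule names, which is the point of building the check from the inventory rather than from a questionnaire.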
Anne Neuberger, Deputy National Security Advisor for Cybersecurity and Emerging Technologies, discussed the upcoming changes at a White House press briefing on December 27 and outlined the projected costs of implementing the measures.
The Security Rule changes are projected to cost about $9 billion in the first year of implementation and a further $6 billion in years two to five, she said.
Rising healthcare breaches in the US prompt action
Neuberger explained that the implementation costs pale in comparison to the costs associated with breaches, noting that the two most serious cyberattacks ever to hit healthcare organizations in the United States both occurred within the past year.
The attack on Change Healthcare in February 2024, for example, was one of the largest data breaches ever reported in the US, with the PHI of more than 100 million people compromised by the ALPHV/BlackCat group.
The threat group stole health insurance information and medical data, as well as other personal data, including Social Security numbers and driver’s license and passport numbers.
UnitedHealth Group, the parent company of Change Healthcare, admitted that it paid the group a $22 million ransom to recover the stolen data.
“In 2023, the average cost of a breach in healthcare was $10.1 million. The two largest healthcare breaches we have ever seen were Ascension Health and Change Healthcare; both happened in the last year, and you may have noticed that Change Healthcare noted that the cost of the breach would be close to $800 million in recovery costs and operational costs, and frankly, in cost to Americans whose healthcare data and hospital operations were affected.”
HHS noted that since the Security Rule’s publication in 2003 and revision in 2013, there have been a number of “significant changes in the environment in which health care is provided and in the way the health care industry operates,” adding that cybersecurity is now an issue for “every person” at “the forefront of modern healthcare.”
As a result, it said, the alarming rise in serious breaches affecting the health information of U.S. citizens and the “unrestrained escalation of cyberattacks using hacking and ransomware” have necessitated an update to the current security standards governing this data.
“The Department is concerned about the increasing number of breaches and other cybersecurity incidents facing regulated entities. We are also increasingly concerned about the increasing trend in the number of people affected by such incidents and the scale of potential harm from such incidents.”
Regulated entities will be required to comply with the amended HIPAA Security Rule within 60 days of its publication, which is expected on January 6, 2024.