- US healthcare companies may soon introduce new cybersecurity requirements
- New rules aim to protect systems holding sensitive information
- Expected to cost $9 billion in first year
The U.S. Department of Health and Human Services (HHS) has imposed a new set of requirements on the country’s health care companies to ensure that patients’ personally identifiable information and company data are adequately protected. The proposal includes routine vulnerability and breach scanning, data encryption and multi-factor authentication.
The new requirements also mandate the use of anti-malware protection for systems handling sensitive information, as well as network segmentation, separate controls for data backup and recovery, and annual audits to check for compliance.
Medical institutions have been increasingly targeted by threat actors. The large amounts of sensitive data they hold and the critical services they provide mean these organizations are often forced to pay large ransoms for their systems and information in order to continue operating.
Cost of updating standards
Implementing the requirements will cost $9 billion in the first year and $6 billion over the next two years, according to Anne Neuberger, deputy national security adviser for cyber and emerging technologies.
Despite the high cost, Neuberger noted that these requirements add necessary protection given that the number of large-scale security breaches and ransomware affecting healthcare organizations has surged 102% since 2019.
Healthcare data is repeatedly sold on the dark web, and an attack on UnitedHealth Group led to more than 100 million U.S. customers being affected, which is disruptive to both patients and staff.
“One of the most concerning and really troubling things we deal with in this job is hacks of hospitals, hacks of medical data,” Neuberger said.
“Hospitals are forced to operate manually, and Americans’ sensitive medical data, mental health information and other information are being leaked on the dark web, with the opportunity to extort individuals.”
Via Reuters