With more than 167 million individuals affected by healthcare data breaches in 2023 alone, the Department of Health and Human Services (HHS) is taking action to address increasing cyberattacks on healthcare systems. On Friday, it announced a proposed rule aimed at enhancing the HIPAA Security Rule, compelling healthcare entities to bolster protections for electronic protected health information (ePHI).
The big picture: Cyberattacks, especially ransomware and hacking, have escalated dramatically in the healthcare sector, jeopardizing patient safety, disrupting care, and undermining trust. HHS Deputy Secretary Andrea Palm emphasized that these threats are not just technical concerns — they are critical public health risks.
Key updates proposed:
- Mandatory Safeguards: All HIPAA Security Rule implementation specifications would be required, eliminating the “addressable” category.
- Enhanced Risk Analysis:
  - A written assessment addressing threats, vulnerabilities, and risk levels.
  - Annual updates to technology asset inventories and network maps.
- Incident Response:
  - Plans to restore electronic systems within 72 hours post-incident.
  - Workforce training on reporting and responding to security breaches.
- Stronger Technical Controls:
  - Mandatory multi-factor authentication and encryption of ePHI.
  - Biannual vulnerability scans and annual penetration testing.
- Audit and Compliance:
  - Annual compliance audits for covered entities and business associates.
  - Written certification of technical safeguards by business associates.
Between the lines: This proposed rule reflects the federal government’s heightened focus on cybersecurity, aligning with initiatives like the National Cybersecurity Strategy. It also responds to the explosive growth in data breaches — up 1002% in the last five years — highlighting systemic vulnerabilities in healthcare IT.
What’s next: Public comments on the proposed rule will be accepted for 60 days after it is published in the Federal Register.