The US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements aimed at protecting patients’ private data in the event of cyberattacks. These rules come on the heels of major cyberattacks, including one that leaked the private information of more than 100 million UnitedHealth patients earlier this year.
The OCR’s proposal includes a range of measures aimed at strengthening the cybersecurity of healthcare organizations. This is part of the Biden administration’s broader cybersecurity strategy, which was announced last year and aims to improve the resilience of the US healthcare system in the face of growing cyber threats.
New Cybersecurity Requirements for Healthcare Organizations
The proposed rules would update the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates doctors, nursing homes, health insurance companies, and more. The last update to HIPAA was in 2013, and this new proposal aims to bring the law up to date with modern cybersecurity best practices.
Key Components of the Proposed Rule
- Mandatory multifactor authentication for most situations, reducing the risk of unauthorized access to patient data.
- Segmentation of networks to reduce the risks of intrusions spreading from one system to another.
- Encryption of patient data so that even if it’s stolen, it can’t be accessed.
- Directing regulated groups to undertake certain risk analysis practices and keep compliance documentation.
The rule also includes requirements for healthcare organizations to implement cybersecurity measures, such as regular software updates and employee training. This is aimed at reducing the risk of cyberattacks and improving the overall security posture of healthcare providers.
Costs and Timeline
The cost of implementing these requirements has been estimated at $9 billion in the first year, with a further $6 billion in years two through five. The proposal is due to be published in the Federal Register on January 6th, kicking off a 60-day public comment period before the rule is finalized.
Insights and Analysis
The proposed rules represent a significant step forward in strengthening the cybersecurity of healthcare organizations. The requirements for multifactor authentication, network segmentation, and encryption are all key measures that can help reduce the risk of cyberattacks.
- Multifactor authentication reduces the risk of unauthorized access to patient data.
- Network segmentation reduces the risks of intrusions spreading from one system to another.
- Encryption ensures that even if patient data is stolen, it can’t be accessed.
The cost of implementation may seem significant, but the long-term benefits of strengthening cybersecurity far outweigh the costs. In fact, a study by the Ponemon Institute found that every dollar invested in cybersecurity returns an average of $4 in savings from reduced costs associated with data breaches.
Conclusion
While there may be costs associated with implementing these requirements, the long-term benefits far outweigh them. By strengthening cybersecurity, healthcare organizations can improve patient care, reduce costs, and increase trust in the healthcare system.