Healthcare organizations may soon face stricter cybersecurity requirements to safeguard sensitive patient data, following significant breaches involving Ascension and UnitedHealth. Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology, emphasized the urgency of these measures on Friday, citing the exposure of healthcare information for over 167 million Americans in 2023.
Proposals include encrypting data to render it inaccessible even if leaked, and enforcing compliance checks to ensure adherence to cybersecurity standards. The rules, posted to the Federal Register, aim to strengthen protections under the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services (HHS) also released a condensed summary online.
The proposed changes, spearheaded by the Office for Civil Rights (OCR) within HHS, carry an estimated cost of $9 billion in the first year and $6 billion annually for the next four years. A 60-day public comment period will follow before final decisions are made.
Large healthcare breaches from hacking and ransomware attacks have surged by 89% and 102%, respectively, since 2019, Neuberger noted. Such incidents have disrupted hospital operations, forcing manual workflows, and exposed sensitive data—mental health and medical records—on the dark web, enabling blackmail opportunities.
Neuberger described the hacking of hospitals and healthcare data as one of the most troubling challenges in her role. She stressed the importance of enhanced measures to protect patients’ information and prevent further exploitation. “These proposals, if finalized, can significantly bolster cybersecurity and safeguard Americans’ health information,” an OCR spokesperson added.
Also read: American Airlines Resumes Flights After Technical Glitch Disrupts Christmas Eve Travel
