Healthcare organizations in the US may be getting a cybersecurity fix
A set of new requirements proposed by the US Department of Health and Human Services (HHS) Office of Civil Rights would bring healthcare organizations up to speed with modern cybersecurity practices. The proposal, submitted to the Federal Register on Friday, includes requirements for multi-factor authentication, data encryption and routine scanning for vulnerabilities and breaches. It also makes the use of anti-malware protection mandatory for systems that handle sensitive information, as well as network isolation, implementation of separate controls for data backup and recovery, and annual audits for compliance.
HHS also shared a fact sheet outlining the proposal, which would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A 60-day public comment period is expected to open soon. In a press conference, US deputy national security adviser for cyber and emerging technologies Anne Neuberger said the program will cost $9 billion in the first year and $6 billion over the next four years, Reuters reports. The proposal comes in the wake of a significant increase in major violations over the past few years. This year alone, the healthcare industry has been hit by several major cyberattacks, including the hacking of the Ascension and UnitedHealth systems that disrupted hospitals, doctors’ offices and pharmacies.
“From 2018-2023, reports of major breaches increased by 102 percent, and the number of people affected by such breaches increased by 1002 percent, largely due to the increase in hacking and ransomware attacks,” according to the Office of Human Rights. “By 2023, more than 167 million people will be affected by major breaches – a new record.”