
A set of new cybersecurity requirements proposed by the US Department of Health and Human Services’ (HHS) Office for Civil Rights aims to enhance the security posture of healthcare organizations by aligning them with contemporary cybersecurity practices. This comprehensive proposal, recently published in the Federal Register, introduces critical measures such as multifactor authentication, robust data encryption, and routine vulnerability assessments to detect any breaches. Additionally, it mandates the implementation of anti-malware protection for systems that handle sensitive health information. Other essential components include network segmentation, distinct controls for data backup and recovery, and annual compliance audits to ensure adherence to these new regulations.
Moreover, HHS has released a detailed fact sheet explaining the scope of this proposal, which seeks to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. A public comment period lasting 60 days is anticipated to commence soon, giving stakeholders an opportunity to voice their opinions. In a recent press briefing, Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, indicated that implementing this plan will incur an estimated cost of $9 billion in the first year, followed by $6 billion over the next four years, as reported by Reuters. This initiative is particularly timely given the alarming surge in large-scale cyber breaches noted in recent years, with the healthcare sector experiencing significant disruptions due to cyberattacks on entities such as Ascension and UnitedHealth.
The Office for Civil Rights highlighted a staggering increase in reported large breaches from 2018 to 2023, with a 102 percent rise in incidents and a shocking 1002 percent increase in the number of affected individuals, primarily driven by heightened hacking and ransomware threats. In 2023 alone, over 167 million individuals fell victim to such breaches—a record high that underscores the urgent need for enhanced security measures in the healthcare domain.