The US Department of Health and Human Services (HHS) has unveiled a new proposal to update cybersecurity requirements for healthcare institutions under the Health Insurance Portability and Accountability Act (HIPAA). The proposed changes aim to enhance the protection of electronic protected health information (ePHI) and address the growing frequency and severity of cyberattacks in the sector.

The proposed rulemaking seeks to revise the HIPAA Security Standards to align with current cybersecurity threats and challenges. According to HHS, there has been a significant rise in reported breaches involving the health data of 500 or more individuals. These incidents, often involving ransomware and sophisticated hacking campaigns, have affected millions of patients and disrupted critical healthcare services.

Proposed revisions target rising breach incidents

The proposed updates include mandatory data encryption, multifactor authentication and network segmentation. These steps are designed to ensure that ePHI remains secure even if unauthorised access occurs. The revisions also aim to address common compliance deficiencies observed by the HHS Office for Civil Rights (OCR) during investigations and incorporate guidance from court rulings and industry best practices.

Recent high-profile cyberattacks have underscored the urgency of these changes. In May, a ransomware incident at Ascension, one of the largest private healthcare systems in the US, exposed the personal and medical data of nearly 5.6 million people. The attack forced the healthcare provider to disable devices, divert emergency medical services and resort to the manual tracking of patient records.

This incident is part of a broader trend of attacks that have crippled healthcare providers, highlighting vulnerabilities in the existing infrastructure. According to Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technologies at the White House, the scale and impact of these breaches necessitate stronger protections.

The HIPAA proposal for cybersecurity enhancements comes with a substantial financial cost. Neuberger estimated that implementing these measures would require $9bn in the first year alone, with an additional $6bn over the subsequent four years. Despite the expense, the administration views these updates as critical to safeguarding sensitive health information and maintaining public trust in the healthcare system. Beyond financial considerations, the updates are expected to impose stricter compliance requirements on healthcare organisations and their business associates. This includes periodic checks to ensure adherence to cybersecurity protocols and the adoption of measures that minimise the risk of data leaks.

The HHS has issued a Notice of Proposed Rulemaking (NPRM) to gather feedback from stakeholders on the proposed updates. Public comments will be reviewed before the final rule is issued — likely within 60 days — to ensure that the measures are practical and effective in addressing the dynamic nature of cyber threats.