Healthcare data breaches are out of control – here's how the US plans to beef up security standards


The US Department of Health and Human Services (HHS) has proposed extensive modifications to the existing standards governing how healthcare information is stored and protected in the US.

Set to be published in the Federal Register on 6 January, the changes set out by the HHS would impact the ‘security rule’ of the Health Insurance Portability and Accountability Act (HIPAA).

The HHS said the security rule is one of several HIPAA rules that protect the privacy and security of an individual's protected health information (PHI), which refers to individually identifiable health information that is maintained electronically (ePHI) or otherwise.

The proposed modifications, which would mark the first major update to HIPAA’s security rule in over 10 years, include new requirements for healthcare organizations to implement security controls such as multi-factor authentication (MFA), network segmentation, and rigorous encryption of healthcare data.

Healthcare organizations will also be required to build an inventory of their technology assets and provide information detailing how ePHI is moved and stored within their networks.

Anne Neuberger, deputy national security advisor for cyber and emerging technology, discussed the upcoming changes at a White House press briefing on 27 December, and outlined the projected costs of implementing these measures.

She said the modifications to the security rule are projected to cost roughly $9 billion during the first year of implementation, and then a further $6 billion for years two to five.

Growth in US healthcare breaches prompts action

Neuberger explained that the implementation costs pale in comparison to those incurred by breaches, citing the fact that two of the most serious cyber attacks ever to hit US healthcare organizations took place within the last year.

The attack on Change Healthcare in February 2024, for example, was one of the largest data breaches ever recorded in the US: the PHI of over 100 million individuals was compromised by the ALPHV/BlackCat group.

The threat group was able to steal health insurance information, medical data, as well as other PII including Social Security numbers, driver’s licenses, and passport numbers.

UnitedHealth Group, the parent company of Change Healthcare, admitted to having paid the group a $22 million ransom in order to retrieve the stolen data.

“In 2023, the average cost of a breach in healthcare was $10.1 million. The two biggest healthcare breaches we have ever experienced, Ascension Health and Change Healthcare, both occurred in the last year, and you may have noted Change Healthcare noted that the cost of the breach will be approaching $800 million in the cost of recovery and the cost of operations, and, frankly, in the cost to Americans’ healthcare data and the operations of hospitals affected by it.”

The HHS noted that since its publication in 2003, and revision in 2013, there have been a number of “significant changes to the environment in which healthcare is provided and how the health care industry operates”, adding that cybersecurity is a concern for “every facet of modern health care”.

As a result, it said that an alarming growth in serious breaches affecting US citizens’ healthcare information and a “rampant escalation of cyberattacks using hacking and ransomware” required an update to the current security standards governing this data.

“The Department is concerned by the increasing numbers of breaches and other cybersecurity incidents experienced by regulated entities. We are also increasingly concerned by the upward trend in the numbers of individuals affected by such incidents and the magnitude of the potential harms from such incidents.”

Regulated entities will be required to comply with the modified security rule under HIPAA within 60 days after publication, expected to be 6 January 2024.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.