
HHS proposes HIPAA Security Rule update to combat rising cyber threats

The HHS Office for Civil Rights proposed updates to the HIPAA Security Rule, marking the first major revision since 2013, to address the growing threat of cyberattacks in healthcare. These updates aim to strengthen cybersecurity measures for health plans, providers, and their business associates.

What happened

On December 27, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed updates to the HIPAA Security Rule to improve cybersecurity protections in the U.S. healthcare system. It marked the first revision of the Security Rule since 2013. The updates aim to address the increasing frequency and sophistication of cyberattacks, which have jeopardized patient safety.

The proposed rule would require covered entities and their business associates to implement written, regularly reviewed, and tested policies to secure electronic protected health information (ePHI). These measures align the Security Rule with modern cybersecurity best practices and address observed compliance deficiencies and relevant court decisions.

By the numbers

  1. From 2018 to 2023, reports of large breaches increased by 102%.
  2. The number of individuals affected by large breaches rose by 1002% during the same period.
  3. In 2023, over 167 million individuals were impacted by large breaches, setting a new record.
  4. Since 2019, large breaches caused by hacking and ransomware increased by 89%.
  5. Ransomware-related breaches grew by 102% since 2019.

What was said

OCR Director Melanie Fontes Rainer notes, “This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.”

Deputy Secretary Andrea Palm stated, “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”

FAQs

What are internal threats to cybersecurity?

Internal threats include careless or negligent workers, malicious insiders, and disgruntled employees.

What are the HHS Healthcare and Public Health cybersecurity performance goals?

  • Implementing risk management strategies
  • Building incident response capabilities
  • Fostering a culture of cybersecurity awareness
  • Ensuring systems are regularly updated and patched

What is the significance of cyberattacks to healthcare organizations?

The healthcare sector is increasingly targeted by cybercriminals because it holds valuable data such as PHI and financial records. When exposed, this data is used for fraudulent purposes or in ransomware efforts.