The White House is set to propose new cybersecurity rules aimed at strengthening the protection of user data in healthcare institutions under the Health Insurance Portability and Accountability Act (HIPAA), as revealed by a White House official.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, emphasized the need for an update to the security rule under HIPAA which was last revised in 2013. This update, the first in over a decade, will enforce measures such as data encryption to prevent leaks in case of cyberattacks, ultimately safeguarding individuals’ sensitive healthcare information.
The Department of Health and Human Services (HHS) is expected to release a draft of the updated rules in the Federal Register for public input. Neuberger highlighted that healthcare entities will be required to enhance their cybersecurity posture by monitoring networks for threats and conducting compliance checks to ensure adherence to the new HIPAA regulations.
In terms of financial impact, Neuberger estimated that the implementation cost of the proposed rule for the healthcare industry would amount to approximately $9 billion in the first year and $6 billion annually for the subsequent four years. She underscored the significant consequences of inaction, citing the potential risks to critical infrastructure, patient safety, and the broader negative implications that could arise.
HIPAA, established in 1996, governs the sharing of healthcare data among hospitals, insurers, and patients. Neuberger emphasized that the forthcoming rules aim to provide additional clarity and specificity on cybersecurity within the framework of HIPAA, aligning with the evolving threat landscape faced by healthcare organizations.
The decision to introduce these new cybersecurity measures stems from a concerning trend of healthcare data breaches over the past few years, culminating in two major incidents in 2024 involving ransomware attacks on Change Healthcare and the Ascension hospital network. Neuberger highlighted the escalating financial toll of such breaches, with organizations like Ascension and Change Healthcare facing potentially catastrophic losses.
The mounting risks associated with hacking and ransomware incidents in the healthcare sector have prompted urgent action from the White House. Neuberger expressed deep concern over the increasing frequency of large-scale breaches impacting critical healthcare systems, underscoring the gravity of the situation and the urgent need for robust cybersecurity measures.
Moreover, the White House’s proactive stance on cybersecurity in the healthcare sector has garnered support from members of Congress who are alarmed by the persistent threats posed by ransomware attacks and the wide-reaching impacts of breaches such as the one experienced by Change Healthcare, affecting millions of individuals.
In response to the pressing need for enhanced cybersecurity practices, HHS previously introduced cybersecurity rules for healthcare institutions participating in the Medicare and Medicaid programs. These efforts aim to establish baseline standards for cybersecurity and potentially tie federal payments to compliance with these standards.
As the healthcare industry grapples with mounting cybersecurity challenges, the forthcoming updates to HIPAA regulations represent a crucial step towards bolstering the resilience of healthcare systems against evolving threats. The guidance provided by HHS underscores the critical importance of proactive cybersecurity risk assessment and management practices to mitigate the growing risks faced by HIPAA-covered entities.
Overall, the proposed cybersecurity rules under HIPAA mark a significant milestone in fortifying the protection of healthcare data and are poised to play a vital role in safeguarding the integrity and confidentiality of sensitive patient information in an increasingly digital and interconnected healthcare landscape.