Healthcare providers across the United States may soon face stricter cybersecurity requirements as the Department of Health and Human Services (HHS) unveils proposals aimed at combating ransomware and data breaches in the sector. The measures, proposed by the HHS Office for Civil Rights (OCR), are designed to address a growing wave of cyberattacks targeting sensitive patient data.
The proposed rules, currently open for public comment, would mandate healthcare organizations to implement multi-factor authentication, encrypt patient data, and undergo compliance checks to ensure network security. These measures aim to reduce the risk of breaches and safeguard patient information, which has increasingly been targeted by hackers.
However, these changes come with a hefty price tag. Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, told reporters the new rules could cost $9 billion in the first year alone, with ongoing costs estimated at $6 billion annually for the next two years, Reuters reports.
Neuberger also highlighted the urgency of these changes, citing alarming trends. Ransomware incidents and large-scale breaches in the healthcare industry have risen sharply, with breaches from hacking and ransomware increasing by 89% and 102%, respectively, since 2019. Beyond operational disruptions, the stolen data often appears on the dark web, where it can be used to blackmail individuals.
High-Profile Cyberattacks Fuel Changes
Recent high-profile breaches underline the stakes. In February 2024, a ransomware attack on Change Healthcare, a subsidiary of UnitedHealth, exposed the personal data of over 100 million people. The attack disrupted pharmacy services and billing operations, revealing vulnerabilities in systems that lacked multi-factor authentication. Andrew Witty, CEO of Change Healthcare, acknowledged that hackers exploited compromised credentials to access the company’s Citrix portal, which would require enhanced security measures under the proposed rules.
Another breach in May 2024 saw healthcare provider Ascension’s IT systems crippled by a cyberattack, forcing some hospitals to revert to pen-and-paper recordkeeping. These incidents have highlighted the cascading effects of poor cybersecurity on both healthcare delivery and patient trust.
The HHS proposals will remain open for a 60-day public comment period, allowing healthcare firms and other stakeholders to weigh in on the requirements. As the industry grapples with the financial and logistical implications, the proposals underscore a critical need to balance cost with the pressing need for improved cybersecurity.
