Healthcare organizations across America could face costs of $9 billion this year under new federal computer security rules proposed by the US Department of Health and Human Services (HHS). The changes aim to address an alarming increase in healthcare data breaches over the past 12 months.
“We see hospitals being forced to operate manually. We see sensitive US health care data, sensitive mental health data, sensitive procedures being leaked onto the dark web with the potential to blackmail individuals,” said Anne Neuberger, US Deputy National Security Advisor for Cyber and Emerging Technology.
Modernizing HIPAA to address growing cybersecurity threats
HHS wants to update the decades-old privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). Hospitals and medical offices would have to encrypt patient data, use multi-factor authentication when accessing computer systems, and regularly check whether their security measures are working properly.
The proposed requirements represent the first major update to the HIPAA Security Rule in over a decade. The rule was last modified in 2013, after being published in 2003. Neuberger said the new rules would clarify cybersecurity obligations under HIPAA.
Healthcare providers are expected to spend $9 billion in the first year on initial implementation. In subsequent years, they would need to invest $6 billion a year to maintain the improved security systems.
Smaller healthcare providers that already struggle to comply with existing regulations are concerned about these costs. But supporters say preventing breaches saves money in the long term. In 2023, a single healthcare data breach cost firms a median of $10.1 million.
“The costs of inaction are not only high, but they also threaten critical infrastructure and patient safety, among other harmful consequences,” Neuberger explained.
Alarming costs of inaction
The surge in healthcare data breaches affected more than 167 million people in 2023 alone. Major incidents, such as the February attack on UnitedHealth’s Change Healthcare, disrupted healthcare services across the country as doctors were unable to fill prescriptions or bill insurers.
“These attacks endanger patients by exposing gaps in our health care system, undermining patient trust, disrupting patient care, distracting patients, and delaying medical procedures,” explained HHS Deputy Secretary Andrea Palm.
Change Healthcare’s experience showed officials the need for more stringent rules. The company’s systems lacked basic security features such as multi-factor authentication when hackers compromised them. This exposed the data of over 100 million patients and resulted in an estimated loss of $850 million.
The public has 60 days (until March 2025) to respond to the proposed regulations, which gives interested parties the chance to express their views. Healthcare organizations would then have six months to comply with the final requirements once they go into effect.
As the healthcare industry faces increasing cybersecurity challenges, these updates could be critical to protecting sensitive patient data in an increasingly digital world.