HHS Proposes Rule to Strengthen Cybersecurity in U.S. Healthcare System
On Dec. 27, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued a proposed rule to improve cybersecurity for the U.S. healthcare system.
A press release on the announcement said, “The proposed rule would modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, health care clearinghouses (an organization that enables the exchange of health care data between a provider and a payer (insurance company)), and most health care providers, and their business associates, to strengthen cybersecurity protections for individuals’ protected health information. This proposed rule is the latest step taken by OCR to address more frequent cyberattacks targeting the U.S. health care system, consistent with the HHS Healthcare and Public Health critical infrastructure sector Cybersecurity Performance Goals.”
Deputy Secretary Andrea Palm was quoted in the release saying that “The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety. These attacks endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”
OCR has seen a substantial increase in reports of large breaches over the last five years, according to the press release. From 2018 to 2023, reports of large breaches increased by 102%, and the number of individuals affected by such breaches increased by 1002%.
The proposed rule would modify the HIPAA Security Rule to require health plans, health care clearinghouses, and the majority of healthcare providers, and their business associates to better protect individuals’ electronic protected health information against external and internal threats.
The proposed rule also aims to clarify, with specific instructions, what covered entities and their business associates must do to protect electronic protected health information.
Further, the release added, “The proposed rule also would require that policies and procedures be in writing, reviewed, tested, and updated on a regular basis.”
Janette Wider | Editor-in-Chief
Janette Wider is Editor-in-Chief for Healthcare Purchasing News.