Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS). proposed new cybersecurity requirements for healthcare organizations to protect patient data from potential cyberattacks.
The proposal, which seeks to change the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to strengthen the cybersecurity of critical infrastructure, according to OCR.
The rule is intended to strengthen the protection of electronic protected health information (ePHI) by updating the HIPAA Security Rule standards to “better address the ever-increasing cybersecurity threats to the healthcare sector.”
To that end, the proposal, among other things, requires organizations to conduct a review of technology asset inventories and network maps, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to recover from the loss of certain relevant electronic information systems and data within 72 hours.
Other important points include conducting a compliance audit at least once every 12 months, mandating encryption of ePHI at rest and in transit, enforcing the use of multi-factor authentication, deploying anti-malware protection, and removing third-party software from relevant electronic information systems.
The Notice of Proposed Rulemaking (NPRM) also requires healthcare organizations to implement network segmentation, establish technical controls for backup and recovery, and perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.
This comes at a time when the healthcare sector continues to be a lucrative target for ransomware attacks, which not only pose financial risks, but also put lives at risk by compromising access to diagnostic equipment and critical systems that hold patients’ medical records. .
“Healthcare organizations collect and store highly sensitive data, which likely facilitates ransomware attacks by threat actors,” Microsoft said. noted in October 2024 “However, the more important reason these facilities are at risk is the potential for huge financial payouts.”
“Medical facilities located near hospitals that are affected by ransomware are also affected because they experience a surge in patients who need care and cannot support them urgently.”
According to data collected by cybersecurity firm Sophos, 67% of healthcare organizations will be affected by ransomware in 2024, up from 34% in 2021. The root cause of most such incidents is rooted in vulnerabilities, compromised credentials, and malware. emails.
Additionally, 53% of healthcare organizations that encrypted data paid a ransom to regain access. The average redemption amount was 1.5 million dollars.
The increase in ransomware attacks on healthcare facilities is also compounded by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, down significantly from 54% in 2022.
“The highly sensitive nature of health information and the need for accessibility will always put the healthcare industry at risk from cybercriminals,” said Sophos CTO John Shier. said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, as evidenced by increasing recovery times.”
Last month, the World Health Organization (WHO), the United Nations agency responsible for global public health, characterized ransomware attacks on hospitals and healthcare systems as “matters of life and death” and called for international cooperation to combat the cyber threat.
