The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations with an aim to safeguard patients’ data against potential cyber attacks.
The proposal, which seeks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to bolster the cybersecurity of critical infrastructure, the OCR said.
The rule is designed to strengthen protections for electronic protected health information (ePHI) by updating the HIPAA Security Rule’s standards to “better address ever-increasing cybersecurity threats to the healthcare sector.”
To that end, the proposal, among other things, requires organizations to conduct a review of the technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
Other notable clauses include carrying out a compliance audit at least once every 12 months, mandating encryption of ePHI at rest and in transit, enforcing the use of multi-factor authentication, deploying anti-malware protection and removing extraneous software from relevant electronic information systems.
The Notice of Proposed Rulemaking (NPRM) also necessitates that healthcare entities implement network segmentation, set up technical controls for backup and recovery, as well as perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.
The development comes as the healthcare sector continues to be a lucrative target with ransomware attacks, not only posing financial risk but also putting lives at stake by disrupting access to diagnostic equipment and critical systems that contain patient medical records.
“Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks,” Microsoft noted in October 2024. “However, a more significant reason these facilities are at risk is the potential for huge financial payouts.”
“Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner.”
According to data compiled by cybersecurity company Sophos, 67% of healthcare organizations were hit by ransomware in 2024, up from 34% in 2021. The root cause behind a majority of these incidents have been traced back to exploited vulnerabilities, compromised credentials, and malicious emails.
Furthermore, 53% of healthcare organizations that had data encrypted paid the ransom to restore access. The median ransom payment was at $1.5 million.
The increase in the rate of ransomware attacks against the healthcare entities has also been complemented by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, a significant drop from 54% in 2022.
“The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” Sophos CTO John Shier said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.”
Last month, the World Health Organization (WHO), a United Nations agency focused on global public health, characterized the ransomware attacks on hospitals and healthcare systems as “issues of life and death” and called for international cooperation to combat the cyber threat.
