Healthcare organizations across America may face a $9 billion cost this year to meet new federal computer security rules proposed by the U.S. Department of Health and Human Services (HHS). The changes aim to tackle the alarming rise in healthcare data breaches last year.
“We see hospitals forced to operate manually. We see American sensitive healthcare data, sensitive mental health data, sensitive procedures, being leaked on the dark web with the opportunity to blackmail individuals,” said Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technology.
Modernizing HIPAA to address rising cybersecurity threats
The HHS wants to update the decades-old privacy regulations known as the Health Insurance Portability and Accountability Act (HIPAA). Under the proposal, hospitals and medical offices would have to encrypt patient data, require multi-factor authentication for computer access, and regularly test whether their security measures actually work.
The proposed requirements mark the first major update to HIPAA’s Security Rule in over ten years. The Security Rule was first published in 2003 and last revised in 2013. Neuberger said the new rules would clarify what cybersecurity measures HIPAA requires.
Healthcare providers are expected to spend $9 billion in the first year on initial implementation, and $6 billion annually in subsequent years to maintain the enhanced security systems.
Smaller healthcare providers, already struggling to meet existing regulations, worry about these costs. However, proponents argue that preventing breaches saves money in the long run. A single healthcare data breach cost companies an average of $10.1 million in 2023.
“The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” Neuberger explained.
The alarming cost of inaction
The surge in healthcare data breaches affected over 167 million people in 2023 alone. Major incidents like the February attack on UnitedHealth’s Change Healthcare unit disrupted medical services nationwide, leaving doctors unable to process prescriptions or bill insurance companies.
“These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures,” HHS Deputy Secretary Andrea Palm explained.
Change Healthcare’s experience showed officials why stricter rules are needed. The company’s systems lacked basic security features such as multi-factor authentication when attackers breached them. The breach exposed over 100 million patients’ information and caused an estimated $850 million in damages.
The public has 60 days (until March 2025) to comment on the proposed rules, giving stakeholders an opportunity to voice their opinions. Once the final requirements become official, healthcare organizations would have six months to comply.
As the healthcare industry faces mounting cybersecurity challenges, these updates could be crucial in protecting sensitive patient data in an increasingly digital world.