A new federal rule could force hospitals and doctors’ groups to boost health cybersecurity measures to better protect patients’ health information and prevent ransomware attacks. Some of the proposed requirements could be expensive for healthcare providers.
The proposed rule, issued by the US Department of Health and Human Services (HHS) and published on January 6 in the Federal Register, marks the first time in a decade that the federal government has updated regulations governing the security of private health information (PHI) that’s kept or shared online. Comments on the rule are due on March 6.
Because the risks for cyberattacks have increased exponentially, “there is a greater need to invest than ever before in both people and technologies to secure patient information,” Adam Greene, an attorney at Davis Wright Tremaine in Washington, DC, who advises healthcare clients on cybersecurity, told Medscape Medical News.
Bad actors continue to evolve and are often far ahead of their targets, added Mark Fox, privacy and research compliance officer for the American College of Cardiology.
In the proposed rule, HHS noted that breaches have risen by more than 50% since 2020. Damages from health data breaches are more expensive than in any other sector, averaging $10 million per incident, said HHS.
The damage can continue for years, as much of the data — such as date of birth — in PHI are “immutable,” unlike a credit card number, the agency said. A review of breach reports made to HHS’ Office for Civil Rights shows near-daily data breaches affecting hundreds to tens of thousands of patients. Since December 1 alone, healthcare providers reported breaches affecting nearly 3 million US patients, according to federal data.
Debi Carr, a Florida-based cybersecurity consultant for small physician and dental practices, welcomed the new proposal. “Many practices are clinging to doin