New Healthcare Cybersecurity Rules


Introduction

Bad actors are becoming more advanced as technology improves. Healthcare organizations and providers have always been a major target for these groups, because hospitals and health clinics rarely upgrade their systems and information security. Because of this lack of up-to-date cybersecurity, there has been an increase in malicious attacks on healthcare providers and their patients, affecting millions of people a year.

Due to this increase, the US government has proposed new rules for healthcare institutions to follow. These regulations are stricter when it comes to information security in hospitals and health clinics and require them to be more proactive in implementing protections. Over the past few years, cyberattacks have increased sharply, so it is becoming increasingly important for healthcare organizations to improve their security protections.

The Proposed Regulations

The Department of Health and Human Services (HHS) has recognized the need to strengthen cybersecurity across healthcare providers and systems. The proposed rule changes the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen cybersecurity protections for individuals. This means that health clearinghouses, health plans, healthcare providers, and their business associates have to take steps to improve their protections.

The aim of HHS is for healthcare providers to advance along with advancing technologies. It is important to keep changing with the environment, since things are getting more complicated and detailed, especially with artificial intelligence and generative AI being used more widely. Attacks are becoming more sophisticated, and HHS wants the healthcare industry to keep pace.

There are a few key areas that the proposed rules address:

  • Changes in the healthcare environment and where care is provided.
  • Increases in cyberattacks and breaches in healthcare environments.
  • Weaknesses in cybersecurity and information security compliance among healthcare organizations and the businesses that work with them.
  • Guidelines, best practices, procedures, and other processes around cybersecurity that healthcare providers have in place.
  • Court decisions that enforce HIPAA's Security Rule.

Given the direction the rules are heading in, it is clear that HHS wants to curb the increasing number of cyberattacks. There has been some slack in these areas in the past, but hopefully things will improve once these rules become formal regulations.

The Future of Healthcare Cybersecurity

According to the Department of Health and Human Services, cyberattacks have increased from 89 percent to around 102 percent each year. Breaches are happening every day, causing millions of people to have their information stolen or misused. These rules have been in motion since 2023, when HHS outlined a roadmap of where it wanted healthcare cybersecurity to be.

Under these stricter rules, the healthcare industry would be required to maintain written documentation, track specific compliance time periods, follow much more specific requirements for conducting risk analyses, and more. Notification and contingency requirements would move to a 72-hour window, and business associates would be required to verify once a year that they have the technical safeguards the Security Rule requires.

Much like financial institutions, the healthcare industry will face more frequent and more in-depth reviews by examiners. The need for third-party cybersecurity vendors will increase as well, so it is a good idea to start looking for providers of services such as penetration testing. With stricter rules, it is likely that additional cybersecurity measures will need to be considered.

Conclusion

The healthcare industry has never been quick to adopt new technology. Many healthcare providers use outdated systems and aging devices, making them an easy target for cyberattacks and other cybersecurity issues. Millions of people are affected by these breaches every year, whether through stolen data, ransomware, or vulnerabilities that have not been patched.

With the Department of Health and Human Services updating the HIPAA Security Rule, healthcare organizations and their business associates will be examined more thoroughly to make sure that documentation, systems, and other safeguards are kept up to date and secure. These things should be kept in mind regardless of government requirements. Keeping individuals safe should be a business's top priority.