A massive healthcare data breach has prompted the US Department of Health and Human Services to update HIPAA regulations to include requirements for data encryption, multi-factor authentication and network segmentation.
The update amends the security provisions of the Health Insurance Portability and Accountability Act (HIPAA), which were last revised in 2013. Under the new requirements, organizations handling protected health information (PHI) must encrypt that data, implement multi-factor authentication, and segment their networks to make it more difficult for attackers to move through them. The update is prompted by a rise in cyber incidents, including hacking and ransomware attacks.
In recent years alone, the number of attacks affecting more than 500 people has risen significantly. The rules will be updated within the next 60 days, according to White House deputy cybersecurity adviser Anne Neuberger. The update is expected to cost US$9 billion in the first year and more than US$6 billion over the following four years. The attack on the Ascension health system in May 2024 illustrates the severity of the situation: the Black Basta ransomware group stole the data of 5.6 million people, forcing doctors to work without electronic records and causing significant delays in the provision of medical services.
HIPAA was enacted in 1996, and its Security Rule was last updated in 2013. Cyber threats have evolved significantly over the past decade, forcing the US government to rethink its approach to data protection. The proposed update is an important step towards protecting patient data and strengthening cybersecurity in healthcare. However, its implementation will require significant resources and active cooperation between government and healthcare organizations.