Summary: The U.S. Department of Health and Human Services has proposed new cybersecurity requirements for healthcare organizations to enhance protections for electronic patient data against increasing cyber threats. This initiative aims to amend HIPAA regulations to better safeguard sensitive health information and ensure rapid recovery from cyber incidents.
Threat Actor: Cybercriminals | cybercriminals
Victim: Healthcare Organizations | healthcare organizations
Key Point :
- Proposed changes include mandatory technology asset reviews and vulnerability assessments.
- Healthcare entities must conduct compliance audits annually and implement encryption for ePHI.
- Multi-factor authentication and anti-malware protections are now required.
- Network segmentation and regular vulnerability scanning are essential to enhance security measures.
- Ransomware attacks on healthcare have surged, with 67% of organizations affected in 2024.
- The median ransom payment for encrypted data reached $1.5 million, emphasizing the financial risks involved.
- Recovery times from ransomware attacks have lengthened, with only 22% of victims recovering in a week or less.
The United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations with an aim to safeguard patients’ data against potential cyber attacks.
The proposal, which seeks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to bolster the cybersecurity of critical infrastructure, the OCR said.
The rule is designed to strengthen protections for electronic protected health information (ePHI) by updating the HIPAA Security Rule’s standards to “better address ever-increasing cybersecurity threats to the healthcare sector.”
To that end, the proposal, among other things, requires organizations to conduct a review of the technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
Other notable clauses include carrying out a compliance audit at least once every 12 months, mandating encryption of ePHI at rest and in transit, enforcing the use of multi-factor authentication, deploying anti-malware protection and removing extraneous software from relevant electronic information systems.
The Notice of Proposed Rulemaking (NPRM) also necessitates that healthcare entities implement network segmentation, set up technical controls for backup and recovery, as well as perform vulnerability scanning at least every six months and penetration testing at least once every 12 months.
The development comes as the healthcare sector continues to be a lucrative target with ransomware attacks, not only posing financial risk but also putting lives at stake by disrupting access to diagnostic equipment and critical systems that contain patient medical records.
“Healthcare organizations collect and store extremely sensitive data, which likely contributes to threat actors targeting them in ransomware attacks,” Microsoft noted in October 2024. “However, a more significant reason these facilities are at risk is the potential for huge financial payouts.”
“Healthcare facilities located near hospitals that are impacted by ransomware are also affected because they experience a surge of patients needing care and are unable to support them in an urgent manner.”
According to data compiled by cybersecurity company Sophos, 67% of healthcare organizations were hit by ransomware in 2024, up from 34% in 2021. The root cause behind a majority of these incidents have been traced back to exploited vulnerabilities, compromised credentials, and malicious emails.
Furthermore, 53% of healthcare organizations that had data encrypted paid the ransom to restore access. The median ransom payment was at $1.5 million.
The increase in the rate of ransomware attacks against the healthcare entities has also been complemented by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, a significant drop from 54% in 2022.
“The highly sensitive nature of healthcare information and need for accessibility will always place a bullseye on the healthcare industry from cybercriminals,” Sophos CTO John Shier said. “Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, demonstrated by increasingly longer recovery times.”
Last month, the World Health Organization (WHO), a United Nations agency focused on global public health, characterized the ransomware attacks on hospitals and healthcare systems as “issues of life and death” and called for international cooperation to combat the cyber threat.
Source: https://thehackernews.com/2024/12/new-hipaa-rules-mandate-72-hour-data.html