US Government Crafts New Cybersecurity Regulations for Healthcare Data Protection
The Office for Civil Rights (OCR) under the US Department of Health and Human Services (HHS) has proposed new cybersecurity measures for healthcare institutions. The move aims to avert cyberattacks and safeguard patient information. This development follows a significant cybersecurity breach, resulting in the unauthorized disclosure of data of over 100 million UnitedHealth patients earlier in the year.
Proposed Security Measures
The proposed regulations would require healthcare institutions to use multifactor authentication in most situations and to segment their networks to reduce the reach of an intrusion. They would also have to ensure that patient data is encrypted, so that it remains unreadable even if stolen. Regulated entities would further be tasked with performing specific risk analysis practices and maintaining compliance documentation, among other duties.
This initiative is part of the cybersecurity strategy the Biden administration launched last year. Once official, it will revamp the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This act oversees doctors, nursing homes, and health insurance companies and underwent its most recent modification in 2013.
According to Reuters, deputy national security advisor Anne Neuberger projects the cost required to implement the new measures at around $9 billion in the first year and $6 billion for the next four years. After being published in the Federal Register on January 6th, a 60-day public comment period will commence before the final rule is established.
HHS Strives To Enhance Cybersecurity Protections
Among the proposed modifications to the Security Rule's specifications, institutions would have to prepare written documentation of all policies, procedures, plans, and analyses related to the Security Rule. They would also need to update annually a technology asset inventory and a network map that traces the movement of ePHI within a regulated entity's electronic information system(s), among other changes.
HHS encourages all stakeholders, including patients, healthcare providers, and government entities, to submit their comments through regulations.gov. The public comment period will run for 60 days after the notice of proposed rulemaking (NPRM) is published in the Federal Register.
In conclusion, while these additional regulations are being finalized, the present Security Rule will stay in effect until the new regulations take effect. This move reflects the Biden administration's firm commitment to safeguarding the cyber-landscape in the healthcare sector.