U.S. Proposes Stricter Cybersecurity Rules for Healthcare Organizations

Healthcare providers across the United States may soon face new, stringent cybersecurity requirements under proposals from the U.S. Department of Health and Human Services (HHS), aimed at strengthening protections for sensitive patient data.

The proposed measures would mandate the implementation of multifactor authentication and data encryption to safeguard against breaches. Additionally, organizations would undergo enhanced compliance checks to ensure their systems adhere to existing cybersecurity regulations, according to an announcement by HHS.

The full proposal, released Friday and now open for a 60-day public comment period, comes in response to a surge in cyberattacks targeting the healthcare sector. Large-scale breaches involving ransomware attacks on hospitals and other healthcare entities have grown by 102% since 2019, according to Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Technology.

"Healthcare data is now frequently traded on the dark web, putting millions of Americans at risk of identity theft and blackmail," Neuberger said during a press briefing. "These proposals are crucial to mitigating these growing threats."

The economic impact of the proposed regulations, however, has raised concerns. Implementation costs are estimated to reach $9 billion in the first year and $6 billion annually for the following two years, potentially sparking opposition from some stakeholders.

Still, Neuberger emphasized that the escalating risks justify the investment. She cited recent high-profile breaches, such as the February 2024 attack on UnitedHealth Group Inc.’s subsidiary Change Healthcare, which exposed the personal data of over 100 million Americans. The breach disrupted pharmacy services and billing systems, with hackers exploiting the absence of multifactor authentication.

In another incident in May 2024, Ascension Health Alliance suffered a cyberattack that disabled IT systems in many of its hospitals, forcing medical staff to rely on pen-and-paper records.

"The consequences of these breaches are not just financial but operational," Neuberger said. "They disrupt patient care, create widespread inefficiencies, and erode public trust in the healthcare system."

The proposals would also update cybersecurity standards under the Health Insurance Portability and Accountability Act (HIPAA). HHS officials argue that encrypting patient data—even if stolen—and conducting regular compliance checks would significantly reduce the risk of sensitive information being leaked.

The scale of the problem is staggering: in 2023 alone, more than 167 million individuals were affected by healthcare data breaches, according to HHS.

"We recognize the cost burden these regulations impose," Neuberger said. "But the costs of inaction—both in financial and human terms—are far greater."

The proposals reflect a broader federal push to combat ransomware attacks across critical sectors, including healthcare. Stakeholders have until the end of the public comment period to weigh in before the measures are finalized.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
