U.S. Proposes New Cybersecurity Rules to Protect Healthcare Data

The Biden administration has proposed new cybersecurity rules to enhance the protection of patient data in healthcare organisations. These measures aim to reduce the impact of data breaches and cyberattacks, which have increasingly targeted the healthcare sector.

The proposed rules, introduced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), include the following:

Mandatory Multifactor Authentication: Users must provide multiple forms of verification before accessing sensitive systems, strengthening security.

Data Encryption: Patient information must be encrypted to ensure it remains inaccessible to unauthorised individuals, even if compromised.

Network Segmentation: Networks must be divided into segments to contain potential breaches and prevent cyber threats from spreading.

Comprehensive Risk Analysis: Regular assessments are required to identify and address vulnerabilities in healthcare IT infrastructures.

Compliance Documentation: Organisations must maintain detailed records to demonstrate adherence to cybersecurity protocols.

Also Read: NITDA Issues Cybersecurity Alert on Potential Spotify Threats

These updates aim to amend the Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), last revised in 2013. The initial implementation costs are estimated at $9 billion in the first year, followed by $6 billion annually over the next four years.

The proposal will be published in the Federal Register on 6 January 2025, initiating a 60-day public comment period.

This initiative forms part of the broader cybersecurity strategy announced by the Biden administration, reflecting a commitment to protecting sensitive health information against evolving cyber threats.