Alicia Ault
MedScape.com
Originally posted 10 Jan 25
A new federal rule could force hospitals and doctors’ groups to boost health cybersecurity measures to better protect patients’ health information and prevent ransomware attacks. Some of the proposed requirements could be expensive for healthcare providers.
The proposed rule, issued by the US Department of Health and Human Services (HHS) and published on January 6 in the Federal Register, marks the first time in a decade that the federal government has updated regulations governing the security of private health information (PHI) that’s kept or shared online. Comments on the rule are due on March 6.
Because the risks for cyberattacks have increased exponentially, “there is a greater need to invest than ever before in both people and technologies to secure patient information,” Adam Greene, an attorney at Davis Wright Tremaine in Washington, DC, who advises healthcare clients on cybersecurity, told Medscape Medical News.
Bad actors continue to evolve and are often far ahead of their targets, added Mark Fox, privacy and research compliance officer for the American College of Cardiology.
In the proposed rule, HHS noted that breaches have risen by more than 50% since 2020. Damages from health data breaches are more expensive than in any other sector, averaging $10 million per incident, said HHS.
Here are some thoughts:
The article describes a newly proposed cybersecurity rule intended to strengthen the protection of healthcare data and systems. The rule is particularly relevant to physicians and healthcare organizations because it addresses the growing threat of cyberattacks in the healthcare sector. It calls for enhanced cybersecurity measures, such as stronger security protocols, regular risk assessments, and compliance with updated standards. For physicians, this means adapting to new requirements that may demand additional resources, staff training, and investment in cybersecurity infrastructure. The rule also stresses the importance of safeguarding patient information, since breaches can lead to severe consequences, including identity theft, financial loss, and compromised patient care. Beyond data protection, it aims to prevent disruptions to healthcare operations, such as delayed treatments or system shutdowns, that can follow a cyber incident.
However, while the rule is a necessary step toward addressing these vulnerabilities, it may pose challenges for smaller practices and resource-limited healthcare organizations. Compliance could require significant financial and operational adjustments, creating a real burden for some providers. Even so, the proposed rule reflects a broader trend toward stricter cybersecurity regulation across industries, particularly in sectors such as healthcare that handle highly sensitive information. It underscores the need for proactive measures against evolving cyber threats and for the long-term security and reliability of healthcare systems. Collaboration among healthcare organizations, cybersecurity experts, and regulatory bodies will be essential to implement these measures successfully and to share best practices. Ultimately, while the transition may be demanding, the long-term benefits, such as a reduced risk of data breaches, greater patient trust, and uninterrupted healthcare services, are likely to outweigh the initial costs.