
U.S. health department proposes major HIPAA overhaul to strengthen cybersecurity

Photo from Alex Wong/Getty Images

WASHINGTON D.C., UNITED STATES — The U.S. Department of Health and Human Services (HHS) recently unveiled a proposed update to the HIPAA Security Rule, marking the first significant revision since 2013. 

The proposal, released by the Office for Civil Rights (OCR), aims to address the growing wave of cyberattacks and data breaches targeting the healthcare sector by strengthening protections for electronic protected health information (ePHI).

The changes are intended to clarify existing requirements and give regulated entities (covered entities and their business associates, wherever they are located) that handle American patient data more prescriptive guidance on cybersecurity practices.

According to OCR, reports of large breaches (those affecting 500 or more individuals) increased by 102% from 2018 to 2023, while the number of individuals affected rose by 1,002%.

Critical security measures for healthcare providers

The proposed rule would make several measures mandatory, including:

  • Technology asset inventory and network map: Regulated entities must develop, and update at least every 12 months, a written inventory of their technology assets and a network map showing how ePHI moves through their systems.
  • Risk analysis: Entities must produce a written risk analysis that draws on that inventory and map, identifies reasonably anticipated threats to and vulnerabilities of the systems holding ePHI, and assesses the risk level of each.
  • Multi-factor authentication (MFA): MFA would be required for access to systems holding ePHI, with limited exceptions.
  • Vulnerability scanning and penetration testing: Systems must be scanned for vulnerabilities at least every six months and penetration tested at least once a year.
  • Encryption: ePHI would have to be encrypted at rest and in transit, with limited exceptions.

OCR Director Melanie Fontes Rainer emphasized the urgency of these updates, citing the “rampant escalation in ransomware and hacking” as a direct threat to patient safety. She also pointed to the Change Healthcare breach—the largest in U.S. healthcare history—as evidence of the sector’s vulnerability.

Addressing cybersecurity gaps in healthcare

The proposal also targets compliance deficiencies that OCR says it sees repeatedly in its investigations. Regulators noted that some organizations treat the current rule's "addressable" implementation specifications as optional, even though the existing rule already requires an entity either to implement them or to document why doing so is not reasonable and appropriate and to adopt an equivalent alternative safeguard.

The updated rule would remove the distinction between "required" and "addressable" specifications entirely, making every provision mandatory unless explicitly exempted.

Part of a broader cybersecurity initiative

This update aligns with the Biden Administration’s 2023 National Cybersecurity Strategy and HHS’s broader efforts to fortify healthcare cybersecurity. In late 2023, HHS introduced voluntary cybersecurity goals and outlined plans for stricter hospital requirements under Medicare and Medicaid programs.

Additionally, lawmakers such as Senators Ron Wyden and Mark Warner have proposed legislation directing HHS to establish minimum cybersecurity standards while providing financial support to hospitals for implementation.

Economic impact of compliance

HHS estimates that implementing these changes will cost $9 billion in the first year and $6 billion annually over the following four years. However, officials argue that reducing breaches by even 7% could offset these costs, making the revisions economically viable.

If finalized, these updates could significantly enhance protections for sensitive patient data amid an increasingly hostile cyber landscape.

