Strengthening Cybersecurity in the Healthcare Sector
The UnitedHealth Group’s mammoth hack last year did more than encourage Congressional scrutiny; it also prompted a proposed update of federal healthcare cybersecurity rules. With the public consultation on that now closed, all eyes are on the executive branch to see what it does next.
Last Friday, March 7, 2025, was the deadline for public comment on a proposed major upgrade to the security rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The upgrade would impose stiffer cybersecurity requirements on the broad range of organizations already covered by HIPAA.
An Antiquated Law In A Fast-Modernizing Sector
When HIPAA was passed, the Palm Pilot was the state of the art in handheld tech, Hotmail was new, Google hadn’t launched yet, and only 36 million people used the web. The law hasn’t been updated in any substantive way since 2013.
In the meantime, the way the healthcare system processes information has changed substantially. The HITECH Act and 21st Century Cures Act encouraged tech investment and data sharing, ushering in a period of rapid modernization.
The US Department of Health and Human Services (HHS) felt the rules needed updating to reflect the times. In December, it proposed the new cybersecurity rule as a direct response to what it sees as a growing barrage of cyber attacks against the sector.
A Rising Tide Of Healthcare Breaches
HHS maintains its own data breach figures via its Office for Civil Rights (OCR). It found that large breach incidents doubled between 2018 and 2023, while the number of individuals affected grew tenfold, indicating that individual breaches are becoming more impactful. This isn’t surprising given the growth of ransomware, which HHS specifically calls out. It also cited the breach at UnitedHealth Group’s Change Healthcare subsidiary, which, with 190 million victims, affected over half the US population. That breach alone is sure to drive up 2024’s numbers substantially, HHS warned.
Other industry figures bear this out. The 2024 Ponemon Cybersecurity in Healthcare report said that 92% of healthcare organizations surveyed had suffered at least one cyber attack in the previous year. On average, the most expensive attack that each victim suffered cost them $4.7m, and 79% reported that the attacks had disrupted patient operations.
Pressure From Congress
Lawmakers have also called for firmer regulation of cybersecurity in healthcare. Three months earlier, Senate Finance Committee Chair Ron Wyden and Senator Mark Warner, both Democrats, introduced the Health Infrastructure Security and Accountability Act (HISA), which called upon HHS to implement tougher cybersecurity rules while removing civil penalty caps for covered entities that violate the rule. After the hack, Wyden was a particularly aggressive critic of UnitedHealth Group, calling for a federal investigation into the company’s cybersecurity practices.
Strict New Measures
The proposed HHS rule update removes the idea of ‘addressable’ security measures that aren’t strictly required, instead making all of its outlined measures mandatory. It adds specific deadlines for many of the existing requirements, and all security policies must be documented in writing.
Risk analysis: Organizations must produce written assessments based on an annually reviewed asset inventory and a network map that tracks how electronic protected health information (ePHI) moves through their systems. They must identify all threats to that information and those systems and classify them by risk level.
Incident response and disclosure: The proposed rule also calls for tighter response measures, including written plans to report security incidents and to restore systems and data access within 72 hours, prioritized by criticality. Business associates must also notify the organizations they serve within a set period if they activate their contingency plans.
Compliance audits: Healthcare organizations must undergo an annual compliance audit against the security rule and get a written verification by an expert that all of their business associates comply with the rule. Similarly, business associates must get the same from their contractors.
Technical controls: All ePHI must be encrypted at rest and in transit, and both multi-factor authentication and anti-malware protection become mandatory. Extraneous software must be removed from relevant systems, network ports that aren’t needed must be disabled, and networks must be segmented. There must be separate, dedicated controls for backup and recovery, and systems must be scanned for vulnerabilities every six months and subjected to an annual penetration test.
Group plan sponsors: The proposed rule update also affects organizations like employers that take out group health plans. Their plan documents must include requirements to comply with the proposed security rule, and they must ensure that the health insurance agent taking their ePHI does the same. If they have to activate their incident response plan, they must notify their plan members within 24 hours.
What It Means For Healthcare Companies
The new mandatory measures contrast with the largely voluntary approach to cybersecurity standards that has prevailed until now. In January 2024, HHS published its 405(d) program, a set of voluntary security practices for healthcare organizations. However, these were presented as part of a broader plan to impose more cybersecurity accountability on the industry.
Like HIPAA itself, the proposed update applies to downstream healthcare providers such as hospitals, along with upstream organizations such as health plans, insurance providers, and the healthcare clearinghouses that funnel ePHI between them. Business associates, the companies that handle PHI on behalf of those covered entities, are also within scope.
Readers who think these changes amount to basic cyber hygiene aren’t alone. The proposed update represents a substantial upgrade to HIPAA’s existing rules, say legal experts, but it also fills a regulatory gap by bringing the sector more in line with currently accepted cybersecurity guidance such as NIST’s Cybersecurity Framework.
“For organizations that have already adopted these ‘best practices’, many of the new Proposed Rule requirements will be familiar and, in many cases, will have already been implemented,” argue Brian G. Cesaratto, Lisa Pierce Reisz, and Alaap B. Shah of Epstein Becker & Green in the National Law Review. For such organizations, the lion’s share of the work will likely involve flurried paper shuffling and form filling to satisfy the administrative requirements.
However, for covered organizations that have been lax in their cybersecurity measures, there will be some heavy lifting to do. HISA, which is still at the committee stage, had some significant add-ins. In particular, it carved out $800m in funding for rural and urban safety net hospitals to achieve compliance, with a further $500m after that period for all other hospitals.
The HHS’s rule update doesn’t seem to offer such funding. That could be a sticking point.
“Given that the Security Rule’s standard of ‘reasonable and appropriate’ safeguards must account for cost, size, complexity, and capabilities, the more prescriptive proposals in the NPRM [notice of proposed rule making] and lack of addressable requirements present a heavy burden — especially on smaller providers,” write Amy S. Leopard, partner at Bradley Arant Boult Cummings LLP, and her associate Adriante Carter.
What Happens Next
Following the end of the public consultation period, HHS is likely to collate and respond to the comments. Typically, the rule would be amended to accommodate some of them, and the industry would then be required to comply 180 days after the Department finalized it.
However, whether or not the NPRM proceeds in its current form – or any form at all – is uncertain. The recent administrative change in the US has heralded unprecedented policy changes at jaw-dropping velocity. With Robert F Kennedy Jr now manning the tiller at the Department, and with the current president maintaining a long-standing deregulatory approach and seemingly defunding as much federal government operation as possible, the political landscape for the rest of 2025 is anyone’s guess.