HHS Issues Rulemaking Proposal to Strengthen Cybersecurity Protections
Health and Human Services (HHS) published a proposed rulemaking in Monday's Federal Register that would modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, requiring regulated entities to strengthen cybersecurity protections and updating HIPAA for the first time since 2013.
The proposal is aimed at improving existing standards for protecting the confidentiality and integrity of electronic protected health information, the department said. It comes in the wake of increased breaches of protected health information due to hacking and ransomware attacks, according to a Morrison Foerster blog on Friday.
“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” said HHS Deputy Secretary Andrea Palm in a news release. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack, but are also more secure and resilient.”
In 2023 alone, a record high of over 167 million individuals were affected by breaches; since 2018, there has been a substantial increase in reports of breaches, according to the HHS press release.
The HHS Office for Civil Rights issued the NPRM with the goal of revising standards for covered entities, including “health plans, health care clearinghouses and most health care providers,” it said in a Dec. 27 fact sheet. Comments are due March 7.
“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats,” said Melanie Fontes Rainer, director of the department’s Office for Civil Rights. “It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation.”