The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) estimates that 11 health data breaches this year each affected more than 1 million people, and that by 2024 the total number of Americans affected by data breaches will be about 140 million.
These 11 health data breaches, including one at the Centers for Medicare and Medicaid Services (CMS) itself, affected more than 3 million people. A significant portion of these breaches were caused by cyberattacks, and a recent study found that such attacks have a direct impact on patient health by shutting down entire hospital systems.
It’s no wonder, then, that last week OCR sent proposed cybersecurity rules to the White House for final review. OCR stated that the rule’s purpose is to “improve cybersecurity in the healthcare sector by strengthening HIPAA (Health Insurance Portability and Accountability Act) regulated entity requirements.”
Little is known about the specific requirements of the proposed rule, but reading the tea leaves, based on comments made in numerous forums by lawmakers in Washington, D.C., and at HHS itself, one can guess what it would generally include.
The rule introduces two new terms, each with the obligatory government acronym: Systemically Important Entity (SIE) and Cybersecurity Performance Goal (CPG). We’ll likely hear more when the rules are published as early as next month.
Let’s start with CPG. These were rolled out by CMS about a year ago to little fanfare. That’s because these are voluntary best business practices that healthcare organizations may or may not be able to implement.
Currently, the government has published or plans to publish CPGs for nearly every industry through the respective federal agencies, but with healthcare being the number one target for cybercrime, future regulations may make the healthcare CPGs a requirement.
Healthcare CPGs are divided into two categories: Essential and Enhanced. The Essential category is intended to cover business practices that are the actual baseline for what the industry refers to as “good cybersecurity hygiene.” This includes not only technical protections such as multi-factor authentication and strong cryptographic protection, but also more behavioral practices such as employee training and revocation of credentials for departing employees.
Enhanced CPGs are best practices that healthcare organizations should adopt as their technology matures. These include segmenting the network and conducting attack simulations.
HHS has telegraphed that the CPGs could become the basis for mandatory cybersecurity standards that may be imposed on healthcare organizations in the next rule.
Currently, not all healthcare organizations are required to comply with all of the CPGs. HHS is also focusing a lot of attention on the aforementioned SIEs, organizations identified based on their potential to impact critical functions of the nation.
In plain English, an SIE is a healthcare entity that amounts to a choke point in the industry: if an SIE were attacked or impacted, the effects would extend well beyond that one entity and its customers.
In summary, this rule will likely require at least some HIPAA entities, including plans, providers, and clearinghouses, to implement certain security standards, and the SIEs, given their scope and impact, will likely be required to implement specific, and probably many, additional security standards.
Will this cost healthcare facilities money? Sure.
Healthcare famously lags behind other industries in the United States in terms of technology, which is why cybercriminals focus on healthcare rather than other industries, and combating this is both difficult and costly for individual organizations and for the industry as a whole.
The proposed healthcare cybersecurity regulations are expected to be published in November.
Given the possible costs, let’s hope the rule also provides some resources and assistance to the industry in strengthening its cyber defenses.