The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations to protect patients’ personal data in the event of a cyberattack, Reuters reports. The regulations follow large-scale cyberattacks, such as the one that compromised the personal information of more than 100 million UnitedHealth patients earlier this year.
OCR’s proposal calls for healthcare organizations to require multi-factor authentication in most circumstances, segment networks to reduce the risk of an intrusion spreading from one system to another, and encrypt patient data so that it remains unreadable if it is stolen. It also directs regulated groups to perform certain risk analysis practices, maintain compliance documentation, and more.
This regulation is part of the cybersecurity strategy announced by the Biden administration last year. If finalized, it would update the security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates doctors, nursing homes, health insurance companies and others, and which were last updated in 2013.
U.S. National Security Advisor Anne Neuberger estimated the cost of implementing the requirements at “about $9 billion in the first year and $6 billion over years 2 to 5,” Reuters reports. The proposal is scheduled to be published in the Federal Register on January 6, beginning a 60-day public comment period before the rule is finalized.