HHS Proposes First Cybersecurity Overhaul in Two Decades for Electronic Health Data

Jan 14, 2025, 12:04 AM

The U.S. Department of Health and Human Services (HHS) has proposed a major update to its cybersecurity rules for electronic health data, marking the first significant overhaul in two decades. Announced by the HHS Office for Civil Rights on January 6, the proposed rule aims to address the increasing frequency and sophistication of cyberattacks targeting the healthcare sector, including hospitals, physicians' groups, and the broader healthcare supply chain. Key changes include mandatory encryption of health data at rest and in transit, annual risk assessments, multifactor authentication, and stricter compliance requirements for business associates such as vendors and contractors. The proposal also eliminates flexibility in security measures, requiring all entities to adhere to uniform standards. HHS noted that breaches have risen by more than 50% since 2020, with damages averaging $10 million per incident. The rule is designed to enhance the protection of patient health information and reduce the impact of ransomware attacks, such as the February 2024 Change Healthcare ransomware attack. Public comments on the proposed rule are due by March 6, 2025, and the final implementation timeline remains uncertain, especially with the incoming Trump administration, which may influence the rulemaking process.