New Health Cybersecurity Rule: What Docs Should Know

A new federal rule could force hospitals and doctors’ groups to boost health cybersecurity measures to better protect patients’ health information and prevent ransomware attacks. Some of the proposed requirements could be expensive for healthcare providers.

The proposed rule, issued by the US Department of Health and Human Services (HHS) and published on January 6 in the Federal Register, marks the first time in a decade that the federal government has updated regulations governing the security of private health information (PHI) that’s kept or shared online. Comments on the rule are due on March 6.

Because the risks for cyberattacks have increased exponentially, “there is a greater need to invest than ever before in both people and technologies to secure patient information,” Adam Greene, an attorney at Davis Wright Tremaine in Washington, DC, who advises healthcare clients on cybersecurity, told Medscape Medical News.

Bad actors continue to evolve and are often far ahead of their targets, added Mark Fox, privacy and research compliance officer for the American College of Cardiology.

In the proposed rule, HHS noted that breaches have risen by more than 50% since 2020. Damages from health data breaches are more expensive than in any other sector, averaging $10 million per incident, said HHS.

The damage can continue for years, as much of the data — such as date of birth — in PHI are “immutable,” unlike a credit card number, the agency said. A review of breach reports made to HHS’ Office for Civil Rights shows near-daily data breaches affecting hundreds to tens of thousands of patients. Since December 1 alone, healthcare providers reported breaches affecting nearly 3 million US patients, according to federal data.

Debi Carr, a Florida-based cybersecurity consultant for small physician and dental practices, welcomed the new proposal. “Many practices are clinging to doing things the way they have always done it, and hackers are taking full advantage of that mindset,” she told Medscape Medical News. “We have to change our mindset.”

Among the proposal’s recommendations:

*A shift away from making security specifications “addressable” to required. Fox said that many interpreted addressable to mean optional. The clarification is important, he said. The government will require greater accountability, including a requirement to annually revise the risk analysis, to review policies and procedures and implementation, and to perform penetration testing, said Greene.

*Requiring multifactor authentication (MFA) and encryption of PHI at rest and in transit. “A reasonable person who does security will tell you that should be a requirement,” said Fox. Carr said the February 2024 Change Healthcare ransomware attack happened because workers at the payment processing company were not using MFA.

*Requiring all entities to verify at least once a year that “business associates” have put into place the required safeguards; the associates would need to provide a written analysis of relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate. In the past, the rule “only required that you sign a business associate agreement” with the associate, which could be a payer, a pharmacy, or another physician practice, said Fox. The rule would require all entities to get certification that the controls are in place, he said.

*Requiring a detailed map of an electronic network. For a physician practice, that means creating an inventory of all the technology assets, including devices, applications, and anything that would touch electronic PHI, and then creating a map of how it comes into the office, flows through it, and departs, said Greene.

*Having a plan of action in the case of a breach. The rule will require written procedures to restore certain relevant systems and data within 72 hours and written incident response plans.

Some physician practices — especially those still relying on passwords instead of more sophisticated MFA or encryption — may have to invest significantly to strengthen their information security, said Greene. Smaller organizations, for example, may need to upgrade systems to ensure that user access is terminated within an hour after someone’s employment ends, he said.

Carr said practices should not view the investments as a burden. The regulation “will force practices to implement best cybersecurity practices,” she said.

Implementing those best practices serves as insurance, said Fox. He suggests that anyone in doubt “talk to someone who’s actually lived through a breach and had to recover.”

Tampa General Hospital, Tampa, Florida, for instance, recently settled a class action suit, agreeing to pay $6.8 million to patients whose PHI was compromised.

It is not certain whether or when the health cybersecurity rule will be made final.

The incoming Trump administration could cancel or delay the rulemaking process.

Even if it continues, “I would not expect a final rule in 2025,” said Greene. He estimates that the rule would not take effect until at least 2026; healthcare entities would have 180 days to comply. Still, those 180 days can go by fast, Greene said.

“I would say don’t panic, but don’t ignore it either,” he said.

Alicia Ault is a Saint Petersburg, Florida-based freelance journalist whose work has appeared in many health and science publications, including Smithsonian.com. You can find her on X @aliciaault and on Bluesky @aliciaault.bsky.social.