- The Biden administration proposes new cybersecurity rules to prevent healthcare data leaks.
- The proposed rules include data encryption and compliance checks to meet cybersecurity standards.
- The rules aim to address the increasing involvement of business associates in data breaches.
- The administration's approach includes a zero-trust architecture, focusing on data-centric security.
In a significant move to bolster cybersecurity, the Biden administration has proposed new rules aimed at preventing sensitive healthcare data leaks. This proposal comes in the wake of large-scale data breaches that have affected healthcare organizations like Ascension and UnitedHealth. The proposed requirements are deemed necessary considering the massive number of Americans whose data has been compromised due to large-scale healthcare information breaches.
Anne Neuberger, the U.S. deputy national security advisor for cyber and emerging technology, emphasized the urgency of these measures. She highlighted that the healthcare information of more than 167 million people was affected in 2023 due to cybersecurity incidents. The proposed rule from the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) aims to update standards under the Health Insurance Portability and Accountability Act (HIPAA).
The Cost and Process of Implementing New Cybersecurity Rules
The cost of these updates is estimated at $9 billion in the first year and $6 billion in years two through five. The proposed rule was posted to the Federal Register, and a more condensed breakdown was made available on the HHS website. The next step in the process is a 60-day public comment period before any final decisions are made.
Large healthcare breaches caused by hacking and ransomware have increased by 89% and 102%, respectively, since 2019, making these measures all the more critical. Neuberger expressed deep concern over the hacking of hospitals and healthcare data. She pointed out that hospitals have been forced to operate manually and that sensitive healthcare data, mental health information, and other information are being leaked on the dark web, creating opportunities for blackmailing individuals.
Proposed Measures to Enhance Cybersecurity
The proposed rules include encrypting data to prevent access even if leaked, and requiring compliance checks to ensure networks meet cybersecurity rules. The OCR spokesperson stated that these significant proposals aim to improve cybersecurity and protect everyone's health information. The White House's moves have been backed by members of Congress who are exasperated by the continued shutdown of hospitals from ransomware and the nationwide implications of the Change Healthcare breach, which exposed the information of more than 100 million people.
The proposed rules also aim to address the increasing involvement of business associates in data breaches. Business associate breaches increased by 22% year over year in 2023. The proposed rules come at a time when the global cost of cybercrime is predicted to hit $9.5 trillion in 2024. The average cost of a data breach at 553 organizations worldwide in the 12 months ending in March 2023 was a record high of $4.45 million.
The Future of Cybersecurity in Healthcare
The Biden administration's approach to cybersecurity also includes a zero-trust architecture, which assumes that threats exist everywhere and at every level. It puts in place a continuous cycle of validation and authorization, shifting the focus of security from location-centric to data-centric. It does not rely on the fixed perimeter of a networked system, as the boundaries keep shifting with remote usage and cloud services.
* This is a contributed article and this content does not necessarily represent the views of btin.co.in