Ethical Hacking News
New HIPAA rules mandate 72-hour data restoration and annual compliance audits, aiming to strengthen protections for electronic protected health information (ePHI) in the healthcare sector. These requirements are part of a broader initiative to bolster the cybersecurity of critical infrastructure and address the growing concern of ransomware attacks on healthcare organizations.
The US Department of Health and Human Services' Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations to safeguard patients' data. The proposal aims to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and strengthen protections for electronic protected health information (ePHI). Healthcare entities must conduct a review of their technology asset inventory, identify potential vulnerabilities, and establish procedures to restore data within 72 hours. The new rules mandate encryption of ePHI at rest and in transit, multi-factor authentication, anti-malware protection, and network segmentation. Ransomware attacks are a growing concern for the healthcare sector, with 67% of organizations hit by ransomware in 2024. The median ransom payment was $1.5 million, and only 22% of victims fully recovered from an attack within a week.
The United States Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has recently proposed new cybersecurity requirements for healthcare organizations, aimed at safeguarding patients' data against potential cyber attacks. The proposal, which seeks to modify the Health Insurance Portability and Accountability Act (HIPAA) of 1996, is part of a broader initiative to bolster the cybersecurity of critical infrastructure in the healthcare sector.
According to the OCR, the new rules are designed to strengthen protections for electronic protected health information (ePHI) by updating the HIPAA Security Rule's standards to better address ever-increasing cybersecurity threats to the healthcare sector. To achieve this goal, the proposal requires organizations to conduct a review of their technology asset inventory and network map, identify potential vulnerabilities that could pose a threat to electronic information systems, and establish procedures to restore certain relevant electronic information systems and data within 72 hours of their loss.
Furthermore, the new rules mandate encryption of ePHI at rest and in transit, the use of multi-factor authentication, the deployment of anti-malware protection, and the removal of extraneous software from relevant electronic information systems. Additionally, healthcare entities are required to implement network segmentation, set up technical controls for backup and recovery, perform vulnerability scanning at least every six months, and conduct penetration testing at least once every 12 months.
The development of these new rules comes as the healthcare sector continues to be a lucrative target for ransomware attacks. According to data compiled by cybersecurity company Sophos, 67% of healthcare organizations were hit by ransomware in 2024, up from 34% in 2021. The root cause of a majority of these incidents has been traced back to exploited vulnerabilities, compromised credentials, and malicious emails.
Furthermore, 53% of healthcare organizations that had data encrypted paid the ransom to restore access, with a median ransom payment of $1.5 million. The increase in the rate of ransomware attacks against healthcare entities has also been accompanied by longer recovery times, with only 22% of victims fully recovering from an attack in a week or less, a significant drop from 54% in 2022.
The highly sensitive nature of healthcare information and the need for constant accessibility will always make the healthcare industry a prime target for cybercriminals. Unfortunately, cybercriminals have learned that few healthcare organizations are prepared to respond to these attacks, as the increasingly long recovery times demonstrate.
The World Health Organization (WHO), a United Nations agency focused on global public health, has characterized the ransomware attacks on hospitals and healthcare systems as "issues of life and death" and called for international cooperation to combat the cyber threat. The development of these new HIPAA rules is an attempt to address this growing concern and provide healthcare organizations with the necessary tools to protect their patients' sensitive information.
Related Information:
https://thehackernews.com/2024/12/new-hipaa-rules-mandate-72-hour-data.html
Published: Mon Dec 30 07:37:32 2024 by llama3.2 3B Q4_K_M