HIPAA to be updated with cybersecurity regulations, White House says
New cybersecurity rules covering how healthcare institutions protect user data will be proposed under the Health Insurance Portability and Accountability Act (HIPAA), according to a White House official.
“The security rule [under HIPAA] was first published in 2003 and it was last revised in 2013, so this is the first update to this 20-year rule in over a decade, and it will require entities who maintain healthcare data to do things like encrypt that data so if attacked, it cannot be leaked on the web and endanger individuals,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters Friday.
The Department of Health and Human Services (HHS) will publish a draft of the updated rules in the Federal Register for public comment, Neuberger said.
Healthcare entities also will have to monitor their networks for threats and do compliance checks to see whether they are abiding by the new HIPAA rules, according to Neuberger, who added that the White House believes the implementation cost of the proposed rule for the healthcare industry would be about $9 billion in the first year and $6 billion annually for years two to five.
“The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences,” she explained.
HIPAA was initially signed into law in 1996 and governs how healthcare data is shared by hospitals, insurers and patients. Neuberger said the new rules would add “clarity and specificity” about cybersecurity to HIPAA.
The White House decided to embark on the effort in recent months due to a five-year increase in healthcare data breaches, capped by 2024, a year that saw two of the most significant healthcare incidents in U.S. history: the ransomware attacks on Change Healthcare and the Ascension hospital network.
Neuberger argued that while the average cost of a healthcare breach in 2023 was $10.1 million, organizations like Ascension and Change Healthcare are facing potentially disastrous losses. The parent company of Change Healthcare, UnitedHealth Group, estimated that the February incident cost the company upwards of $850 million.
“Since 2019, large breaches caused by hacking and ransomware have increased 89% and 102% and I must say, in this job, one of the most concerning and really troubling things we deal with is hacking of hospitals, hacking of healthcare data,” she said.
“We see hospitals forced to operate manually. We see American sensitive healthcare data, sensitive mental health data, sensitive procedures, being leaked on the dark web with the opportunity to blackmail individuals with that.”
One year ago, HHS added cybersecurity rules for healthcare institutions that deal with the Medicare and Medicaid programs, ostensibly tying federal payments to baseline standards. At the time, HHS floated the idea of adding cybersecurity measures to HIPAA — with one concept centering around increasing civil monetary penalties for HIPAA violations like breaches.
The White House moves have been backed by members of Congress who are exasperated by the continued shutdown of hospitals from ransomware and the nationwide implications of the Change Healthcare breach — which the company said exposed the information of more than 100 million people.
HHS published a 122-page guide in February explaining to HIPAA-covered entities that they have to begin undertaking cybersecurity risk assessment and risk management efforts.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.