US proposes tougher cybersecurity rules for healthcare organizations
Healthcare providers in the United States might be forced to beef up their cybersecurity practices in the wake of new proposals made by the U.S. Department of Health and Human Services.
The department's proposals would require healthcare service providers to implement multifactor authentication and encrypt patient data, in order to safeguard that information in the event of a data breach. In addition, organizations would face enhanced compliance checks to ensure that their computer networks adhere to existing cybersecurity rules around patient data.
Reuters said Saturday that the proposals are now undergoing a 60-day public comment period, which will allow healthcare providers and other stakeholders to provide feedback. There may well be some opposition to the proposed changes though, considering the enormous cost required to implement them. According to U.S. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, implementing the new proposals could cost up to $9 billion during the first year, and $6 billion in the following two years.
However, Neuberger argued that the rule changes are necessary to help fend off the growth of ransomware attacks in the healthcare industry. She said the number of large security breaches involving healthcare firms that fell victim to ransomware has increased by 102% since 2019. She added that healthcare data is now commonly being traded across the dark web, and can be used by hackers and other cybercriminals to potentially blackmail individuals.
According to Reuters, the proposals come in the wake of numerous high-profile data breaches involving U.S. healthcare providers. For instance, in February 2024, an attack on UnitedHealth Group Inc.’s subsidiary Change Healthcare resulted in the personal data of more than 100 million Americans being exposed, disrupting that organization’s pharmacy services and billing systems.
Change Healthcare Chief Executive Andrew Witty said at the time that the hackers were able to remotely access its systems, which did not have multifactor authentication enabled.
In another incident in May, the healthcare firm Ascension Health Alliance fell victim to a cyberattack that knocked out the information technology systems at most of its hospitals, forcing some doctors to resort to using pen-and-paper records again.