White House Strengthens Cyber Requirements for Health Data for First Time in 10 Years

Pondurance
January 14, 2025

The White House recently released updated regulations outlining requirements for organizations to better protect the security of protected health information (PHI) entrusted to health providers, third parties, insurers, and others that handle such sensitive data. This draft Notice of Proposed Rulemaking (NPRM), issued by the U.S. Department of Health and Human Services (HHS) and published in the Federal Register on January 6, 2025, represents the first significant update to the HIPAA Security Rule in over 10 years.


This update comes as the pace of incidents involving patient PHI at U.S. healthcare and business associate organizations continues to grow. In 2024, 703 data breaches of PHI, each affecting more than 500 individuals, were reported to HHS through its Office for Civil Rights (OCR), representing a record 184 million compromised records, an increase of 9.4% from the prior year.

Source: HIPAA Journal, The Biggest Healthcare Data Breaches of 2024, January 7, 2025

Healthcare data, and the organizations entrusted with PHI, such as healthcare providers, insurance companies, payment processors, and health tech companies, remain among the sectors most heavily targeted by cybercriminals. There are numerous reasons for this, but the top considerations are:


  1. Patient data is valuable to criminals, both for sale on the dark web and for direct use in medical and healthcare payment fraud.

  2. Healthcare organizations cannot operate effectively when their technical operations are disrupted, making them prime targets for ransomware attacks. Strategies to protect against ransomware are therefore crucial.

  3. Health data must be easily accessible and shared broadly within the healthcare setting to provide quality medical care, so distributed and broadly accessible systems are both a requirement and a source of exposure.


The new proposed HIPAA Security Rule, promulgated by HHS, brings the requirements up to current cybersecurity best practices. These include the requirement that PHI be encrypted both at rest and in transit, that systems use multifactor authentication (MFA), and that both HIPAA-covered entities and business associates carry out preventive actions to monitor and improve their security posture at least once per year. These actions include security risk assessments, penetration tests, and HIPAA compliance audits.


For these reasons, organizations that manage health data are increasingly turning to managed detection and response (MDR) providers like Pondurance, especially for MDR services tailored to healthcare. These providers supply the tools, technologies, and skilled personnel needed to prevent, detect, and respond effectively to cybersecurity risks, along with HIPAA-specific advisory, technical, and compliance services and cyber insurance forensics. Organizations also gain access to a top-tier forensics and security incident response (IR) team that can be on call under an incident response retainer agreement, supported by a robust incident response framework.


Having a comprehensive IR plan in place is crucial for organizations to handle incidents effectively as they arise. To see a demo of the Pondurance MDR platform, speak with one of our advisors about our HIPAA compliance solutions, or get a quote for our quick-start incident response retainer, contact Pondurance.
