HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA
madhav
Thu, 01/23/2025 - 06:25
Data Breaches in Healthcare: Why Stronger Regulations Matter
A data breach involving personal health information isn’t just about stolen files—it’s a gut punch to trust and a serious shake-up to people’s lives. Think about it: sharing your deepest, most personal health concerns, only to have them spilled out into the world because of a cyberattack.
Take the Vastaamo data breach, one of the more devastating healthcare hacks. Hackers didn’t just steal psychotherapy records from thousands of people; they used them to blackmail both the company and the patients. The breach wasn’t just about money; it was about therapy records, the most vulnerable and raw parts of someone’s life, weaponized against them. And while Vastaamo is a well-known case, countless other breaches don’t make the headlines. Behind every statistic is a story—real people dealing with real pain. The numbers may be staggering, but the human cost is even greater.
Between 2018 and 2023, large-scale healthcare data breaches increased by 102%. In 2023 alone, over 167 million people were affected. These numbers highlight the widespread and growing threat to patient safety and privacy, underscoring the urgent need for stronger protections.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, established national standards to safeguard sensitive protected health information (PHI) and prevent unauthorized disclosures. In response to ongoing security threats and privacy violations, the Department of Health and Human Services (HHS) has published significant proposed updates to the HIPAA Security Rule, the first substantial revision since 2013. These proposed changes aim to strengthen protections for patient data and enhance trust in healthcare systems.
Notably, the proposal eliminates the distinction between "required" and "addressable" implementation specifications. HIPAA-regulated entities would have to implement every security standard, with discretion allowed only in very specific and limited circumstances. Compliance with the full set of standards thus becomes unequivocally mandatory, significantly raising the baseline for data security expectations. The proposed updates aim to close the gaps that this discretion left open and better protect sensitive information.
New measures proposed by HHS
- Multi-Factor Authentication (MFA): Clear definitions to enhance security when accessing sensitive systems.
- Encryption of ePHI: Protecting electronic health information, even if it’s intercepted.
- Regular Risk Assessments: Ensuring organizations remain vigilant against emerging threats.
- Access Controls and Endpoint Security: Modern safeguards to prevent unauthorized access.
- Accountability for Partners: Holding business associates and subcontractors to the same high standards.
- Alignment with NIST Guidelines: Incorporating recognized cybersecurity best practices.
- Stronger Penalties: Increasing consequences for negligence and repeated breaches.
These updates aren’t just technical fixes—they are essential steps to protect the lives and trust of patients. They aim to ensure healthcare organizations are prepared to face today’s increasingly sophisticated cyber threats.
Once the rule is finalized, regulated entities would have 180 days from its effective date to comply, with only limited extensions available.
Why This Matters
Cybersecurity in healthcare has traditionally focused on network defenses, often overlooking the need for data-centric security. At Thales, we protect data and all paths to it, ensuring comprehensive safeguards. Cyberattacks on PHI not only disrupt systems but also jeopardize patient safety and mental health. The HHS proposal addresses these vulnerabilities, offering a path to rebuild trust. With HIPAA penalties reaching up to $1.9 million annually and potential jail time for violations, adopting a data-centric security approach is essential for safeguarding sensitive information and ensuring compliance.
Call to Action: Your Next Steps
- Assess Security Gaps: Evaluate your current cybersecurity measures and identify vulnerabilities.
- Conduct Risk Assessments: Regularly review risks and align with NIST cybersecurity best practices.
- Implement Multi-Factor Authentication (MFA): Use MFA to secure access to sensitive systems.
- Encrypt Electronic Protected Health Information (ePHI): Protect all electronic patient data with encryption in transit and at rest.
Conclusion
Stronger cybersecurity measures are no longer optional—they are critical to safeguarding the trust and safety of patients. By adopting data-centric security practices and aligning with the proposed HHS updates, healthcare organizations can protect what matters most: the people behind the data.
Sumanth Kakaraparthi | VP Product Management
The post HHS Office for Civil Rights Proposes Measures to Strengthen Cybersecurity in Health Care Under HIPAA appeared first on Security Boulevard.