Cyber crackdown could cost hospitals billions

Illustration: Sarah Grillo/Axios
Hospitals are bracing for a sweeping rewrite of federal health privacy rules that could result in more penalties for cybersecurity breaches and add billions of dollars in costs.
Why it matters: Spurred by the massive Change Healthcare hack in 2024, the changes reflect a growing belief that at least some health care breaches are preventable and that hospitals should be required to meet baseline security standards.
The big picture: Hospitals and other health providers are increasingly fighting cyberattacks on outdated systems that put valuable patient data at risk and threaten serious disruptions of care.
- The update of the Health Insurance Portability and Accountability Act, launched by the Biden administration, is the biggest overhaul of the landmark privacy law since 2013 and is due to be finalized as early as this month.
- Patient data would have to be secured with safeguards such as multi-factor authentication, the lack of which was a key failure cited in the Change hack.
- It would also mandate encryption, threat scanning and security plans including procedures to restore systems within 72 hours.
By the numbers: Hospitals would have only about eight months to comply, at a cost of roughly $9 billion in the first year and $6 billion a year afterward, per the Department of Health and Human Services.
- A key feature is that revisions would greatly expand what regulators can enforce as HIPAA violations and put organizations on the hook for $68,000 in civil penalties per violation.
More than 100 organizations led by the College of Healthcare Information Management Executives called on the Trump administration to withdraw the proposal, saying it would "place substantial new financial burdens on health care providers and includes unreasonable implementation timelines."
- Some requirements in the proposed rule, such as restoring systems within 72 hours, are impractical, said John Riggi, cybersecurity adviser for the American Hospital Association. "No organization can restore safely within 72 hours."
- The revamped rules also don't take into account that cyberattacks are often launched by government-backed foreign actors and should be viewed as a form of cyber warfare, Riggi said.
- "How can any smaller or less-resourced, private entity be expected to defend against that?" Riggi said.
HHS didn't respond to requests for comment.
Yes, but: Many regulators and cybersecurity experts counter that most health care breaches stem from basic security failures rather than from unavoidable, sophisticated attacks.
- In the proposal, HHS said the overhaul was designed to address "common deficiencies" federal regulators identify during HIPAA investigations.
- "This is not new stuff if you're paying attention at all to your data," said Lisa Pierce Reisz, a lawyer at the firm Epstein Becker Green. "The HIPAA security rules are, frankly, catching up to what should be best practices for any type of industry."
What to watch: Industry groups are still trying to persuade the administration to narrow the requirements, lengthen the compliance timelines and help reduce the associated costs.
