The U.S. Department of Health and Human Services (HHS) is advancing new cybersecurity mandates for healthcare organizations to safeguard patient data against rising cyber threats. These proposed regulations aim to enhance data protection and respond to increasing incidents of large-scale data breaches.

The Office for Civil Rights (OCR) is spearheading the initiative, outlining requirements for multi-factor authentication, network segmentation, and mandatory data encryption. These measures are designed to prevent unauthorized access and limit the impact of any successful cyber intrusion. Additionally, the new rules would require healthcare entities to conduct risk assessments and maintain thorough compliance records.

The proposal is part of the Biden administration's broader cybersecurity strategy and would update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for the first time since 2013. The proposed changes target a wide range of healthcare providers, including hospitals, insurance companies, and nursing homes.

According to estimates provided by Deputy National Security Advisor Anne Neuberger, initial implementation costs are projected at $9 billion, followed by $6 billion annually for the subsequent four years. The proposal, set for publication in the Federal Register on January 6th, will initiate a 60-day public comment period before being finalized.