Editor's Note
The first federal overhaul of the HIPAA Security Rule in over a decade aims to address modern cybersecurity threats but has drawn sharp criticism from health systems over its cost and feasibility, according to a January 13 article in Axios.
According to the article, the proposed changes require HIPAA-covered entities to implement encryption, multifactor authentication (MFA), and regular security audits, alongside written protocols to restore critical data within 72 hours of a cyberattack. The Department of Health and Human Services (HHS) also plans to eliminate providers' discretion in addressing safeguards, estimating compliance costs at $9 billion in the first year and $6 billion annually from years two through five.
Citing HHS, Axios reports large security breaches increased 102% from 2018 to 2023, with ransomware and hacking affecting over 167 million individuals in 2023 alone. Proponents argue these updates are essential for protecting critical infrastructure and patient safety amid escalating cyberattacks, including the widely publicized Change Healthcare breach, which was partly attributed to inadequate MFA.
Critics cited in the article contend the updates impose unrealistic expectations and increased liability on providers. Smaller and financially constrained facilities, such as critical access hospitals, face significant hurdles in meeting requirements for annual assessments and system upgrades. Vendors also must comply with heightened standards, potentially adding to hospital liabilities if a vendor falls out of compliance. Other critics describe the standards as "idealistic," with health systems lacking resources to implement them effectively.
HHS has acknowledged the cybersecurity threat to patient safety and is offering financial and technical assistance from Microsoft and Google for critical access and rural hospitals. However, questions remain about enforcement under the next presidential administration.