Breaking News

Biden Administration Proposes New Cybersecurity Rules to Tackle Rising Healthcare Data Breaches

Written by Maria-Diandra Opre | Jan 7, 2025 4:51:44 PM

On December 27, 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This proposal follows a series of high-profile cyberattacks on hospitals and healthcare networks that have exposed millions of patients' sensitive medical records, disrupted services, and put lives at risk.

Cyberattacks on healthcare systems in 2024 reached unprecedented levels of severity, targeting institutions ranging from small clinics to major insurance providers. The Salt Typhoon ransomware attack in September was among the year’s most damaging breaches. The group crippled a large U.S. healthcare network, exposing millions of patient records and forcing hospitals to suspend digital operations. After ransom demands were refused, the attackers leaked highly sensitive medical details — including mental health treatments and reproductive health procedures — on the dark web. Patients, some of whom had undergone substance abuse programs or sensitive surgeries, found their private information circulating online.

The proposed updates aim to address escalating cybersecurity threats in the healthcare sector by strengthening protections for electronic protected health information (ePHI). These changes seek to modernize the 28-year-old legislation to align with today’s cyber landscape, dominated by ransomware, phishing attacks, and data breaches. Key proposals include:

  • Mandatory encryption of ePHI to protect data both in transit and at rest.
  • Comprehensive risk assessments to proactively identify vulnerabilities.
  • Enhanced incident response protocols to quickly contain and mitigate attacks.
  • Stricter vendor management requirements to ensure third-party providers meet robust security standards.

This NPRM is part of the Biden administration’s broader initiative to bolster the nation’s cyber defenses after a year of devastating attacks on healthcare organizations. The sector has increasingly become a prime target for hackers due to its vast repositories of sensitive personal and medical information, which are highly lucrative on the dark web.

Healthcare organizations will face tougher reporting requirements and will be expected to demonstrate proactive risk management, shifting the focus from reacting to breaches to preventing them. The administration’s proposal aligns with global efforts to improve healthcare cybersecurity, such as the European Union’s NIS2 Directive, which mandates cyber resilience for critical sectors, including healthcare.

When hospitals are hacked, patients suffer. Delayed treatments, exposed private information, and suspended operations put lives at risk. Hospitals hit by ransomware face a critical decision: pay the ransom or attempt to restore systems independently. Either choice has consequences, with ransomware attacks often forcing emergency room closures, appointment cancellations, and the loss of vital patient care.

The proposed updates to the HIPAA Security Rule represent a turning point for the healthcare industry, reframing cybersecurity as a fundamental component of patient care rather than just an IT issue.