The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has proposed updates to the HIPAA Security Rule to enhance protections for electronic protected health information (ePHI) amid rising cybersecurity threats. The proposed changes include mandatory encryption of ePHI, multi-factor authentication, anti-malware protections, network segmentation, and regular vulnerability assessments. Organizations must also restore lost data within 72 hours, conduct annual compliance audits, and implement robust backup and recovery systems. These measures aim to address the surge in ransomware attacks, which have targeted 67% of healthcare entities in 2024, causing extended recovery times and financial losses. The World Health Organization (WHO) has underscored the critical nature of these threats, describing ransomware attacks on healthcare as "issues of life and death."

‍