Upcoming HIPAA Security Rules Require Stricter Cyber Controls
The US Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is proposing an update to the “Security Rule” of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The proposed Security Rule requires entities like healthcare providers, business associates, and health plans to improve cybersecurity practices. This is the first update the Security Rule has received since 2013, and it’s mostly driven by escalating cyberattacks resulting in compromised patient records and ransomware incidents.
The proposed rule emphasizes the need for updated cybersecurity controls, policies, and procedures to appropriately mitigate internal and external threats.
Why Is HHS Updating The HIPAA Security Rule?
Several factors explain why HHS is updating the HIPAA Security Rule:
- The OCR has noted a surge in large data breaches. Between 2018 and 2023, large data breaches grew by 102%, and the number of individuals affected grew by 1002%. Since 2019, hacking and ransomware incidents have grown by 89% and 102%, respectively.
- The growing frequency and sophistication of cyberattacks pose a direct and major threat to patient safety. Cyberattacks on healthcare delivery organizations have led to disruptions in medical services, delays in medical procedures, and an increase in patient mortality rates.
- The growing reliance of the healthcare sector on interconnected digital devices is also expanding the attack surface, increasing the exposure of healthcare organizations to cyber risks.
The proposed rules also align with Cybersecurity Performance Goals set by the HHS Healthcare and Public Health Critical Infrastructure Sector. HHS views this as a vital step to ensuring that healthcare providers, patients, and communities become more secure and resilient.
What Are The Major Changes In The Proposed HIPAA Security Rule?
Summarized below are some noteworthy changes in the HIPAA Security Rule update:
Standardization in rules: Current HIPAA rules are divided between “required” and “addressable” rules. The required rules, as the name suggests, are mandatory, while the addressable rules are only applicable under specific circumstances—organizations can self-assess and decide whether those rules are applicable to them or not. In the proposed HIPAA Security Rule, the OCR is looking to explicitly codify what must be done instead of leaving it vaguely open to interpretation.
Comprehensive asset inventory: Covered entities will be required to create and maintain an accurate and thorough written technology asset inventory of their electronic information systems and all technology assets that might affect the confidentiality, integrity, and availability of ePHI. In addition, a network map must illustrate the movement of ePHI as it enters and exits information systems and is accessed from outside of such systems. Both the asset inventory and network map must be reviewed and updated every 12 months.
Risk assessments: While the current rule already requires regulated entities to conduct a risk assessment, the proposed rule calls for more comprehensive specifications, including: identifying all reasonably anticipated threats and potential vulnerabilities; documenting security measures; determining the risk level and the potential impact of identified threats; and assessing the risks to ePHI, including those posed by business associates.
Risk-based approach: Covered entities must document and implement a risk management plan to reduce risks to ePHI, including those identified during the risk analysis. Entities are also required to review the written risk management plan at least once annually and update it in accordance with prioritized risks.
User account management: The proposed rule specifies that organizations must implement written policies and procedures that reduce the risks posed by insider threats and manage user accounts more tightly. It specifically requires that organizations handle terminated user accounts more promptly, so that former staff members do not retain access to data after termination.
Security audits and training: The OCR proposes that organizations must perform an audit of their adherence to the HIPAA Security Rule at least once every 12 months. Regulated entities must regularly educate their workforce on the threats to ePHI, the right way to use the tools the organization has implemented, and the specific procedures they must follow to ensure ePHI remains protected.
Vendor risk management: The draft requires that organizations specify stringent cybersecurity measures in business associate agreements and contracts. The contract must specifically require entities to notify their business associates within 24 hours of activating any contingency plans. Business associates are also required to submit annual written analyses and certifications of compliance with technical safeguards, conducted by qualified cybersecurity professionals.
Contingency planning: The OCR has proposed extensive guidelines around contingency planning such as having a written contingency plan consisting of written policies and procedures, creating a prioritized list of critical assets that would help regulated entities determine the order of restoration, establishing and implementing procedures for backups, and creating disaster recovery procedures to restore critical IT systems within 72 hours of a loss.
Technical safeguards, including penetration testing: The suggested rule also requires that regulated entities encrypt all ePHI (with some exceptions), deploy anti-malware protections on all electronic systems that create, receive, maintain, or transmit ePHI, use multi-factor authentication, implement network segmentation to limit ePHI access to only authorized workstations, and conduct vulnerability scanning at least once every six months and penetration testing at least once every 12 months.
The proposed HIPAA Security Rule has been published in the Federal Register and is open for public comment until March 7, 2025. Once public comments are reviewed and considered, a final rule is expected to be published sometime in late 2025. Covered entities will have 180 days to comply with the new rules once they are in effect.
Final Thoughts
The new HIPAA rule is just around the corner, and it’s advisable that organizations kick off their planning and implementation efforts now. Smaller healthcare organizations may lack the budget, bandwidth, or resources to implement these changes. In such situations, it may be beneficial to partner with an experienced third-party service provider who can assist in meeting these complex requirements, or to hire a part-time virtual Chief Information Security Officer (vCISO).
This article was originally posted on Healthcare Business Today.