HHS Proposes HIPAA Security Rule Update to Strengthen Healthcare Cybersecurity
HIPAA-covered entities and their business associates are facing much tougher cybersecurity requirements, should the recently proposed HIPAA Security Rule update be enacted. A draft copy of the proposed rule – Health Insurance Portability and Accountability Act Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information – was released by the U.S. Department of Health and Human Services (HHS) last week and a Notice of Proposed Rulemaking (NPRM) will be published in the Federal Register on January 6, 2025.
The HIPAA Security Rule is more than two decades old, and there has not been a major Security Rule update since the HIPAA Omnibus Rule of 2013 which implemented changes required by the HITECH Act. A lot has changed in the past 10 years, including locations where healthcare is provided and significant changes in technology. What has also changed is the frequency and sophistication of cyberattacks and the number of large healthcare data breaches.
In 2013, 277 large data breaches were reported to OCR involving 7,018,839 healthcare records, with only 29 of those data breaches due to hacking/IT incidents. Fast forward 5 years to 2018 and there were 369 large data breaches involving 15,236,139 healthcare records, including 165 hacking/IT incidents. Five years on in 2023, 747 large data breaches were reported involving 168,114,231 healthcare records, including 606 hacking/IT incidents.
That's a 102% increase in hacking incidents between 2018 and 2023 and a 1002% increase in breached records. Since 2019, large data breaches caused by hacking incidents have increased by 89% and ransomware-related data breaches have increased by 102%. These figures show that the current HIPAA Security Rule is no longer effective at preventing data breaches, and if past HIPAA audits are anything to go by, many HIPAA-regulated entities are not fully compliant with the HIPAA Rules.
The HHS has taken steps to improve healthcare cybersecurity by developing cybersecurity performance goals (CPGs) specific to the healthcare sector. Those CPGs were issued in January 2024 and consist of high-impact measures for improving cybersecurity, although they are voluntary. The proposed HIPAA Security Rule update includes some of the CPG cybersecurity measures and incorporates the latest cybersecurity guidelines, best practices, procedures, and processes. The terminology of the HIPAA Security Rule has also been modified to bring the Rule up to date, with changes also made to address court decisions that have affected OCR's enforcement of the HIPAA Security Rule.
The proposed rule also provides greater clarity and more specific instructions to help with compliance, including what is required from a risk analysis – one of the most commonly identified areas of non-compliance with the HIPAA Security Rule – and time frames have been added for compliance with certain elements of the HIPAA Security Rule. OCR has also largely removed the "addressable" implementation specifications, with almost all implementation specifications now required.
The proposed update runs to 393 pages, some of the key provisions of which are:
- Security policies and procedures must be in writing and be reviewed and updated on a regular basis
- Internal audits of compliance with the HIPAA Security Rule must be conducted by each regulated entity at least every 12 months
- The effectiveness of security controls must be tested at least annually, with penetration tests conducted at least every 12 months
- Vulnerability scans must be conducted at least every 6 months
- Multifactor authentication must be implemented, with limited exceptions
- Encryption must be used for all ePHI at rest and in transit, with limited exceptions
- Regulated entities must use network segmentation
- Anti-malware protection must be deployed
- Extraneous software must be removed from electronic information systems
- Network ports not in use must be disabled
- Separate technical controls are required for the backup and recovery of ePHI and relevant electronic information systems.
- Contingency and security incident response planning has been strengthened, including the requirement to have a written plan to restore data and information systems within 72 hours.
- A technology asset inventory and a network map must be created and maintained on an ongoing basis, and at least every year, that shows the movement of ePHI throughout information systems.
- The risk analysis requirement is now more detailed and states what the risk analysis must entail, including a review of the technology asset inventory and network map, identification of all reasonably anticipated threats, vulnerabilities, and pre-disposing conditions, and an assessment of the level of risk that each poses.
- Business associates and their contractors must verify compliance with the HIPAA Security Rule at least annually.
- Business associates must inform their covered entities (and subcontractors inform their business associates) of the implementation of their contingency plan within 24 hours.
The NPRM will be followed by a 60-day comment period, after which the fate of the HIPAA Security Rule update will lie with the incoming Trump-Vance administration, which could either review the comments, make necessary adjustments, and issue a final rule, or shelve the update to the Security Rule, as was the case with the Privacy Rule update proposed by the previous Trump administration. Under the Biden-Harris administration, OCR failed to issue a final rule implementing the Privacy Rule changes during the 4-year term.
The draft and formal notice of proposed rulemaking can be viewed in full here, and a summary of the key provisions is available on the HHS website.