Cyber Security in Healthcare: New HIPAA Security Rule Update

08-01-2025
Shreeram Gudemaranahalli Subramanya

Strengthening Cyber Security in Healthcare: HHS Issued a Notice of Proposed Rulemaking (NPRM) on New HIPAA Security Rule Updates

On January 6, 2025, the U.S. Department of Health and Human Services (HHS) issued a notice of proposed rulemaking (NPRM) proposing significant updates to the HIPAA Security Rule. The revision aims to strengthen protections for electronic protected health information (ePHI) by improving cyber security practices across the U.S. health care system, in response to the rising number of cyber-attacks.

The proposed rule addresses common areas of non-compliance with the Security Rule identified through investigations by the Office for Civil Rights (OCR). It also incorporates recommendations from the National Committee on Vital and Health Statistics (NCVHS) and aligns with guidance from agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). This joint effort aims to strengthen the security of health information across the healthcare sector in the United States of America.

The proposed updates are open for public comment until March 7, 2025, under RIN 0945-AA22. Comments may be submitted through the Federal eRulemaking Portal or by mail.

What Are the Proposed Updates About?

  • Technology Asset Inventory and Network Mapping: The proposed rule would require healthcare organizations to create and maintain an accurate, thorough written inventory and network map of their electronic information systems. A comprehensive map of every technology asset that could affect the confidentiality, integrity, or availability of electronic protected health information (ePHI) is critical to robust data protection. The inventory and map must cover all movements of ePHI both within and outside the regulated entity’s systems.

  • Strengthening Incident and Disaster Response Planning Requirements: Regular penetration testing, along with the development and revision of data backup, disaster recovery, and incident response plans, is essential to effective contingency planning. Healthcare organizations should report any significant security incident to the Department of Health and Human Services (HHS) promptly. The proposed rule is beneficial because it emphasizes proactive planning to minimize the impact of cyber-attacks, which should accelerate recovery efforts and reduce penalties for HIPAA violations.

  • Increased Specificity in Risk Analysis: The current HIPAA Security Rule requires covered entities to implement policies and procedures to identify, prioritize, and apply relevant software patches throughout the electronic information systems they use to create, receive, maintain, or transmit ePHI, or that otherwise affect the confidentiality, integrity, or availability of ePHI. The proposed rule introduces more specific requirements for risk analysis, mandating a written assessment that documents eight key specifications, including a review of the technology asset inventory and network map, identification of reasonably anticipated threats to ePHI, identification of potential vulnerabilities and contributing factors in electronic information systems, and an assessment of the potential impact of each identified threat. These requirements are distinct from the evaluation standard, which requires regulated entities to proactively assess the risks and vulnerabilities that may arise from changes to their environment or operations.

  • Enhancing Accountability and Verification for Business Associates' Technical Safeguards: The proposed regulation requires regulated entities to ensure that any entity that creates, receives, maintains, or transmits protected health information (PHI) on their behalf takes the necessary actions to secure ePHI. Specifically, covered entities would have to obtain written confirmation at least annually that their business associates have implemented the Security Rule's technical safeguards, together with a written analysis of the business associate's relevant electronic information systems. The same obligation would apply to business associates with respect to their subcontractors.

  • Security Updates and Patch Management: The proposed rule mandates regular security updates and a patch management process to address known vulnerabilities in information systems. Critical-risk patches must be applied within 15 days, high-risk patches within 30 days, and other patches within a reasonable timeframe set by the entity’s policies. These measures protect the confidentiality, integrity, and availability of ePHI; fixed deadlines ensure timely updates and reduce risk to electronic information systems.

  • Compliance Audits and System Activity Reviews: Covered entities and business associates would be required to implement more robust audit controls and conduct regular reviews of system activity to detect and respond to security incidents promptly.

  • Mandatory Encryption and Authentication: The updates emphasize the importance of encrypting ePHI both at rest and in transit. They also focus on multi-factor authentication for remote access to information systems containing ePHI.

  • Additional Definitions and Clarifications of Security Requirements:

    • Adding definitions of “Technical Controls, Technology Assets, Risk, Multi-factor Authentication, Electronic Information Systems, Vulnerabilities and Threats”;

    • Implementing mechanisms for encryption of ePHI at rest and in transit;

    • Implementing network segmentation;

    • Performing vulnerability scanning at least once every six months and penetration testing at least once every 12 months;

    • Deploying anti-malware protection;

    • Removing extraneous software from electronic information systems;

    • Assessing and disabling network ports in accordance with the regulated entity’s risk analysis;

    • Auditing backups and recovery of ePHI.
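The patch-management item above sets fixed deadlines (15 days for critical-risk patches, 30 days for high-risk ones) and the list just above sets a cadence for vulnerability scanning (every six months) and penetration testing (every 12 months). The following is an added example, not code from HHS or the NPRM, of how a compliance team might track both as policy-as-code. Asset names, advisory identifiers, and dates are constructed for illustration; the day counts used for "six months" and "12 months" are this example's own approximation of those periods.

```python
"""Track the proposed HIPAA Security Rule patch deadlines and testing cadence.

Added example for this article; deadlines mirror the summary above,
everything else (assets, advisories, dates) is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines in days from the date a patch becomes available (from the summary above).
PATCH_SLA_DAYS = {"critical": 15, "high": 30}
# Required cadence of recurring controls; "six months" and "12 months" approximated in days.
CADENCE_DAYS = {"vulnerability_scan": 182, "penetration_test": 365}


@dataclass
class PatchRecord:
    asset: str
    advisory: str            # constructed placeholder identifier, not a real advisory
    severity: str            # critical / high / medium / low
    available: date          # date the vendor patch became available
    applied: Optional[date] = None   # None until the patch is deployed


def patch_deadline(rec: PatchRecord) -> Optional[date]:
    """Fixed deadline for critical/high patches; None when entity policy decides the timeframe."""
    days = PATCH_SLA_DAYS.get(rec.severity.lower())
    if days is None:
        return None
    return rec.available + timedelta(days=days)


def evaluate_patch(rec: PatchRecord, today: date) -> str:
    """Classify a patch as compliant, late, overdue, pending, or policy-defined."""
    deadline = patch_deadline(rec)
    if deadline is None:
        # "Other patches within a reasonable timeframe": no fixed deadline to enforce here.
        return "compliant" if rec.applied is not None else "policy-defined"
    if rec.applied is not None:
        return "compliant" if rec.applied <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def evaluate_cadence(activity: str, last_performed: Optional[date], today: date) -> str:
    """Flag a recurring control whose last execution is older than its required cadence."""
    limit = CADENCE_DAYS[activity]
    if last_performed is None:
        return "never-performed"
    return "overdue" if (today - last_performed).days > limit else "current"


def compliance_report(patches, activities, today: date) -> list:
    """Return one finding line per patch or recurring control that misses its requirement."""
    findings = []
    for rec in patches:
        status = evaluate_patch(rec, today)
        if status in ("late", "overdue"):
            findings.append(
                f"{rec.asset} {rec.advisory} ({rec.severity}): {status}, deadline {patch_deadline(rec)}"
            )
    for name, last in activities.items():
        status = evaluate_cadence(name, last, today)
        if status != "current":
            findings.append(f"{name}: {status}, last performed {last}")
    return findings


# Constructed sample data: fictional assets and placeholder advisory IDs.
TODAY = date(2025, 3, 1)
SAMPLE_PATCHES = [
    PatchRecord("ehr-db-01", "ADV-EXAMPLE-001", "critical", date(2025, 2, 1), date(2025, 2, 10)),  # within 15 days
    PatchRecord("ehr-app-02", "ADV-EXAMPLE-002", "critical", date(2025, 2, 1), None),              # 15-day window passed
    PatchRecord("pacs-gw-03", "ADV-EXAMPLE-003", "high", date(2025, 2, 10), None),                 # still inside 30 days
    PatchRecord("hr-portal-04", "ADV-EXAMPLE-004", "high", date(2025, 1, 1), date(2025, 2, 15)),   # applied after deadline
    PatchRecord("kiosk-05", "ADV-EXAMPLE-005", "low", date(2025, 1, 1), None),                     # entity policy decides
]
SAMPLE_ACTIVITIES = {
    "vulnerability_scan": date(2024, 7, 15),   # more than six months before TODAY
    "penetration_test": date(2024, 6, 1),      # within the last 12 months
}

if __name__ == "__main__":
    for line in compliance_report(SAMPLE_PATCHES, SAMPLE_ACTIVITIES, TODAY):
        print(line)
```

Run against the constructed data, the report lists three findings: the unpatched critical item past its 15-day window, the high-risk patch applied after its 30-day deadline, and the vulnerability scan older than six months. Feeding the same functions records exported from a real patch or ticketing system gives a repeatable check that can be kept with the written risk analysis.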

Importance of the Proposed Changes:

The proposed updates to the HIPAA Security Rule are a critical step toward strengthening the protection of electronic protected health information (ePHI) and mitigating the risk to the U.S. healthcare system from increasing cyber-attacks.

  • Protection of Patient Data: The updates enhance safeguards for ePHI, reducing vulnerabilities and bolstering patient trust by prioritizing data confidentiality, integrity, and availability.

  • Greater Compliance Clarity: The inclusion of clear guidelines for risk analysis, incident reporting, and business associate accountability simplifies adherence to HIPAA requirements, making compliance more accessible and consistent.

  • Alignment with Cybersecurity Practices: Alignment with industry standards such as the NIST and CISA frameworks helps healthcare organizations address evolving threats through measures like mandatory encryption, multi-factor authentication, and regular vulnerability assessments.

Need Compliance with the New Rules?

If you are looking to become compliant with these new rules, don’t hesitate to contact us for a free compliance planning session where we can produce a HIPAA Compliance plan for your organization.
