Banner

News

Article

HHS proposes rule to strengthen cybersecurity in U.S. health care sector

Author(s):

Todd Shryock

Key Takeaways

  • HHS proposes new regulations to strengthen cybersecurity, requiring compliance from most healthcare providers and business associates.
  • Proposed changes include mandatory written documentation, updated definitions, and specific compliance timelines for ePHI protection.
SHOW MORE

Rule would modify HIPAA and require most providers to comply with more complex and thorough security guidelines.

HHS proposal would increase security burden on health care providers: ©Onephoto -stock.adobe.com

HHS proposal would increase security burden on health care providers: ©Onephoto -stock.adobe.com

HHS is proposing new regulations to bolster cybersecurity protections in the health care system that would require compliance by most providers. The proposed rule, issued through the Office for Civil Rights, would amend HIPAA to enhance safeguards for individual’s protected health information (PHI).

The proposed modifications would require health plans, health care clearinghouses, most health care providers, and their business associates to implement enhanced protections for electronic PHI. It would require that policies and procedures are in writing, reviewed, tested, and updated on a regular basis, and would better align standards to modern best practices in cybersecurity. Here are some of the proposals and clarifications:

  • Remove the distinction between “required” and “addressable” implementation specifications and make all implementation specifications required with specific, limited exceptions.
  • Require written documentation of all Security Rule policies, procedures, plans, and analyses.
  • Update definitions and revise implementation specifications to reflect changes in technology and terminology.
  • Add specific compliance time periods for many existing requirements.
  • Require the development and revision of a technology asset inventory and a network map that illustrates the movement of ePHI throughout the regulated entity’s electronic information system(s) on an ongoing basis, but at least once every 12 months and in response to a change in the regulated entity’s environment or operations that may affect ePHI.
  • Require greater specificity for conducting a risk analysis. New express requirements would include a written assessment that contains, among other things:
  1. A review of the technology asset inventory and network map.
  2. Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI.
  3. Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
  4. An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
  • Require notification of certain regulated entities within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.
  • Strengthen requirements for planning for contingencies and responding to security incidents. Specifically, regulated entities would be required to, for example:
  1. Establish written procedures to restore the loss of certain relevant electronic information systems and data within 72 hours.
  2. Perform an analysis of the relative criticality of their relevant electronic information systems and technology assets to determine the priority for restoration.
  3. Establish written security incident response plans and procedures documenting how workforce members are to report suspected or known security incidents and how the regulated entity will respond to suspected or known security incidents.
  4. Implement written procedures for testing and revising written security incident response plans.
  • Require regulated entities to conduct a compliance audit at least once every 12 months to ensure their compliance with the Security Rule requirements.
  • Require that business associates verify at least once every 12 months for covered entities (and that business associate contractors verify at least once every 12 months for business associates) that they have deployed technical safeguards required by the Security Rule to protect ePHI through a written analysis of the business associate’s relevant electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate.
  • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner. New express requirements would include:
  1. Deploying anti-malware protection.
  2. Removing extraneous software from relevant electronic information systems.
  3. Disabling network ports in accordance with the regulated entity’s risk analysis.
  • Require the use of multi-factor authentication, with limited exceptions.
  • Require vulnerability scanning at least every six months and penetration testing at least once every 12 months.
  • Require separate technical controls for backup and recovery of ePHI and relevant electronic information systems.
  • Require regulated entities to review and test the effectiveness of certain security measures at least once every 12 months, in place of the current general requirement to maintain security measures.
  • Require business associates to notify covered entities (and subcontractors to notify business associates) upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation.

Addressing the growing threat

Deputy Secretary Andrea Palm underscored the urgency of the initiative, citing the increasing frequency and sophistication of cyberattacks. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures,” Palm said in a statement. “This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack but are also more secure and resilient.”

OCR’s data shows that between 2018 and 2023, reports of large breaches surged by 102%, while the number of affected individuals skyrocketed by 1002%. In 2023 alone, more than 167 million individuals were impacted by breaches, setting a new record. The trend has been driven largely by hacking and ransomware, which have increased 89% and 102%, respectively, since 2019.

HHS officials stated that while the proposed changes are under consideration, the current HIPAA security rule remains in effect, and entities are urged to maintain compliance.

Public comments on the proposal will be accepted until March 7 in the Federal Register.

Related Videos
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
© Mathematica - The Commonwealth Fund
Related Content
Medical conference illustration: © mast3r – stock.adobe.com
January 7th 2025

Medical, health care and business conferences 2025 – a slideshow

Jay W. Lee
December 2nd 2024

Ep 45: Vaccine hesitancy with Jay W. Lee, MD, MPH, FAAFP

sdoh social drivers of health: © Satori Studio - stock.adobe.com
January 3rd 2025

More physicians are screening patients for social risks

Ep 44: Noncompete clauses with Emma Schuering, JD
November 18th 2024

Ep 44: Noncompete clauses with Emma Schuering, JD

Best of 2024: Physician politicians: Why doctors choose to serve -- and how you can too
December 27th 2024

Best of 2024: Physician politicians: Why doctors choose to serve -- and how you can too

Congress failed physicians...again: ©Philip - stock.adobe.com
December 23rd 2024

Physician groups to Congress: You failed