HHS Proposes Major Overhaul of HIPAA Security Rule in the Wake of Change Healthcare Breach
The U.S. Department of Health and Human Services (HHS) recently proposed the most significant changes to the HIPAA Security Rule in over a decade. The new rules come in the wake of the Change Healthcare breach, which exposed the electronic personal health information of about 100 million Americans and disrupted aspects of the healthcare delivery system for months.
The proposed rules aim to minimize the probability of such incidents. Proposed changes include enhanced documentation and assessment, requiring regulated entities to maintain detailed compliance records, conduct more frequent risk analyses and perform annual audits. New operational safeguards include revoking access to electronic protected health information (ePHI) within 60 minutes of an employee’s departure and maintaining ePHI backups no more than two days old. Additionally, all ePHI must be encrypted. The most significant change in the proposed rules is the shift from “addressable” security controls to “required.”
Martin Fisher, long-time healthcare security executive and founder of security advisory firm Kiraso Partners, expressed optimism that the rules could help improve the healthcare industry’s security. “It’s good to see that HHS is making headway on the new rules. Change in healthcare is the elephant in the room here. That broke the system for months,” said Fisher.
The requirement to encrypt all ePHI could be one of the thorniest controls healthcare CISOs will be mandated to have in place, as well as maintaining comprehensive technology asset inventories and network maps to track data movement within their systems. “Encryption requirements have always been suggested,” said Kurt Osburn, director of risk management and governance at NCC Group. “But now they will be enforced,” he said.
Another challenge will be implementing multifactor authentication, MFA. “MFA for medical devices will be a problem because many [legacy medical systems and devices] do not support sophisticated connectivity controls. Entities that use these devices will need to lock them behind sophisticated security (firewalls, network segmentation, etc.) and require MFA to access the environments where they are operating,” said Osburn.
These measures are essential for identifying vulnerabilities in healthcare environments and successfully protecting ePHI. The proposal also mandates that regulated entities conduct regular risk analyses and maintain real-time monitoring of activities that could jeopardize ePHI security.
For Many Healthcare Organizations, a Significant Investment Into Cybersecurity is on the Horizon
For CISOs, this means reevaluating existing security protocols and potentially significant investments in new technologies to meet compliance standards. The proposed rule also emphasizes the need for ongoing training and awareness programs to keep staff informed about evolving threats and best cybersecurity practices. Many healthcare organizations operate under tight budgets, making it challenging for CISOs to secure funding for organization-wide encryption, multifactor authentication and regular vulnerability assessments. The pressure to allocate resources effectively while managing existing cybersecurity threats adds another layer of difficulty.
With the new compliance requirements comes the need for ongoing staff training to ensure all employees understand their roles in maintaining security protocols. Developing effective training programs can be resource-intensive, yet it is crucial for minimizing human error, which remains a leading cause of data breaches.
“The current rules are much more focused on risk assessment and controls based on that risk,” said Michael Farnum, advisory CISO at technology services provider Trace3. “The new rules are more prescriptive and mandate specific security controls that organizations must have in place. Should the new rules become adopted, more foundational controls such as encryption and multifactor authentication will be expected to be implemented, regardless of the organization’s specific risk profile,” Farnum said.
With the change in administration, there’s a chance the rules get shelved or altered. “The incoming administration may not prioritize this,” said Fisher. “And a challenge with the public comment period is that special interest groups will get very active and try to change things,” he said.
Likewise, if the rules don’t get sidelined, others express concern that the controls will be difficult to get into place in time. “I think getting some of these controls in place by the end of the year would be a heavy order. I would expect several extensions to get some of this in place,” Farnum said.
There’s also the matter of covered healthcare organizations paying for the increased security. “All of these rules require money,” said Osburn. “Technology in medical environments has always been the last priority for spending dollars. The money has always been for medical staff, research and new building expansions. Upgrading or securing technology requirements are most often met with the sentiment: “We should do this, but maybe later. The rules are both reasonable and attainable if you have enough funding, and that is going to be the issue. Where will the money come from,” he said.
