New Cybersecurity Updates for the HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) has long required healthcare organizations to maintain sound cybersecurity practices. The release of the proposed rulemaking to Strengthen the Cybersecurity of Electronic Protected Health Information (ePHI) under the Security Rule is a significant step in that direction.
The much-anticipated proposed rulemaking to modify the HIPAA Security Rule is scheduled for official publication in the Federal Register on January 6, 2025. Publication opens a 60-day public comment period. After the comment period closes, the agency typically issues a final rule, revised in response to the comments received, which then becomes enforceable after its stated compliance date.
Read on to learn more about the significant changes in HIPAA’s proposed cybersecurity measures.
Focus on Strengthening ePHI Security
At the core of HIPAA's Privacy and Security Rules is the intent to safeguard protected health information (PHI) in any format from unauthorized access, use, and disclosure while preserving its confidentiality, integrity, and availability.
As cyberattacks grow more sophisticated, organizations must implement stronger measures to protect their data. The proposed cybersecurity requirements make the point that prioritizing data security and enhancing the protection of ePHI not only builds patient trust but also helps healthcare organizations maintain compliance.
It is difficult to predict whether the incoming Administration and HHS leadership will carry the proposed rule through to a final rule. Cybersecurity is, however, a bipartisan issue, and many of the proposed changes track the growing threats that healthcare organizations face.
The proposed rulemaking establishes these justifications for a new rule, marking the first update to the HIPAA Security Rule since 2013.
- Strong security standards are essential to protecting the confidentiality, integrity, and availability of ePHI and ensuring quality and efficiency in the healthcare system.
- The healthcare environment has changed since the Security Rule was last revised and will continue to evolve.
- Regulated Entities’ compliance with the requirements of the Security Rule is inconsistent.
- It is reasonable and appropriate to strengthen the Security Rule to address the changes in the healthcare environment and clarify the compliance obligations of regulated entities.
For the first time, the proposed rulemaking also addresses the need for small and rural healthcare providers to implement strong security measures. It further notes that no security standard for ePHI has yet been developed through an ANSI-accredited standards setting organization, and that such a standard is needed.
HIPAA’s New Cybersecurity Measures: What You Need to Know
The Security Rule is being revised to address inconsistencies in how regulated entities comply with its requirements and to strengthen the protection of sensitive patient information. The proposed updates aim to bring the Rule's standards and implementation specifications in line with today's healthcare environment, so that covered entities and business associates can address the complexities of the current cybersecurity landscape. Below are some of the key changes.
Employing Multi-Factor Authentication
The proposed rule adds a definition of multi-factor authentication (MFA) and makes its use a required authentication standard. MFA has matured considerably since the Security Rule took effect in 2005 and is now a baseline defense against credential theft, ransomware, and other incidents. Note that the proposed definition requires factors from at least two different categories (something the user knows, something the user possesses, and something the user is); two factors of the same kind, such as a password plus a PIN, do not qualify.
Organizations will be required to implement:
- Written policies and procedures for verifying the identity of users and technology assets before they are granted access to relevant electronic information systems.
- MFA for all logins to relevant electronic information systems.
- Identity verification at every login, so that users are confirmed to be who they claim to be before access is granted.
- MFA for any action that changes a user's privileges, particularly where the change could affect the confidentiality, integrity, or availability of ePHI.
Don’t underestimate the impact of multi-factor authentication! Read our blog post to learn more.
Security Risk Analysis & Data Governance
The proposed rule requires regulated entities to develop and maintain an accurate and thorough inventory of technology assets and a network map showing where ePHI flows, both reviewed and updated at least annually and whenever there is a change in the environment that could affect ePHI. This is an essential step: you cannot protect ePHI you do not know you have!
The original Security Rule did not mandate an inventory, but early on we recognized that knowing where ePHI resides in your organization is vital for effective security. Since 2005, PrivaPlan has championed the critical role of Security Risk Analyses (SRAs) and ePHI inventories, integrating these data maps into our risk analysis framework and showing organizations how to perform this analysis in our HIPAA Privacy & Security Toolkit.
Other security changes include:
- Risk Level Matrix: Evaluate each identified threat and vulnerability and assign it a risk level, and review and update those evaluations at least annually or whenever circumstances change or new information emerges.
- Patch Management: Written procedures for identifying, prioritizing, testing, and applying patches and other updates when a patch is released or a security weakness is identified.
- Written Risk Management Plans: Establish and implement a written risk management plan. This makes clear that a written risk management plan is required in addition to the risk analysis itself! The Office for Civil Rights already asks for this plan when investigating a breach or security incident, but it now becomes an explicit requirement.
- Privileged Access and Network Hardening: Tighten controls over privileged accounts, and harden the network infrastructure that supports them, including effective network segmentation to limit lateral movement and exposure, systematic removal of unnecessary software that could introduce vulnerabilities, and disciplined management of network ports to prevent unauthorized access.
Workforce Standards & Training
Tighter standards for workforce clearance and termination have been outlined. For example, one proposed standard states that "A workforce member's access must be terminated as soon as possible but no later than one hour after the employment of, or other arrangement with, a workforce member ends."
Security awareness training must be conducted at least annually and must cover social engineering, including phishing and smishing (SMS-based phishing) threats.
Disaster Planning & Security Response Testing
Healthcare organizations must now conduct annual testing of their security incident response procedures and their contingency and disaster recovery plans.
The proposed rule also tightens contingency planning, backup, and disaster recovery requirements. Among them is the obligation to "Establish (and implement as needed) written procedures to restore loss of the covered entity's or business associate's critical relevant electronic information systems and data within 72 hours of the loss."
Business Associates
Data breaches and cyberattacks in the healthcare sector are commonplace, and the following measures aim to hold third-party providers accountable.
A business associate is a person, contractor, or entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. A business associate is responsible for protecting the ePHI it receives from a covered entity, and a business associate agreement (BAA) outlines the responsibilities of both parties in safeguarding that ePHI.
Business associates will now be subject to enhanced verification of their cybersecurity measures. At least once a year, they must provide written verification that they have deployed the required technical safeguards. This verification must include a written analysis of their relevant electronic information systems showing how the confidentiality, integrity, and availability of ePHI are protected, and an individual with authority to act on the business associate's behalf must certify the accuracy of that analysis.
Business associates will also need to notify the covered entity within 24 hours of activating their contingency plan under the proposed contingency planning provisions (§ 164.308(a)(13)).
Physical Security Clarifications
A facility's physical security is also addressed in this update. Physical safeguards protect sensitive health information by securing the physical spaces where ePHI is stored, processed, or accessed.
The rulemaking clarifies and specifies the physical security standards for a facility, such as door access control systems that restrict entry to authorized personnel and surveillance systems that monitor the facility.
The clarified standards reflect a growing recognition that physical security is a critical component of data protection, and they encourage healthcare organizations to maintain both technical and environmental safeguards as part of their compliance strategy.
Ensuring the Security of ePHI in Real-Time
The update also clarifies expectations for real-time monitoring of activity involving ePHI, requiring covered entities and business associates to continuously monitor activity in their relevant electronic information systems. Combined with an accurate asset inventory and the technical controls described above, real-time monitoring helps detect suspicious activity early, mitigate risk, protect sensitive data, and maintain compliance.
Summary
HIPAA's proposed cybersecurity measures promote compliance while prioritizing the security of ePHI. At PrivaPlan, we believe that adopting these practices now is a proactive step toward building a resilient and secure data environment in the face of evolving cybersecurity challenges in healthcare.
Need help safeguarding your ePHI?
PrivaPlan Associates delivers an in-depth security risk analysis tailored to your organization. Our team will pinpoint vulnerabilities, offer targeted solutions, and guide you through compliance.