Excerpt from Cyber Security News Article, Published on Jan 3, 2025.
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), has proposed significant updates to the HIPAA Security Rule to address rising cybersecurity threats in the healthcare industry. The Notice of Proposed Rulemaking (NPRM) aims to enhance safeguards for electronic protected health information (ePHI), aligning with the Biden Administration’s broader initiatives to protect critical infrastructure and strengthen national cybersecurity.
The HIPAA Security Rule, issued under the Health Insurance Portability and Accountability Act of 1996 and finalized in 2003, sets national standards for safeguarding ePHI. It applies to covered entities, including health plans and healthcare providers, and to their business associates. However, the rapid evolution of cybersecurity threats has exposed gaps that the current rule no longer adequately addresses. The proposed changes are intended to modernize the rule, improve clarity, and require stronger protective measures. Among the proposed updates is mandatory compliance with all implementation specifications, eliminating the distinction between “required” and “addressable” provisions. Entities would need to maintain detailed documentation of policies, procedures, and risk analyses and to conduct annual compliance audits. Enhanced risk management measures would require technology asset inventories and network maps, as well as more comprehensive risk assessments.
In addition to these measures, the NPRM mandates encryption of ePHI both at rest and in transit, multi-factor authentication, and regular vulnerability scanning. Entities would also be required to establish contingency plans capable of restoring electronic systems within 72 hours after an incident and to develop detailed incident response protocols for suspected breaches. HHS has opened a 60-day public comment period to gather feedback from stakeholders, including healthcare providers, health plans, patients, and professional organizations. The proposed changes, if implemented, are expected to raise the cybersecurity baseline across the healthcare industry, ensuring robust protection of sensitive patient information while reinforcing trust in healthcare systems.
To delve deeper into this topic, please read the full article at Cyber Security News.