HHS’s Proposed HIPAA Security Rule Updates

Report by FortifyData

The U.S. Department of Health and Human Services (HHS) hasn’t updated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule since 2013! That was the Omnibus Rule, which focused on Business Associates. In fact, there has not been a sweeping change to the Security Rule since its inception in 2003. Recognizing this, HHS has released proposed updates to the HIPAA Security Rule. These updates are aimed at equipping healthcare organizations with more robust tools and practices to safeguard ePHI. Many will notice the shift in language in the proposed rules from ‘addressable’ to ‘required’ when it comes to the security controls.


Cyberattacks on healthcare organizations are escalating, with threats to electronic protected health information (ePHI) becoming increasingly sophisticated. Yet the U.S. Department of Health and Human Services (HHS) hasn’t updated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule since 2013! That was the Omnibus Rule, which focused on Business Associates. In fact, there has not been a sweeping change to the Security Rule since its inception in 2003.

Recognizing this, HHS has released proposed updates to the HIPAA Security Rule. These updates are aimed at equipping healthcare organizations with more robust tools and practices to safeguard ePHI. Many will notice the shift in language in the proposed rules from ‘addressable’ to ‘required’ when it comes to the security controls. At FortifyData, we are committed to helping hospitals and clinics understand and navigate these proposed changes to bolster their cybersecurity defenses effectively.


The proposed rules include specific control requirements, marking a significant shift from the existing framework. This white paper provides an overview of the changes, with practical insights into how FortifyData can support your organization in meeting these requirements.

Why the Changes Are Necessary

The healthcare sector faces unique challenges in cybersecurity. With sensitive patient data at risk, breaches not only compromise privacy but also undermine patient trust and patient care.

Cost is also a core concern on two fronts: the lucrative price that compromised patient records fetch on the dark web, and the rising cost of a data breach in healthcare.

According to the 2024 IBM Cost of a Data Breach study, “Healthcare breaches cost the most. For the 9th year in a row, healthcare organizations had the highest cost of a breach – nearly $6.5 million on average (over 60% more than other industries in the study).”

Healthcare records contain a wealth of valuable information, make individuals targets for blackmail and ransom demands, and fetch higher prices per record ($300 to $1,000 per record) once obtained and posted for sale on the dark web.

The proposed updates aim to:

  1. Address gaps in the current HIPAA Security Rule.
  2. Provide clear and actionable guidance for managing risks.
  3. Standardize security practices across the industry.
  4. Strengthen accountability for covered entities and business associates.

Looking at how cyberattacks unfold, you can see how some of these new requirements will help reduce intrusions that originate from network, email and other endpoints. According to research from HIPAA Journal, 70% of breaches in 2023 were linked to vulnerable network servers.

Key Proposed Controls and Requirements

What makes the new proposed changes unique is that several specific control requirements are planned. This is highly unusual for HHS, which has historically avoided being so prescriptive. They have recognized, though, that leaving controls unspecified allows broad interpretation and, oftentimes, poor security practices that nonetheless remain compliant. The specific controls are designed to improve the security posture of covered entities and their business associates. Let’s review the proposed changes:

1. Mandatory Technology Asset Inventory

Organizations must develop and maintain a comprehensive inventory of technology assets, including all devices, software, and systems handling ePHI. This inventory must:

  • Be updated at least annually or whenever significant changes occur.
  • Include details such as device types, locations, and the ePHI they handle.
  • Serve as a foundation for managing vulnerabilities and risks associated with technology assets.

2. Network Mapping

The proposed rules call for a detailed network map illustrating ePHI flows within your organization’s systems. This map must:

  • Identify all data storage locations, transmission paths, and endpoints.
  • Be updated regularly to reflect changes in infrastructure.

3. Specific Risk Analysis Requirements

Organizations must conduct detailed risk analyses, including:

  • Identifying potential threats and vulnerabilities to ePHI.
  • Assessing the likelihood and impact of each risk.
  • Prioritizing risks based on their severity.

4. Elimination of Addressable Specifications

All controls previously categorized as “addressable” will now be mandatory, with justifications for non-compliance requiring thorough documentation.

5. Policy and Procedure Documentation

The proposed rules emphasize written policies and procedures. Organizations must:

  • Maintain comprehensive documentation of Security Rule policies.
  • Regularly update documentation to reflect changes in threats or operations.

6. Encryption and Authentication Standards

Stronger encryption and authentication measures for ePHI are required, including:

  • Encrypting data at rest and in transit.
  • Implementing multi-factor authentication (MFA) for accessing high-risk systems.

7. Defined Timeframes for Compliance

Organizations must adhere to specific timelines for implementing and reviewing controls. For example:

  • Asset inventories and network maps must be updated at least annually.
  • Risk analyses must be conducted regularly.

8. Access Management Controls

Access to ePHI must be tightly controlled, including:

  • Assigning unique identifiers to users.
  • Regularly reviewing and updating access permissions.

According to the 2024 Verizon DBIR, ‘Miscellaneous Errors’ by insiders spiked as a leading source of compromise after years of steady decline. Tighter access management is needed to reduce this breach source.

9. Ongoing Monitoring and Auditing

Continuous monitoring and periodic audits are critical. Organizations must:

  • Monitor systems for unauthorized access and anomalies.
  • Conduct regular audits to evaluate security practices.
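
Added example (not FortifyData’s code, and not anything from the NPRM): a small Python check that applies the requirements above to a constructed asset inventory, flagging entries past the annual review window, entries missing required fields, ePHI that is not encrypted at rest and in transit, and high-risk systems without MFA, then ranking assets by likelihood times impact. The field names, the 1 to 5 scales and the sample hosts are assumptions.

```python
# Added example (not FortifyData's or HHS's code): check a constructed asset inventory
# against the requirements summarised above (annual review, required fields, ePHI
# encryption, MFA on high-risk systems); field names and the 1-5 scales are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
REVIEW_WINDOW = timedelta(days=365)  # "updated at least annually"
AS_OF = date(2025, 1, 15)  # constructed reporting date for the sample below

@dataclass
class Asset:
    name: str
    device_type: str
    location: str
    handles_ephi: bool
    last_reviewed: date
    encrypted_at_rest: bool = False
    encrypted_in_transit: bool = False
    mfa_enforced: bool = False
    high_risk: bool = False
    likelihood: int = 1  # 1 (rare) .. 5 (expected)
    impact: int = 1      # 1 (negligible) .. 5 (severe)

def risk_score(asset: Asset) -> int:
    return asset.likelihood * asset.impact  # basis for prioritising risks by severity

def inventory_findings(assets, today: date) -> dict:
    """Return {asset name: [gap, ...]} for every control gap found."""
    findings = {}
    for a in assets:
        gaps = []
        if not a.device_type or not a.location:
            gaps.append("missing required inventory field (device type or location)")
        if today - a.last_reviewed > REVIEW_WINDOW:
            gaps.append(f"inventory entry stale (last reviewed {a.last_reviewed})")
        if a.handles_ephi and not (a.encrypted_at_rest and a.encrypted_in_transit):
            gaps.append("ePHI not encrypted both at rest and in transit")
        if a.high_risk and not a.mfa_enforced:
            gaps.append("MFA not enforced on high-risk system")
        if gaps:
            findings[a.name] = gaps
    return findings

def prioritized(assets) -> list:
    """Asset names ordered by descending risk score, highest priority first."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]
SAMPLE_INVENTORY = [  # constructed sample, hypothetical hosts
    Asset("ehr-db-01", "database server", "DC-A rack 3", True, date(2024, 11, 2), True, True, True, True, 3, 5),
    Asset("imaging-ws-07", "workstation", "", True, date(2023, 6, 14), False, True, False, False, 4, 4),
    Asset("kiosk-lobby", "kiosk", "Main lobby", False, date(2024, 12, 1), likelihood=2, impact=1),
]
```

Run `inventory_findings(SAMPLE_INVENTORY, AS_OF)` to list the gaps per asset and `prioritized(SAMPLE_INVENTORY)` to get the remediation order.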

Proposed Change | How FortifyData Helps Meet Requirements
--- | ---
Mandatory Technology Asset Inventory | Provides automated asset discovery and tracking, ensuring your inventory remains current and accurate with minimal manual effort.
Network Mapping | Continuously identifies new assets and changes to the environment, allowing you to better address this need.
Specific Risk Analysis Requirements | Simplifies risk analysis by identifying and prioritizing risks through automated assessments, risk classification, and risk prioritization, empowering your team to focus on mitigation strategies.
Elimination of Addressable Specifications | Ensures full compliance by guiding your organization through the implementation of required controls and documenting efforts for auditors.
Policy and Procedure Documentation | The Cyber GRC module includes compliance capabilities that centralize and manage documentation, reporting on gaps by policy and streamlining compliance efforts.
Encryption and Authentication Standards | Takes your MFA and encryption policies into account to automatically reduce risk associated with the related encryption-specific and MFA-specific controls.
Defined Timeframes for Compliance | Automates compliance with reminders, scheduling and compliance updates through our platform, ensuring timely (and ongoing) compliance with the proposed rules.
Access Management Controls | Simplifies user tracking and permissions management with full RBAC settings within the FortifyData platform, reducing the risk of unauthorized access. In future versions of FortifyData, we will have integration with Active Directory to monitor user access privileges.
Ongoing Monitoring and Auditing | FortifyData provides real-time monitoring and audit capabilities to identify and address issues proactively.

Implications for Hospitals and Clinics

The proposed changes will impact healthcare organizations significantly. Key implications include:

  • Increased Compliance Burden: Organizations will need to allocate resources to meet new requirements, including budget, personnel, technology, and training.
  • Enhanced Accountability: Emphasis on documentation and mandatory controls will heighten accountability for security practices.
  • Improved Security Posture: By adopting these measures, hospitals and clinics can reduce risks and build patient trust.

Preparing for the Proposed Changes

FortifyData recommends taking proactive steps to prepare for these changes:

  1. Conduct a Gap Analysis:
    • Compare your current practices with the proposed requirements.
    • Identify areas needing improvement.
  2. Develop a Compliance Roadmap:
    • Plan for implementing new controls and updating existing ones.
    • Use FortifyData’s platform to track progress and maintain compliance.
  3. Invest in Training and Awareness:
    • Educate staff about the proposed changes and their roles in compliance.
  4. Engage with Stakeholders:
    • Involve leadership, IT teams, and legal counsel in planning efforts.
  5. Participate in Public Comment:
    • Review the NPRM (Notice of Proposed Rulemaking) and submit feedback to HHS during the comment period.

Other Considerations: Third-Party Risk Management (TPRM)

Third-party attack vectors also continue to grow. While the HIPAA Security Rule already requires actions such as a Business Associate Agreement (BAA) obligating the associate to “Comply with the HIPAA Security Rule’s administrative, physical, and technical safeguards,” “Report security incidents and breaches to the CE,” and “Ensure that any subcontractors they use that handle PHI also have BAAs in place and comply with HIPAA,” business associates, or third parties, continue to be an entry point into healthcare organizations or the source of patient data breaches.


Clearly, while well-intentioned, these BAA obligations are not reducing the growth of third-party attack vectors in healthcare. “35% of third-party breaches affected healthcare organizations with application security presenting the broadest attack surface, according to a new cybersecurity analysis of the largest healthcare companies.”


The WHO reports that supply chain attacks tripled in Q1 2024 compared to Q1 2023. Expect this to climb as more software is used and software supply chains continue to be exploited through vulnerabilities in code from an open-source library or other software provider that is embedded in a software package or technology a healthcare provider uses.

Towards A More Secure Healthcare Industry

The proposed updates to the HIPAA Security Rule represent a crucial step in enhancing cybersecurity across the healthcare sector. By addressing gaps in the current framework and introducing specific controls, HHS aims to better protect ePHI and patient trust.

FortifyData is here to help hospitals and clinics navigate these proposed changes, providing solutions that simplify compliance and strengthen your security posture. Why wait to improve cybersecurity until it’s required? You’ll find it can be simpler with an automated platform. Contact us today to learn how we can support your organization in preparing for these updates.

FortifyData: One Platform, Total Visibility, Continuous Protection

FortifyData is a leading automated Cyber GRC and continuous cyber risk monitoring platform that empowers clients to reduce their cyber risk. By consolidating tools and providing a unified view of integrated security data and compliance, FortifyData offers continuous monitoring and automation, acting as a force multiplier for security and compliance teams and significantly improving cybersecurity posture.

FortifyData’s platform helps hospitals and healthcare organizations to prevent breaches, defend patient data, and meet security expectations and requirements while streamlining and rationalizing cybersecurity investments.


Have questions about this white paper or want to see a demo?

Reach out to FortifyData to discuss your organization’s approach and needs.