To enhance ePHI protections, address compliance gaps, and strengthen resilience against cybersecurity challenges, HHS is issuing a Notice of Proposed Rulemaking (NPRM) to bolster the HIPAA Security Rule.
Adapting to a Transforming Digital Environment
The last major revision to the HIPAA Security Rule occurred in 2013. Since then, the healthcare industry has experienced dramatic advancements in technology and a sharp rise in cyber risk. With nearly 80% of physician practices and 96% of hospitals now using EHRs, digital tools have become indispensable to modern healthcare. That same digitization, however, widens the attack surface: bad actors increasingly target the sector with ransomware and other intrusions.
The notice states that the rise in cybercrime underscores the urgency of updating the Security Rule: “Almost every stage of modern healthcare relies on stable and secure computer and network technologies.” The NPRM seeks to address this new reality by incorporating updated security practices and providing greater clarity for regulated entities.
HHS’s Office for Civil Rights (OCR) highlights breach trends, reporting significant growth in reported incidents affecting 500 or more individuals. The notice also observes that the healthcare sector’s designation as critical infrastructure by the President amplifies the importance of robust cybersecurity measures.
Key Proposals in the NPRM
The NPRM introduces several changes aimed at strengthening the Security Rule. Among these is a requirement for regulated entities to encrypt ePHI. Under the current rule, encryption is an “addressable” implementation specification that an entity may decline to implement if it documents why doing so is not reasonable and appropriate; the NPRM would make it a required standard. “By expressly requiring encryption, with limited exceptions, the Department’s proposal would reflect our expectations in the current cybersecurity environment.”
Another proposal focuses on technology asset inventory and data flow mapping. These measures aim to improve the thoroughness of risk analyses by ensuring organizations can identify all locations where ePHI is created, received, maintained, or transmitted. The notice states that such practices are critical for addressing vulnerabilities throughout the data lifecycle, reducing exposure to potential breaches.
The adoption of multi-factor authentication (MFA) also takes center stage in the NPRM. This method is proposed as a standard safeguard to prevent unauthorized access to systems containing ePHI. “Implementing MFA is a vital step toward enhancing security and reducing the risk of breaches,” the notice highlighted.
To address inconsistencies in compliance, the NPRM also proposes measures to harmonize federal and state cybersecurity requirements. The patchwork of existing state-level regulations creates challenges for health systems operating across multiple jurisdictions. According to the notice, a streamlined federal framework would help alleviate these administrative burdens while ensuring uniform protection for ePHI.
Addressing Compliance Gaps
OCR’s investigations into cybersecurity incidents have revealed significant deficiencies in how regulated entities implement the existing Security Rule. The NPRM seeks to close these gaps by clarifying expectations and codifying best practices as explicit requirements. While current rules allow organizations to decide whether encryption is “reasonable and appropriate,” the proposed changes would remove this discretion in most cases.
Additionally, the NPRM emphasizes the importance of a proactive approach to security. The notice states that “a strengthened Security Rule would continue to be flexible and scalable while providing regulated entities with greater clarity.” By making explicit what is currently implied, the proposed changes aim to reduce ambiguity and foster greater consistency in compliance efforts.
The NPRM also highlights the need for regular updates to security measures. The notice states that “Regulated entities must review and modify security measures as needed to ensure reasonable and appropriate protection of ePHI,” emphasizing that static approaches to cybersecurity are insufficient.
Implications for Health Systems
For health systems, the proposed changes may mean significant adjustments to existing cybersecurity strategies. Implementing mandatory encryption, conducting comprehensive technology asset inventories, and deploying MFA will likely require investments in technology and workforce. However, the notice argues that the benefits of enhanced security far outweigh the costs, particularly given the financial and reputational damage associated with breaches.
“The health care environment has changed significantly, and it is reasonable and appropriate to strengthen the Security Rule to address these changes,” the notice stated.
Health systems may also benefit from the NPRM’s emphasis on harmonization. A unified federal framework can reduce the complexity of managing cybersecurity compliance across multiple states. This allows organizations to focus resources on implementing effective protections rather than navigating conflicting regulations.
Comments Wanted
HHS is seeking feedback from stakeholders, including IT executives at health systems, to refine the proposed changes. The NPRM is scheduled to be published in the Federal Register on 01/06/2025 and available online at https://federalregister.gov/d/2024-30983, and on https://govinfo.gov. Comments must be submitted within 60 days of publication.