HHS unveils proposed updates to the HIPAA security rule, introducing modern safeguards to combat rising cyber threats in healthcare.
What happened
The U.S. Department of Health and Human Services (HHS) has proposed the first significant updates to the HIPAA security rule in over a decade, aiming to strengthen cybersecurity requirements across the healthcare industry. The draft Notice of Proposed Rulemaking (NPRM) was published on December 30, 2024, and is scheduled for publication in the Federal Register on January 6, 2025. The proposal invites feedback from HIPAA-regulated entities, healthcare stakeholders, and the public, with a 60-day comment period running from its Federal Register publication.
The proposed updates follow a rise in healthcare data breaches and ransomware attacks, with 2024 marking the exposure of personal health information for more than 180 million individuals in large-scale incidents. The updates are intended to address gaps in cybersecurity practices and align regulations with modern technology and threats.
Going deeper
The HIPAA security rule was designed to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It was deliberately written to be technology-neutral and flexible, but that flexibility left regulated entities wide discretion over which controls to implement, and the rule's baseline has not kept pace as technology and cyber threats have advanced.
The updates in the proposed rule include:
- Encryption of ePHI at rest and in transit to protect data from unauthorized access.
- Mandatory multi-factor authentication for access to ePHI systems.
- Network segmentation to limit lateral movement by attackers.
- Regular vulnerability scanning and penetration testing to identify and address security gaps.
Additional measures include annual HIPAA security rule compliance audits, enhanced incident response plans, and updated contingency planning to ensure healthcare organizations can restore operations within 72 hours of a cyberattack.
These updates also remove the previous distinction between required and addressable implementation specifications, making most safeguards mandatory, with few exceptions.
What was said
Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger discussed the urgency, stating, "The security rule was last revised in 2013, so this update is long overdue. Encryption and other measures are critical to protecting patient data from being leaked or misused."
Neuberger estimated that implementing the updated rule would cost approximately $9 billion in the first year and an additional $6 billion over the next four years but stressed that the cost of inaction poses even greater risks to patient safety and critical healthcare infrastructure.
The big picture
The proposed updates reflect growing concerns about the frequency and severity of cyberattacks targeting healthcare systems. With bipartisan support for enhancing healthcare cybersecurity, the proposed rule aims to establish more rigorous safeguards for ePHI, ensuring healthcare providers, insurers, and other covered entities are better equipped to handle the shifting threat environment. These updates signal a step toward protecting both patients and the healthcare system from the escalating risks of cyberattacks.
FAQs
What is the HIPAA security rule?
It sets the administrative, physical, and technical safeguards that HIPAA-regulated entities must use to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
What is multi-factor authentication (MFA)?
MFA requires proving identity with two or more factors of different kinds, such as something you know (a password) and something you have (a physical token or registered device), so that a stolen password alone is not enough to log in.
What is ePHI?
ePHI is health information that identifies individuals and is stored or transmitted electronically.
What is network segmentation?
It divides networks into smaller sections to limit access and contain cyberattacks.
What are vulnerability scans and penetration tests?
Vulnerability scans automatically enumerate known weaknesses, such as missing patches and misconfigurations; penetration tests have a tester actively exploit weaknesses the way an attacker would, to show what an attacker could actually reach.