HHS unveils proposed updates to the HIPAA security rule, introducing modern safeguards to combat rising cyber threats in healthcare.
The U.S. Department of Health and Human Services (HHS) has proposed the first significant updates to the HIPAA security rule in over a decade, aiming to strengthen cybersecurity requirements across the healthcare industry. The draft Notice of Proposed Rulemaking (NPRM) was released on December 30, 2024, and is scheduled for publication in the Federal Register on January 6, 2025. Federal Register publication opens a 60-day comment period, during which HHS invites feedback from HIPAA-regulated entities, healthcare stakeholders, and the public.
The proposed updates follow a rise in healthcare data breaches and ransomware attacks, with 2024 marking the exposure of personal health information for more than 180 million individuals in large-scale incidents. The updates are intended to address gaps in cybersecurity practices and align regulations with modern technology and threats.
The HIPAA security rule was written to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). It was deliberately technology-neutral and flexible, leaving many implementation choices to each organization's judgment, and that latitude has left the rule increasingly out of step with current technology and the threats healthcare organizations now face.
The updates in the proposed rule include:
Additional measures include compliance audits of HIPAA security rule controls at least once a year, stronger incident response plans, and updated contingency planning so that healthcare organizations can restore affected systems and data, and resume operations, within 72 hours of a cyberattack.
The proposal also removes the current distinction between "required" and "addressable" implementation specifications. Today an organization may document why an addressable safeguard is not reasonable and implement an alternative; under the proposed rule nearly every specification becomes mandatory, with only limited exceptions.
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, discussed the urgency, stating, "The security rule was last revised in 2013, so this update is long overdue. Encryption and other measures are critical to protecting patient data from being leaked or misused."
Neuberger estimated that implementing the updated rule would cost approximately $9 billion in the first year and an additional $6 billion over the next four years but stressed that the cost of inaction poses even greater risks to patient safety and critical healthcare infrastructure.
The proposed updates reflect growing concerns about the frequency and severity of cyberattacks targeting healthcare systems. With bipartisan support for enhancing healthcare cybersecurity, the proposed rule aims to establish more rigorous safeguards for ePHI, ensuring healthcare providers, insurers, and other covered entities are better equipped to handle the shifting threat environment. These updates signal a step toward protecting both patients and the healthcare system from the escalating risks of cyberattacks.
Key terms
HIPAA security rule: It sets standards to protect electronic protected health information (ePHI) from unauthorized access.
Multi-factor authentication (MFA): MFA requires verifying identity using multiple methods, like a password and a physical device.
ePHI: ePHI is health information that identifies individuals and is stored or transmitted electronically.
Network segmentation: It divides networks into smaller sections to limit access and contain cyberattacks.
Vulnerability scans and penetration tests: Vulnerability scans find system weaknesses; penetration tests simulate attacks to expose them.